AI assistants with web browsing capabilities can be weaponized as stealthy command-and-control relays, allowing attackers to blend into legitimate enterprise communications and evade detection.
Cybersecurity researchers have uncovered a novel attack method that transforms artificial intelligence assistants like Microsoft Copilot and xAI Grok into stealthy command-and-control (C2) proxies, potentially allowing threat actors to blend malicious communications into legitimate enterprise traffic and evade traditional security controls.
The AI as C2 Proxy Technique
The attack, dubbed "AI as a C2 proxy" by Check Point researchers, exploits the web browsing and URL fetching capabilities built into modern AI assistants. By leveraging these features, attackers can create bidirectional communication channels that tunnel commands to compromised systems and exfiltrate data through the AI's web interfaces.
"The same mechanism can also enable AI-assisted malware operations, including generating reconnaissance workflows, scripting attacker actions, and dynamically deciding 'what to do next' during an intrusion," Check Point explained in their analysis.
How the Attack Works
For this technique to succeed, attackers must first compromise a target machine through traditional means and install malware. The malware then uses specially crafted prompts to interact with Copilot or Grok, causing the AI agents to contact attacker-controlled infrastructure and return responses containing commands to execute on the compromised host.
What makes this particularly concerning is that the attack works without requiring API keys or registered accounts. This means traditional mitigation strategies like key revocation or account suspension become ineffective, as the AI assistants are being used through their standard web interfaces rather than programmatic APIs.
Beyond Simple C2 Communication
The implications extend far beyond basic command-and-control functionality. Researchers noted that attackers could leverage the AI's reasoning capabilities to devise evasion strategies and determine the next course of action by passing system details to the AI agent.
"Once AI services can be used as a stealthy transport layer, the same interface can also carry prompts and model outputs that act as an external decision engine," Check Point stated. "This represents a stepping stone toward AI-driven implants and AIOps-style C2 that automate triage, targeting, and operational choices in real time."
Connection to Living-off-Trusted-Sites (LOTS)
This technique is essentially a modern evolution of the "living-off-trusted-sites" (LOTS) attack methodology, where threat actors abuse legitimate services for malicious purposes. However, AI assistants present unique advantages:
- They're widely deployed in enterprise environments
- Their web browsing capabilities are legitimate features
- They blend seamlessly into normal business communications
- They can dynamically generate and adapt responses
Related Research on AI Abuse
The discovery comes alongside related research from Palo Alto Networks Unit 42, which demonstrated how trusted large language model services could be abused to generate malicious JavaScript dynamically in real time. This method, similar to Last Mile Reassembly (LMR) attacks, involves smuggling malware through unmonitored channels and assembling it directly in the victim's browser.
"Attackers could use carefully engineered prompts to bypass AI safety guardrails, tricking the LLM into returning malicious code snippets," the Unit 42 researchers explained. "These snippets are returned via the LLM service API, then assembled and executed in the victim's browser at runtime, resulting in a fully functional phishing page."
Implications for Enterprise Security
This research highlights the evolving threat landscape as AI assistants become more deeply integrated into enterprise workflows. Organizations must now consider how these powerful tools could be repurposed by attackers to bypass traditional security controls.
The attack demonstrates that AI systems are not just being used to scale existing attack methods but are becoming integral components of sophisticated attack chains that can dynamically adapt based on real-time information from compromised systems.
Mitigation Strategies
While specific technical mitigations were not detailed in the research, organizations should consider:
- Monitoring AI assistant usage patterns for anomalies
- Implementing network segmentation to limit lateral movement
- Using behavioral analysis to detect unusual command patterns
- Regularly auditing AI assistant configurations and permissions
- Training security teams on AI-powered attack techniques
As AI assistants continue to evolve and gain more capabilities, security researchers warn that we're likely to see increasingly sophisticated attacks that leverage these tools not just as force multipliers but as intelligent components of attack infrastructure.
The research underscores the need for security teams to adapt their detection and response strategies to account for AI-powered threats that can blend into legitimate enterprise communications while maintaining the flexibility to adapt their tactics in real time.
Comments
Please log in or register to join the discussion