Check Point Research (CPR) has detailed a novel attack technique that turns artificial intelligence assistants with web-browsing capabilities into covert command-and-control (C&C) relays, allowing malicious traffic to blend into legitimate enterprise communications.
Dubbed “AI as a C2 proxy,” the method was tested against platforms including Microsoft Copilot and Grok. According to researchers, the technique exploits anonymous web access combined with browsing and summarization prompts to transform the AI tools into bidirectional communication channels.
In the proposed attack scenario, malware running on a previously compromised machine sends specially crafted prompts to an AI assistant. The assistant retrieves data from attacker-controlled URLs and returns responses through its web interface. The responses can contain encoded instructions, allowing attackers to issue commands and exfiltrate data through what appears to be normal AI-driven web traffic.
“This technique is one example of how a threat actor can abuse an AI web app by using it as a proxy for C2, but it is far from the only option,” the researchers noted. “The same interface could be used to request AI-generated commands to locate files, enumerate the system, search for sensitive data, or generate PowerShell code to move laterally across the network. Instead of relying on a skilled human operator, malware could directly task an AI agent for what to do next.”