Researchers Show Copilot and Grok Can Be Abused as Malware C2 Proxies

Cybersecurity researchers have disclosed that artificial intelligence (AI) assistants that support web browsing or URL fetching capabilities can be turned into stealthy command-and-control (C2) relays, a technique that could allow attackers to blend into legitimate enterprise communications and evade detection.

The attack method, which has been demonstrated against Microsoft Copilot and xAI Grok, has been codenamed AI as a C2 proxy by Check Point.

It leverages “anonymous web access combined with browsing and summarization prompts,” the cybersecurity company said. “The same mechanism can also enable AI-assisted malware operations, including generating reconnaissance workflows, scripting attacker actions, and dynamically deciding ‘what to do next’ during an intrusion.”

The development signals yet another consequential evolution in how threat actors could abuse AI systems, not just to scale or accelerate different phases of the cyber attack cycle, but also leverage APIs to dynamically generate code at runtime that can adapt its behavior based on information gathered from the compromised host and evade detection.

AI tools already act as a force multiplier for adversaries, allowing them to delegate key steps in their campaigns, whether it be for conducting reconnaissance, vulnerability scanning, crafting convincing phishing emails, creating synthetic identities, debugging code, or developing malware. But AI as a C2 proxy goes a step further.

It essentially leverages Grok and Microsoft Copilot’s web-browsing and URL-fetch capabilities to retrieve attacker-controlled URLs and return responses through their web interfaces, essentially transforming it into a bidirectional communication channel to accept operator-issued commands and tunnel victim data out.

Notably, all of this works without requiring an API key or a registered account, thereby rendering traditional approaches like key revocation or account suspension useless.

Viewed differently, this approach is no different from attack campaigns that have weaponized trusted services for malware distribution and C2. It’s also referred to as living-off-trusted-sites (LOTS).

However, for all this to happen, there is a key prerequisite: the threat actor must have already compromised a machine by some other means and installed malware, which then uses Copilot or Grok as a C2 channel using specially crafted prompts that cause the AI agent to contact the attacker-controlled infrastructure and pass the response containing the command to be executed on the host back to the malware.

Check Point also noted that an attacker could go beyond command generation to make use of the AI agent to devise an evasion strategy and determine the next course of action by passing details about the system and validating if it’s even worth exploiting.