Researchers show that Copilot and Grok can be abused as Malware C2 Proxies

Researchers have shown that AI assistants can act as C2 proxies to disguise malware communications, evade detection, and automate attacks.

Cybersecurity researchers have disclosed that artificial intelligence (AI) assistants that support web browsing or URL fetching capabilities can be turned into stealthy command-and-control (C2) relays, a technique that could allow attackers to blend into legitimate enterprise communications and evade detection.

The attack method, demonstrated against Microsoft Copilot and xAI Grok, has been codenamed "AI as a C2 proxy" by Check Point.

It "stimulates anonymous web access in combination with browsing and summary signals," the cybersecurity firm says. "Those mechanisms can also enable AI-assisted malware operations, including generating reconnaissance workflows, scripting attack actions and dynamically determining 'what to do next' during an intrusion."

The development marks a further step in how threat actors can exploit AI systems, not only to scale or speed up the various stages of the cyber attack cycle, but also to use APIs to dynamically generate code at runtime that can adapt its behavior based on information gathered from compromised hosts and evade detection.

AI tools already act as a force multiplier for adversaries, letting them offload critical steps in their campaigns, whether it's reconnaissance, vulnerability analysis, crafting credible phishing emails, creating synthetic identities, debugging code, or developing malware. But AI as a C2 proxy goes a step further.

It leverages Microsoft Copilot's web browsing capability to fetch attacker-controlled URLs and return the responses through its web interface, essentially turning it into a two-way communication channel that receives operator-issued commands and tunnels victim data out.

It should be noted that all of this works without the need for an API key or a registered account, rendering traditional approaches such as revocation of keys or account suspension useless.

This approach is different from attack campaigns that weaponize trusted services for malware distribution and C2, also known as living-off-trusted-sites (LOTS).

However, for all this to happen, there is one main condition: the threat actor must already have compromised the machine in some other way and installed malware that uses Copilot or Grok as a C2 channel. The malware communicates with the AI agent using specially crafted prompts that make the agent contact the attacker-controlled infrastructure and relay back the commands for the malware to execute on the host.
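A defensive hunt for the behavior described above, as an added example that is not from Check Point or the original article: it flags endpoint telemetry in which a non-browser process talks to an AI assistant web front end, or in which anonymous requests arrive at machine-like fixed intervals. The hostnames, browser allowlist, log columns and thresholds are assumptions, and the sample telemetry is constructed.

```python
import csv, io, statistics
from collections import defaultdict

# Assumptions (not from the article): hostnames, browser allowlist, thresholds.
AI_HOSTS = {"copilot.microsoft.com", "grok.com"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
MIN_HITS = 4        # requests needed before timing is judged
MAX_JITTER = 0.10   # stdev/mean of request gaps at or below this looks scripted

# Constructed sample telemetry: epoch seconds, host, process, destination, signed-in flag.
SAMPLE = """ts,host,process,dest,signed_in
1000,ws-01,msedge.exe,copilot.microsoft.com,1
1340,ws-01,msedge.exe,copilot.microsoft.com,1
1395,ws-01,msedge.exe,grok.com,1
2900,ws-01,msedge.exe,copilot.microsoft.com,1
1000,ws-02,updater.exe,copilot.microsoft.com,0
1060,ws-02,updater.exe,copilot.microsoft.com,0
1121,ws-02,updater.exe,copilot.microsoft.com,0
1180,ws-02,updater.exe,copilot.microsoft.com,0
1241,ws-02,updater.exe,copilot.microsoft.com,0
1500,ws-03,chrome.exe,example.org,0
"""

def hunt(log_text):
    """Return {(host, process): [reasons]} for suspicious AI-assistant traffic."""
    sessions = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dest"].lower() in AI_HOSTS:
            sessions[(row["host"], row["process"])].append(
                (int(row["ts"]), row["signed_in"] == "1"))
    findings = {}
    for key, events in sessions.items():
        reasons = []
        if key[1].lower() not in BROWSERS:
            reasons.append("non-browser process")
        times = sorted(t for t, _ in events)
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= MIN_HITS and statistics.mean(gaps) > 0:
            if statistics.pstdev(gaps) / statistics.mean(gaps) <= MAX_JITTER \
                    and not any(s for _, s in events):
                reasons.append("anonymous, fixed-interval requests")
        if reasons:
            findings[key] = reasons
    return findings

if __name__ == "__main__":
    for (host, proc), why in hunt(SAMPLE).items():
        print(host, proc, "; ".join(why))
```

Both signals are triage leads rather than verdicts: legitimate desktop integrations and signed-out human use will also match, so pair a hit with process lineage and binary reputation before escalating.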

Check Point also found that an attacker can go beyond command generation and use the AI agent to plan an evasion strategy and determine the next course of action, passing it information about the system and confirming whether the system is a suitable target.

"Once AI services can be used as an implicit delivery layer, the same interface can contain queries and model outputs that serve as an external decision engine, leading to AI-driven implants and AIOps-style C2 ladders that provide real-time identification, targeting, and task selection," Check Point said.

It comes weeks after Palo Alto Networks Unit 42 demonstrated a new attack technique that can turn a seemingly innocent web page into a phishing site by using a client-side API call to generate malicious JavaScript dynamically and in real time.

The method is similar to Last Mile Reassembly (LMR) attacks, which involve passing malware through the network over unmonitored channels such as WebRTC and WebSocket and reassembling it directly in the victim's browser, effectively bypassing security controls in the process.

"Attackers can use specially crafted commands to bypass the AI's security mechanisms, tricking the LLM into false control," said Unit 42 researchers Shehroze Farooqi, Alex Starov, Diva-Oriane Marty, and Billy Melicher. "These fragments are returned via the LLM service's API, then compiled and loaded into the victim's browser at runtime, resulting in an active phishing page for stealing sensitive information."
