Researchers Show Copilot and Grok Can Be Abused as Malware C2 Proxies

Published: (February 17, 2026 at 01:08 PM EST)
Source: The Hacker News

Ravie Lakshmanan
Feb 17 2026 | Malware / Artificial Intelligence

AI as a C2 Proxy

The attack method, demonstrated against Microsoft Copilot and xAI Grok, has been codenamed AI as a C2 proxy by Check Point.

“It leverages anonymous web access combined with browsing and summarisation prompts,” the cybersecurity company said. “The same mechanism can also enable AI‑assisted malware operations, including generating reconnaissance workflows, scripting attacker actions, and dynamically deciding ‘what to do next’ during an intrusion.”

Why This Matters

The development signals yet another consequential evolution in how threat actors could abuse AI systems—not just to scale or accelerate different phases of the cyber‑attack cycle, but also to leverage APIs to dynamically generate code at runtime that can adapt its behaviour based on information gathered from the compromised host and evade detection.

AI tools already act as a force multiplier for adversaries, allowing them to delegate key steps in their campaigns—reconnaissance, vulnerability scanning, crafting convincing phishing emails, creating synthetic identities, debugging code, or developing malware. AI as a C2 proxy goes a step further.

How the Technique Works

The technique essentially leverages Grok’s and Microsoft Copilot’s web‑browsing and URL‑fetch capabilities to retrieve attacker‑controlled URLs and return responses through their web interfaces, turning the AI service into a bidirectional communication channel that:

  1. Accepts operator‑issued commands.
  2. Tunnels victim data out.

All of this works without requiring an API key or a registered account, rendering traditional mitigations such as key revocation or account suspension ineffective.

Viewed differently, this approach is analogous to attack campaigns that weaponise trusted services for malware distribution and C2. It is also referred to as living‑off‑trusted‑sites (LOTS).

Attack Flow

For the technique to be viable, the threat actor must first compromise a machine by other means and install malware. The malware then uses Copilot or Grok as a C2 channel by sending specially crafted prompts that cause the AI agent to contact attacker‑controlled infrastructure and return the command to be executed on the host.
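Because the channel described above is driven by malware rather than by a person at a browser, one place to look for it is endpoint network telemetry. The hunt below is an added example, not code from the article or from Check Point: it flags non-browser processes that reach the assistants' web front ends and marks near-constant request spacing as beacon-like. The hostnames, the browser allowlist, the log layout and the thresholds are all assumptions, and the sample log is constructed.

```python
import csv
import io
from collections import defaultdict
from statistics import mean, pstdev

# Assumptions, not from the article: web front-end hostnames of the two
# assistants, and the process names treated as interactive browsers.
AI_WEB_HOSTS = {"copilot.microsoft.com", "grok.com"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample telemetry: epoch_seconds,host,process,destination
SAMPLE_LOG = """\
1000,ws-01,msedge.exe,copilot.microsoft.com
1300,ws-01,msedge.exe,copilot.microsoft.com
1000,ws-02,updater.exe,grok.com
1060,ws-02,updater.exe,grok.com
1121,ws-02,updater.exe,grok.com
1180,ws-02,updater.exe,grok.com
1500,ws-03,python.exe,copilot.microsoft.com
1010,ws-03,chrome.exe,example.org
"""

def hunt(log_text, min_beacon_hits=4, max_jitter=0.1):
    """Return one finding per (host, process, dest) where a non-browser
    process contacted an AI assistant web front end."""
    seen = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, host, proc, dest = row
        if dest.lower() in AI_WEB_HOSTS and proc.lower() not in BROWSERS:
            seen[(host, proc, dest)].append(int(ts))
    findings = []
    for (host, proc, dest), times in sorted(seen.items()):
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Beacon-like: enough hits and low relative jitter between requests.
        periodic = (len(times) >= max(2, min_beacon_hits) and mean(gaps) > 0
                    and pstdev(gaps) / mean(gaps) <= max_jitter)
        findings.append({"host": host, "process": proc, "dest": dest,
                         "hits": len(times), "periodic": periodic})
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

A single hit from a scripting runtime can be a developer experimenting, so findings are triage leads; the `periodic` flag is what separates a one-off from sustained polling.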

Check Point also noted that an attacker could go beyond command generation, using the AI agent to devise evasion strategies and decide the next course of action by passing system details and validating whether a target is worth exploiting.

“Once AI services can be used as a stealthy transport layer, the same interface can also carry prompts and model outputs that act as an external decision engine—a stepping stone toward AI‑driven implants and AIOps‑style C2 that automate triage, targeting, and operational choices in real time,” Check Point said.

The disclosure comes weeks after Palo Alto Networks Unit 42 demonstrated a novel attack technique where a seemingly innocuous web page can be turned into a phishing site by using client‑side API calls to trusted large‑language‑model (LLM) services for generating malicious JavaScript dynamically in real time.

The method resembles Last Mile Reassembly (LMR) attacks, which smuggle malware through the network via unmonitored channels such as WebRTC and WebSocket and piece it together directly in the victim’s browser, effectively bypassing security controls.

“Attackers could use carefully engineered prompts to bypass AI safety guardrails, tricking the LLM into returning malicious code snippets,” Unit 42 researchers Shehroze Farooqi, Alex Starov, Diva‑Oriane Marty, and Billy Melicher said.

“These snippets are returned via the LLM service API, then assembled and executed in the victim’s browser at runtime, resulting in a fully functional phishing page.”
Source: ascript‑through‑llms/
