As enterprises increasingly embed generative AI and autonomous assistants into workflows and network infrastructure, a new class of cyberattack vector is emerging: abusing web-accessible AI services as covert command-and-control (C2) proxies. This technique, recently described by Check Point Research (CPR) in their “AI in the Middle” report, demonstrates how legitimate AI tools with browsing or URL-fetch capabilities—such as Grok and Microsoft Copilot—can be repurposed by attackers to relay commands and exfiltrate data without direct C2 infrastructure contact.
Background: The Evolution of Malware C2 Channels
Classical malware command-and-control relies on dedicated servers operated by threat actors. These C2 servers coordinate infected hosts, issue instructions, and collect stolen data. Defenders have developed extensive tooling—firewalls, IDS/IPS, network blocks, and domain reputation lists—to detect and restrict such connections. However, attackers have long sought to camouflage C2 traffic inside legitimate services that are nearly universally permitted on corporate networks (e.g., email, cloud storage, DNS).
The AI in the Middle research identifies AI services with anonymous web access features as the next such vector: traffic to these services is typically allowed, encrypted, and indistinct from benign business usage. This makes them ideal candidates to shield malicious communication from traditional monitoring systems.
The Core Technique: AI as a Covert C2 Proxy
The CPR team demonstrated a proof-of-concept (PoC) illustrating how an AI assistant with web browsing or arbitrary URL fetching can be manipulated to serve as a C2 relay:
- Infection and Implant – Malware infects a host and includes a lightweight component capable of interacting with an AI service through its web interface (e.g., via WebView/embedded browser).
- Prompt-Driven Communication – The malware crafts prompts that instruct the AI to fetch a URL controlled by the attacker. Query parameters carry encoded data (e.g., reconnaissance results).
- Bidirectional Channel – The AI service fetches the attacker’s controlled URL, returning summaries that embed attacker commands. The implant parses these replies and acts upon them.
- Stealth and Blending – Because the traffic is standard HTTPS to a trusted AI domain, it is unlikely to trigger alerts or be distinguished from legitimate enterprise AI use.
This technique requires no API keys, accounts, or authenticated sessions, allowing malware to operate through these AI hosts without being directly attributable or easily disrupted by revoking credentials.
Beyond Simple Relaying: Toward AI-Driven Malware
While leveraging AI assistants as a C2 proxy is impactful in itself, the CPR report frames it as a building block for more advanced AI-driven malware:
- Adaptive Runtime Logic – Instead of rigid, pre-programmed logic, malware could send environmental context (e.g., OS version, installed software, domain membership) to an AI assistant and receive dynamic instructions or prioritization guidance.
- Model-Assisted Decisions – AI could weigh the value of targets, suggest next actions, or optimize lateral movement, functions that traditionally require human operator expertise.
- Evasion and Polymorphism – By offloading decision logic externally to AI models, malware behavior becomes less predictable and signature-based detections less effective.
In essence, the AI service becomes not just a transport layer but a remote decision engine influencing malware operations.
Technical Implications and Defenses
From a defensive engineering perspective, several concerns stand out:
1. Network Traffic Visibility
AI domains are increasingly treated as trusted destinations. Traditional firewalls and proxy filters often permit traffic to these services without deep inspection. Organizations must begin analyzing AI-bound traffic with the same scrutiny applied to webmail or cloud storage.
2. Authentication Controls
Because the PoC relies on anonymous access, merely throttling or monitoring authenticated API usage is insufficient. AI services exposed to public access become potential inadvertent facilitators of covert channels.
3. Prompt Abuse and Sanitization
Natural language prompts are semantically flexible, allowing attackers to craft queries that appear benign but encode malicious intent. This complicates automated detection, as AI output may not raise syntactic red flags.
4. Advanced Threat Hunting
Incorporating AI egress into SIEM/XDR pipelines, identifying unusual patterns in AI interaction volumes, and correlating with endpoint behavior are key tactics to surface misuse.
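One way to put item 4 into practice, as an added example (not code from the CPR report): a hunt over proxy logs joined with endpoint process names that flags hosts whose requests to AI domains come from an unexpected process or arrive at near-constant intervals, the polling shape an implant relaying through an AI service would produce. The domain watchlist, log format, process allowlist and thresholds are assumptions.

```python
"""Hunt for beacon-like traffic to AI assistant domains in proxy logs joined
with endpoint process context. Added example, not Check Point Research code;
log format, domain list and thresholds are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

AI_DOMAINS = {"grok.com", "copilot.microsoft.com"}   # assumed egress watchlist
EXPECTED_PROCESSES = {"msedge.exe", "chrome.exe", "firefox.exe"}  # browsers

# Constructed sample log: "ISO-time host process dest-domain" per line.
SAMPLE_LOG = """\
2024-05-01T09:00:00 ws17 svchelper.exe grok.com
2024-05-01T09:05:01 ws17 svchelper.exe grok.com
2024-05-01T09:10:00 ws17 svchelper.exe grok.com
2024-05-01T09:15:02 ws17 svchelper.exe grok.com
2024-05-01T09:20:00 ws17 svchelper.exe grok.com
2024-05-01T09:01:10 ws03 msedge.exe copilot.microsoft.com
2024-05-01T09:14:45 ws03 msedge.exe copilot.microsoft.com
2024-05-01T09:52:03 ws03 msedge.exe copilot.microsoft.com
2024-05-01T09:30:00 ws21 chrome.exe example.com
"""

def parse_log(text):
    """Yield (timestamp, host, process, domain) for AI-bound lines only."""
    for line in text.splitlines():
        ts, host, proc, dom = line.split()
        if dom in AI_DOMAINS:
            yield datetime.fromisoformat(ts), host, proc, dom

def hunt(text, min_requests=4, max_jitter=0.2):
    """Return {host: [reasons]} for hosts whose AI egress looks like a relay:
    (a) a non-browser process talking to an AI service, (b) near-constant
    request intervals (low coefficient of variation), i.e. implant polling."""
    by_host, findings = defaultdict(list), defaultdict(set)
    for ts, host, proc, dom in parse_log(text):
        by_host[host].append(ts)
        if proc not in EXPECTED_PROCESSES:
            findings[host].add(f"unexpected process {proc} -> {dom}")
    for host, times in by_host.items():
        times.sort()
        if len(times) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0  # jitter relative to period
        if cv < max_jitter:
            findings[host].add(f"beacon-like: {len(times)} requests about "
                               f"{avg:.0f}s apart, jitter {cv:.2f}")
    return {h: sorted(r) for h, r in findings.items()}
```

In the constructed sample only ws17 is reported: its requests come from a non-browser process and repeat roughly every 300 seconds with almost no jitter, while ws03's irregular browser sessions to Copilot pass as ordinary use.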
Conclusion
The “AI in the Middle” research underscores a crucial inflection point in cyber-attack strategy: leveraging generative AI services as covert infrastructure. By turning trusted, widely accessible AI assistants into C2 proxies, attackers can blend malicious traffic into legitimate network flows, evade classical defenses, and potentially orchestrate highly adaptive malware.
For defenders, this mandates a rethink of how AI usage is governed, monitored, and protected. Security controls must evolve to treat AI traffic as sensitive egress, apply intelligent inspection, and incorporate behavioural analytics capable of exposing abuse patterns within encrypted traffic. Only through such adaptive security frameworks can organizations anticipate and mitigate this emerging threat class.
