Security researchers at Check Point Research (CPR) warned that web-based AI assistants with browsing capabilities could be repurposed as covert command-and-control (C2) channels, the communication paths attackers use to send commands to compromised machines and receive stolen data.
In a newly published study titled “AI in the middle: Transforming web-based AI services into C2 proxies and the future of AI-driven attacks,” CPR details how certain AI assistants that support web browsing and URL fetching can be exploited as command-and-control relays, effectively acting as “AI as a proxy.” This allows the attacker’s traffic to blend into legitimate, generally allowed corporate communications, the company said.
The technique has been demonstrated against Grok and Microsoft Copilot, using a combination of anonymous web access and browsing and summary prompts. According to CPR, the same mechanism could enable AI-assisted malware operations, such as generating reconnaissance workflows, scripting an attacker’s actions, and dynamically deciding “what to do next” during a breach.


AI tools are increasingly being integrated into browsers, collaboration suites, and developer environments, and their domains often form part of everyday corporate traffic. CPR claims that threat actors are already exploiting this change.
While AI is commonly used to accelerate malware development, including by generating code and drafting phishing content, researchers say the next step is even more important: integrating AI directly into the runtime behavior of malware.
In what CPR calls AI-driven (AID) malware, the implant’s behavior is dynamically shaped by model outputs rather than a fixed decision tree. Malware collects contextual information from infected hosts, such as installed software, domain membership, and geography, and uses AI models to decide what actions to take, what data to prioritize, and how aggressively to manipulate them.
At the heart of the report is a proof of concept that shows how an AI assistant with web fetching capabilities can be used as a bidirectional C2 channel. In the proposed scenario, the malware sends a prompt to the AI web interface, instructing it to retrieve content from an attacker-controlled website. The response returned by the AI may include embedded commands.
To test the feasibility, CPR set up a controlled HTTPS website and told an AI tool to retrieve and summarize it. By embedding hidden content within a page, researchers demonstrated that both Grok and Microsoft Copilot could retrieve and return the embedded commands. They noted that encoding or encrypting data is sufficient to bypass several safeguards designed to block clearly malicious content.
The team also developed a C++ proof of concept using WebView2, an embedded browser component, to demonstrate how malware can automate processes without visible user interaction. The program gathered basic system information, appended it to the URL, and instructed the AI assistant to retrieve and summarize the page, effectively creating a covert communication loop.
Beyond the proxy technique, CPR outlined some potential future use cases for AI-driven malware. These include using AI to assess whether a system is sandboxed before activating malicious behavior, prioritizing high-value victims at the command-and-control level, and selectively encrypting or extracting high-value files to evade volume-based ransomware detection.
Researchers claim that this represents a service exploitation issue rather than a traditional software vulnerability.
CPR calls on AI providers to enhance web fetch capabilities and improve enterprise visibility, while asking defenders to treat AI service domains as high-value exit points.
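One way a defender could act on that last recommendation is sketched below as an added example; it is not code from CPR or from the report. It scans endpoint network telemetry for connections to AI assistant domains made by anything other than an interactive browser, including a WebView2 runtime embedded by an unapproved application. The domain watchlist, browser list, approved application name and telemetry rows are all assumptions constructed for illustration.

```python
from collections import defaultdict

AI_DOMAINS = {"grok.com", "copilot.microsoft.com"}        # assumed watchlist
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}    # assumed interactive browsers
WEBVIEW2 = "msedgewebview2.exe"                           # WebView2 runtime process
APPROVED_WEBVIEW_HOSTS = {"corp_helpdesk.exe"}            # hypothetical approved app

# Constructed telemetry: (host, image, parent image, destination, bytes sent)
EVENTS = [
    ("WS-014", "chrome.exe", "explorer.exe", "grok.com", 2100),
    ("WS-014", "msedgewebview2.exe", "corp_helpdesk.exe", "copilot.microsoft.com", 1800),
    ("WS-022", "msedgewebview2.exe", "updater_svc.exe", "copilot.microsoft.com", 950),
    ("WS-022", "msedgewebview2.exe", "updater_svc.exe", "copilot.microsoft.com", 970),
    ("WS-022", "msedgewebview2.exe", "updater_svc.exe", "copilot.microsoft.com", 1010),
    ("WS-031", "powershell.exe", "winword.exe", "www.grok.com", 400),
    ("WS-031", "powershell.exe", "winword.exe", "example.org", 400),
]

def is_ai_domain(dest):
    """Exact or subdomain match, so 'notgrok.com' does not match 'grok.com'."""
    dest = dest.lower().rstrip(".")
    return any(dest == d or dest.endswith("." + d) for d in AI_DOMAINS)

def classify(event):
    """Return (actor, reason) for a suspicious event, or None."""
    _host, image, parent, dest, _sent = event
    image, parent = image.lower(), parent.lower()
    if not is_ai_domain(dest) or image in BROWSERS:
        return None
    if image == WEBVIEW2:
        if parent in APPROVED_WEBVIEW_HOSTS:
            return None
        return parent, "WebView2 embedded by unapproved application"
    return image, "non-browser process talking to AI assistant"

def find_alerts(events):
    """Aggregate suspicious events per (host, actor) with hit and byte counts."""
    alerts = defaultdict(lambda: {"reason": "", "hits": 0, "bytes_out": 0})
    for event in events:
        verdict = classify(event)
        if verdict is None:
            continue
        actor, reason = verdict
        entry = alerts[(event[0], actor)]
        entry["reason"] = reason
        entry["hits"] += 1
        entry["bytes_out"] += event[4]
    return dict(alerts)

if __name__ == "__main__":
    for (host, actor), info in sorted(find_alerts(EVENTS).items()):
        print(host, actor, info)
```

Repeated hits from the same host and actor pair are the signal to prioritize, since a communication loop of the kind the report describes produces recurring requests rather than a single visit.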
