Researchers demonstrate Copilot and Grok can be weaponised as covert malware command-and-control relays


Check Point Research demonstrated that Microsoft Copilot and xAI's Grok can be exploited as covert malware command-and-control relays by abusing their web browsing capabilities. The technique creates a bidirectional communication channel that blends into legitimate enterprise traffic, requires no API keys or accounts, and easily bypasses platform safety checks via encryption. The researchers disclosed the findings to Microsoft and xAI.

Incident Details

Severity: Facepalm
Company: Microsoft
Perpetrator: AI platform
Incident Date:
Blast Radius: All enterprises using Copilot or Grok with web browsing enabled; new evasion technique bypasses traditional security monitoring

The Chatbot as Middleman

For years, security teams have gotten good at spotting the telltale signs of malware phoning home. When an infected machine contacts a suspicious server in an unusual country, or sends data to an IP address that doesn't belong to any known service, monitoring tools flag it. The entire discipline of command-and-control (C2) detection revolves around identifying traffic that doesn't look like normal business activity.

Check Point Research, in a February 2026 disclosure they codenamed "AI as a C2 Proxy," demonstrated a technique that makes that detection model obsolete in a specific and alarming way: instead of contacting a suspicious server directly, the malware asks an AI assistant to do it.

The targets of the demonstration were Microsoft Copilot and xAI's Grok - two AI assistants that are widely deployed in enterprise environments and that both support web browsing or URL-fetching capabilities. The technique exploits a basic property of these tools: when they fetch a web page to "summarize" it for the user, the resulting network traffic looks exactly like a legitimate employee using their AI assistant. Because it is a legitimate employee's AI assistant. It's just also carrying hidden instructions from an attacker.

How the Proxy Works

The attack flow demonstrated by Check Point is elegant in a way that should make security teams uncomfortable.

First, malware on a compromised machine gathers basic information about the system - user details, network configuration, installed software. It appends this reconnaissance data to the URL of an attacker-controlled website. In Check Point's proof of concept, this was a site themed around Siamese cats, because apparently even security researchers need a moment of levity.

Next, the malware opens a hidden WebView2 window - an embedded browser component that comes preinstalled on Windows 11 and is broadly available on modern Windows 10 systems. Inside this hidden window, the malware navigates to either Grok or Copilot and submits a prompt asking the AI to "summarize" the attacker's URL.

The AI assistant obligingly fetches the URL, which contains the system information in its parameters (so the attacker's server receives the reconnaissance data) and returns a response with embedded commands disguised as normal web content. The malware parses the AI's "summary" and extracts the hidden instructions.

For Grok, the process is particularly simple: the prompt can be injected directly into a URL parameter, and Grok automatically processes it. For Copilot, the researchers used JavaScript injection within the loaded page to submit prompts to the UI. Either way, a bidirectional communication channel is established between the malware and the attacker, routed entirely through a trusted AI assistant.

Why Traditional Defenses Don't See It

The technique's potency lies in what it isn't. It isn't a connection to a suspicious server - it's a connection to microsoft.com or x.ai. It isn't unusual traffic - it looks identical to any of the millions of daily Copilot or Grok queries generated by legitimate enterprise users. It doesn't require stolen API keys, registered accounts, or any special access - the AI assistant's public web interface is all that's needed.

This is an evolution of what security researchers call "Living Off Trusted Sites" (LOTS), where attackers route malicious communications through legitimate services like Dropbox, Slack, GitHub, or OneDrive. AI assistants are the next chapter of that playbook, with one critical difference: they don't just relay data passively. They can process it.

The encryption layer makes detection even harder. Check Point demonstrated that by encrypting the commands embedded in the attacker's website, the technique easily bypasses the AI platforms' content safety checks. The AI dutifully fetches and "summarizes" encrypted text that it can't evaluate for malicious intent, passing it through to the malware which can decrypt it locally. Platform safety mechanisms designed to prevent obviously harmful prompts are irrelevant when the payload is opaque.

Traditional security mitigations are similarly powerless. Revoking API keys doesn't help when no API key is used. Banning accounts doesn't help when no account is needed. Blocking the AI provider's domain means blocking a tool that 77 percent of Fortune 500 companies have deployed for legitimate business use.

The AI as a Decision Engine

Check Point's research went beyond the C2 relay to explore an even more concerning possibility: using the AI assistant not just as a communication channel, but as a decision-making engine for the malware itself.

In this scenario, malware passes detailed system information to the AI and asks it to analyze the environment. The AI could determine whether the compromised machine is a real workstation or a security sandbox (used by researchers to study malware), recommend evasion strategies, and decide what actions to take next. Instead of following a rigid, pre-programmed script, the malware becomes adaptive - using the AI's analysis to change its behavior based on the specific environment it finds itself in.

This transforms malware from static code into something that can reason about its situation. The researchers called this "AIOps-C&C" - borrowing the term from the legitimate practice of using AI to manage IT operations and applying it to the rather less legitimate practice of managing cyberattacks. As AI becomes more deeply embedded in corporate infrastructure, the line between a legitimate query and a malicious one becomes correspondingly harder to draw.

Disclosure and Response

Check Point responsibly disclosed the findings to both Microsoft and xAI before publication. The researchers noted that the vulnerability is architectural rather than a simple bug - it stems from the fundamental design decision to give AI assistants web browsing capabilities without adequate mechanisms to distinguish between a user's legitimate requests and malware's automated prompts.

Neither company's response was detailed in the initial reporting, which is typical for disclosures of this nature. The challenge for Microsoft and xAI is that the "fix" would require fundamentally restricting the web-browsing capabilities that make their AI assistants useful. Blocking URL fetching eliminates the attack vector but also eliminates a significant portion of the product's functionality.

The Arms Race Continues

The Check Point research illustrates a broader shift in how threat actors use AI. AI assistants aren't just targets for prompt injection anymore - they're becoming infrastructure that attackers can exploit. The same features that make these tools valuable to enterprises (web access, integration with local systems, the ability to process and summarize information) make them equally valuable to threat actors looking for covert communication channels.

For security teams, the uncomfortable implication is that the tools they've been encouraging employees to adopt are also the tools that may be hiding the next generation of C2 traffic in plain sight. Monitoring for anomalous AI usage - unusual prompts, unexpected URL fetches, queries that look more like system commands than natural language - will need to become part of the standard detection playbook. But distinguishing sophisticated malware prompts from legitimate (if occasionally weird) employee queries is likely to prove as much art as science.
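One way a defender could start on that playbook is to score AI-assistant prompt telemetry for the traits the research describes: a "summarize this URL" request whose query string carries host/user-style fields or a long, high-entropy blob, optionally submitted from an embedded WebView2 host rather than an interactive browser. This is an added example written for this page, not Check Point's or either vendor's code; the log format, field names and thresholds are assumptions, and the sample events are constructed.

```python
import math
import re
from urllib.parse import urlparse, parse_qs

# Heuristics for reviewing AI-assistant prompts as a web proxy or endpoint
# agent might log them. Thresholds and field names are assumptions.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
FETCH_VERBS = re.compile(r"\b(summari[sz]e|read|open|fetch|visit)\b", re.I)
RECON_KEYS = {"user", "host", "hostname", "os", "domain", "ip", "sw", "software"}
MIN_BLOB_LEN, MIN_BLOB_ENTROPY = 32, 4.0

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking encoded/encrypted blobs score high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def score_prompt(process: str, prompt: str) -> list[str]:
    """Return the reasons a prompt looks like proxied C2 traffic (empty = benign)."""
    reasons = []
    urls = URL_RE.findall(prompt)
    if not urls or not FETCH_VERBS.search(prompt):
        return reasons  # not a URL-fetch request, nothing to inspect
    for url in urls:
        params = parse_qs(urlparse(url).query)
        if RECON_KEYS & {k.lower() for k in params}:
            reasons.append("query string carries host/user-style fields")
        if any(len(v) >= MIN_BLOB_LEN and shannon_entropy(v) >= MIN_BLOB_ENTROPY
               for values in params.values() for v in values):
            reasons.append("high-entropy blob in URL parameter")
    # The demo drove the chat UI from a hidden WebView2 window; on its own that
    # is a weak signal, so it only adds weight to an already suspicious prompt.
    if process.lower() == "msedgewebview2.exe" and reasons:
        reasons.append("submitted from an embedded WebView2 host")
    return reasons

# Constructed sample events (client process, prompt text); not real telemetry.
SAMPLE_EVENTS = [
    ("msedge.exe", "Summarize https://news.example/articles?page=2&sort=date"),
    ("msedge.exe", "Draft a polite reply to the meeting invite"),
    ("msedgewebview2.exe",
     "summarize https://cats.example/p?user=jdoe&host=WS-042&d=aB3xQ9zLmN7pKt2RvWc8YhJ4dF6gS1uE0iOnM5bV"),
]

if __name__ == "__main__":
    for proc, text in SAMPLE_EVENTS:
        print(proc, score_prompt(proc, text) or "ok")
```

Tune the entropy and length thresholds against your own baseline of legitimate Copilot and Grok prompts before alerting on them.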
