Researchers Show AI Assistants Can Be Abused for Stealthy Malware C2
Researchers at Check Point have demonstrated how AI assistants with web browsing and URL-fetching capabilities can be abused as stealthy command-and-control (C2) relays. The findings show that platforms such as Microsoft Copilot and Grok could be leveraged by malware operators to exchange instructions and exfiltrate data while blending into legitimate AI traffic.
The proof-of-concept highlights emerging risks as AI agents become deeply integrated into enterprise workflows.
AI as a Covert Relay Channel
The researchers showed that malware running on a compromised endpoint can use Microsoft’s WebView2 component to programmatically interact with AI assistants. Instead of communicating directly with attacker infrastructure, the malware sends prompts to the AI platform.
The AI assistant, equipped with web browsing or URL-fetching capabilities, retrieves attacker-controlled content and incorporates it into its response.
Parsing Commands from Chat Output
Once the AI agent generates a response, the malware parses the chat output to extract embedded instructions. In effect, the AI platform becomes an intermediary that relays commands between attacker-controlled servers and infected systems.
This approach allows malware to:
- Fetch encoded commands via AI-generated responses
- Exfiltrate encrypted data hidden within prompts or replies
- Avoid direct outbound connections to suspicious domains
Why Detection Is Difficult
Traditional security tools often monitor for suspicious outbound traffic patterns, such as connections to known malicious IP addresses. However, communication with legitimate AI platforms typically appears benign and may be permitted in corporate environments.
By tunneling C2 traffic through trusted AI services, attackers can make detection and blocking significantly more challenging.
WebView2 as an Enabler
The use of WebView2 allows malware to embed a browser component within an application and automate interactions with web-based AI tools. This technique removes the need for visible browser sessions, enabling silent background communications.
Because WebView2 is widely used in enterprise applications, blocking it outright may not be feasible without disrupting legitimate business functions.
Implications for Enterprise Security
The research underscores the need for organizations to treat AI platforms as potential data egress channels. As AI assistants gain capabilities like browsing, plugin integration, and API connectivity, their role in security monitoring frameworks must evolve accordingly.
Security teams may need to implement behavioral analysis and context-aware monitoring to distinguish legitimate AI use from automated abuse.
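As an added illustration of the behavioral monitoring described above (example code written for this article, not part of Check Point's research), the following Python script runs a cadence check over constructed proxy log lines: a host process that contacts an AI assistant domain at near-constant intervals is flagged as beacon-like, while a person's irregular use of the same assistant is not. The domain list, process names and log format are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed AI assistant destinations (hypothetical; in practice taken from proxy/DNS categorisation).
AI_ASSISTANT_DOMAINS = {"copilot.microsoft.com", "grok.com"}

# Constructed proxy log: "<ISO timestamp> <host> <process> <destination> <bytes_out>".
# WS-101: a WebView2 host process hitting Copilot every 60 s. WS-202: a person browsing.
SAMPLE_LOG = """\
2024-05-01T09:00:00 WS-101 msedgewebview2.exe copilot.microsoft.com 812
2024-05-01T09:01:00 WS-101 msedgewebview2.exe copilot.microsoft.com 809
2024-05-01T09:02:00 WS-101 msedgewebview2.exe copilot.microsoft.com 815
2024-05-01T09:03:00 WS-101 msedgewebview2.exe copilot.microsoft.com 811
2024-05-01T09:04:00 WS-101 msedgewebview2.exe copilot.microsoft.com 810
2024-05-01T09:00:00 WS-202 msedge.exe copilot.microsoft.com 1402
2024-05-01T09:03:17 WS-202 msedge.exe copilot.microsoft.com 2210
2024-05-01T09:04:02 WS-202 msedge.exe copilot.microsoft.com 640
2024-05-01T09:11:45 WS-202 msedge.exe copilot.microsoft.com 3100
2024-05-01T09:12:10 WS-202 msedge.exe copilot.microsoft.com 950
"""

def parse_log(text):
    """Yield (timestamp, host, process, destination, bytes_out) for each log line."""
    for line in text.splitlines():
        if line.strip():
            ts, host, proc, dest, sent = line.split()
            yield datetime.fromisoformat(ts), host, proc, dest, int(sent)

def find_beacon_like_sessions(text, min_events=5, max_cv=0.15):
    """Group AI-assistant requests by (host, process, destination) and flag streams
    whose inter-request gaps are too regular for a human: a low coefficient of
    variation is the signature of a scheduled relay loop, not of someone chatting."""
    streams = defaultdict(list)
    for ts, host, proc, dest, _ in parse_log(text):
        if dest in AI_ASSISTANT_DOMAINS:
            streams[(host, proc, dest)].append(ts)
    findings = []
    for (host, proc, dest), times in streams.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
        if cv <= max_cv:
            findings.append({"host": host, "process": proc, "destination": dest,
                             "events": len(times), "mean_gap_s": mean, "cv": round(cv, 3)})
    return findings
```

Calling `find_beacon_like_sessions(SAMPLE_LOG)` returns only the WS-101 stream; the reported hosting process is the context an analyst needs, since WebView2 itself cannot simply be blocked.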
Emerging Threat Landscape
While the demonstration was conducted in a research setting, it signals a broader trend: threat actors are likely to explore novel ways to hide malicious traffic within legitimate cloud and AI services.
As adoption of AI assistants accelerates, proactive controls and visibility into AI-related network activity will become increasingly critical.