Hackers Can Leverage Grok and Copilot for Stealthy Malware Communication and Control

Originally published in Cybersecurity News (cybersecuritynews.com) by Blog Writer

Grok and Copilot for Malware Communication

A novel attack technique repurposes mainstream AI assistants, specifically xAI’s Grok and Microsoft Copilot, as covert command-and-control (C2) relays, enabling attackers to tunnel malicious traffic through platforms that enterprise networks already trust and permit by default.

Dubbed “AI as a C2 proxy,” the technique uncovered by Check Point Research (CPR) exploits the web-browsing and URL-fetching capabilities available in both platforms.

Because AI service domains are increasingly treated as routine corporate traffic, often allowed by default and rarely inspected as sensitive egress, malicious activity blending through them evades most conventional detection mechanisms.

CPR researchers demonstrated that both Grok (grok.com) and Microsoft Copilot (copilot.microsoft.com) can be driven through their public web interfaces to fetch attacker-controlled URLs and return structured responses, establishing a fully bidirectional communication channel.

Critically, this works without an API key or a registered account, eliminating the traditional kill switches of key revocation or account suspension.

The proof-of-concept attack flow is quite simple. Malware installed on a victim’s machine collects reconnaissance data, such as the username, domain, installed software, and running processes.

This information is then appended to the query parameters of an attacker-controlled HTTPS website, which is disguised as a harmless “Siamese Cat Fan Club” page in the proof of concept. Finally, the malware prompts the AI assistant to summarize the content of that URL.

The AI fetches the page, returns the embedded command planted in the HTML, and the malware parses the response and executes accordingly.

Attack Flow (Source: CPR)

To circumvent safeguards that flag obviously malicious content, researchers found that simply encoding or encrypting data as a high-entropy blob was sufficient to bypass model-side checks.

To demonstrate real-world malware deployment, CPR implemented the technique in C++ using WebView2, an embedded browser component pre-installed on all Windows 11 systems and widely deployed on modern Windows 10 via updates.


The program opens a hidden WebView window pointing to either Grok or Copilot, injects the prompt, and parses the AI’s response, all without any user interaction or visible browser window.

C2 server to execute calc (Source: CPR)

The result is a fully functional, end-to-end C2 channel where victim data flows out via URL query parameters and attacker commands flow back in through AI-generated output. CPR has responsibly disclosed these findings to both the Microsoft security team and the xAI security team.

Beyond this specific C2 abuse technique, CPR frames the research within a larger and more consequential evolution: AI-Driven (AID) malware, where AI models become part of the malware’s runtime decision loop rather than just a development aid.

Instead of relying on hardcoded logic, implants can collect host context (environment artifacts, user role, domain membership, geography, installed software) and query a model to triage targets, prioritize data, choose payloads, and adapt tactics in real time.

This shifts decision-making away from static, predictable code patterns and toward context-aware, prompt-driven behavior that is significantly harder to fingerprint or replicate in sandbox environments.

CPR identifies three near-term AID use cases with the highest threat potential. First, AI-assisted anti-sandbox evasion: malware offloads environment validation to a remote AI model, allowing payloads to remain dormant in analysis environments and only execute on confirmed real targets, directly undermining signature- and sandbox-based detection pipelines.

Second, AI-augmented C2 servers that score and triage victims based on available PII, automatically withholding second-stage payloads from sandboxes while routing high-value corporate targets to manual lateral movement workflows.

Third, AI-targeted ransomware and data exfiltration, where a model scores files based on metadata and content to encrypt or steal only the highest-value subset, generating far fewer I/O events than bulk-encryption approaches and potentially evading the volume-based thresholds that XDR tools use to trigger ransomware alerts.

This research follows CPR’s January 2026 disclosure of VoidLink, the first confirmed AI-generated malware framework: a modular Linux implant that grew to over 88,000 lines of code in under a week, authored almost entirely by AI.

Together, these findings mark a structural shift: AI is no longer just lowering the barrier to malware development; it is being integrated into malware operations themselves.

Defenders must treat AI service domains as high-value egress points, monitor for automated and anomalous usage patterns, and incorporate AI traffic into threat-hunting and incident response playbooks.
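One way to put that recommendation into practice is to hunt for automated access to AI assistant domains in endpoint egress records. The following is an added example written for this article, not CPR’s tooling: it runs over constructed sample records (timestamp, host, originating process, destination) and flags AI-domain traffic that comes from a non-browser process or arrives at beacon-like regular intervals. The field layout, the process allow-list and the thresholds are assumptions to adapt to your own proxy or EDR export.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample egress records (not real logs): epoch seconds, host, process, destination.
# With WebView2, the socket owner is a msedgewebview2.exe child; log its launching (parent)
# process so the field below reflects what actually started the hidden browser.
SAMPLE_LOGS = """
1700000000 ws-17 chrome.exe copilot.microsoft.com
1700000090 ws-17 chrome.exe copilot.microsoft.com
1700000500 ws-17 chrome.exe copilot.microsoft.com
1700000000 ws-42 updater.exe grok.com
1700000060 ws-42 updater.exe grok.com
1700000120 ws-42 updater.exe grok.com
1700000180 ws-42 updater.exe grok.com
1700000240 ws-42 updater.exe grok.com
"""

AI_DOMAINS = {"grok.com", "copilot.microsoft.com"}  # domains named in the research
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed interactive browsers


def parse(log_text):
    """Yield (ts, host, process, destination) tuples from the whitespace-separated records."""
    for line in log_text.strip().splitlines():
        ts, host, proc, dest = line.split()
        yield int(ts), host, proc, dest


def find_anomalies(log_text, min_events=4, max_cv=0.2):
    """Return (host, process, destination, reason) for AI-domain egress that looks automated.

    A series is 'periodic' when it has at least min_events requests and the coefficient of
    variation (stdev / mean) of the inter-request gaps is at or below max_cv.
    """
    series = defaultdict(list)
    for ts, host, proc, dest in parse(log_text):
        if dest in AI_DOMAINS:
            series[(host, proc, dest)].append(ts)
    findings = []
    for (host, proc, dest), stamps in series.items():
        reasons = []
        if proc.lower() not in BROWSERS:
            reasons.append("non-browser process")
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_events and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            reasons.append(f"periodic ({mean(gaps):.0f}s interval)")
        if reasons:
            findings.append((host, proc, dest, "; ".join(reasons)))
    return findings
```

Interactive use of Copilot from a real browser (ws-17) is left alone, while the fixed 60-second cadence from a non-browser binary on ws-42 is surfaced for triage.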

AI providers, in turn, need to enforce authentication on web fetch features and provide enterprises with greater visibility into how their models access external URLs.
