We’re joined today by Dominic Jainy, an IT professional with deep expertise in artificial intelligence and machine learning. We’ll be exploring a chilling new development at the intersection of AI and cybersecurity: the weaponization of popular AI assistants as stealthy tools for malware command and control, a technique that allows malicious activity to hide in plain sight. This conversation will cover how attackers can transform trusted services like Microsoft Copilot into C2 proxies, the challenges posed by the accountless nature of this attack, and how AI is evolving from a passive communication channel into an active decision-making engine for malware. We will also touch on related threats, such as the dynamic generation of malicious code, and look ahead at the future of AI in the cyber attack lifecycle.
The technique of using AI assistants as C2 proxies leverages their web-browsing capabilities. Can you explain the step-by-step process an attacker uses to establish this channel, and why does this method so effectively blend in with legitimate enterprise communications?
The process is both simple and incredibly insidious. It all begins after an attacker has already compromised a machine and installed their malware. This malware then crafts specific prompts and sends them to an AI assistant like Copilot or Grok. The AI’s web-browsing function is instructed to fetch a URL controlled by the attacker. That URL contains the next command. The AI assistant retrieves the content, processes it, and passes the attacker’s instructions back to the malware on the infected machine. It’s a full bidirectional communication channel. What makes it so effective is that from a network monitoring perspective, all you see is traffic going to a trusted, legitimate AI service. It looks exactly like an employee using Copilot for work, making the malicious C2 traffic nearly invisible within the noise of normal enterprise activity.
This C2 proxy technique reportedly works without requiring an API key or even a user account. How does this ‘accountless’ nature subvert traditional security measures like key revocation or account suspension, and what new defensive strategies must organizations consider to counter this specific threat?
The accountless nature is what makes this a particularly nasty problem. Our traditional defensive playbook relies heavily on identity and access management. When we detect malicious activity tied to an API key or a user account, the first step is to revoke that key or suspend the account, cutting off the attacker’s access. But with this technique, there is no key to revoke and no account to suspend. The attacker is essentially using the public-facing, anonymous access that these tools provide. This completely neutralizes our standard response. It forces us to evolve our defensive strategies away from just identity-based controls and toward more sophisticated behavioral analysis of the prompts themselves and the data flowing through these AI channels.
Beyond acting as a passive communication channel, these AI tools can reportedly become an external decision engine for malware. How might an attacker use prompts to automate reconnaissance and targeting in real-time, essentially creating what’s been called “AIOps-style C2”?
This is where the threat truly escalates. Once the C2 channel is established, it’s no longer just about sending simple commands like “delete file” or “exfiltrate data.” An attacker can use the malware to gather information about the compromised system—like its operating system, security software, or network configuration—and feed it back to the AI through prompts. The attacker can then ask the AI, “Given this environment, what’s the best way to evade detection?” or “Is this system a high-value target worth exploiting further?” The AI essentially becomes an automated brain for the malware, making tactical decisions on the fly. This “AIOps-style C2” automates the attacker’s operational choices, allowing for much faster, more adaptive, and more targeted intrusions without direct human intervention for every step.
An attacker must already have malware on a machine for this to work. How does this prerequisite affect the overall risk profile of this threat, and how does it compare to established living-off-trusted-sites (LOTS) tactics that also abuse legitimate services for C2?
That prerequisite is a crucial piece of context. This isn’t a method for initial breach; it’s a post-compromise technique for maintaining persistence and control. In that sense, it’s very similar to living-off-trusted-sites, or LOTS, tactics where attackers have long used services like Slack, Telegram, or cloud storage as C2 channels. However, the risk profile is significantly higher here. A traditional LOTS approach uses a trusted service as a simple, passive data drop or message relay. Abusing an AI assistant adds a layer of intelligence and automation. It’s not just a communication channel; it’s a computational and decision-making engine that the attacker can leverage. It transforms the C2 from a simple pipeline into an active, intelligent partner in the attack.
We’re seeing related threats where LLMs dynamically generate malicious code, like JavaScript, directly in a victim’s browser. How does this runtime generation challenge security controls that scan for static threats, and what commonalities does it share with the AI C2 proxy technique?
This is a parallel and equally concerning evolution. Security controls are traditionally built to recognize and block known threats—scanning for specific file hashes or malicious code signatures. But when an LLM generates malicious JavaScript on the fly, directly within the victim’s browser at runtime, there’s no static file to scan. The malicious code doesn’t exist until the moment of execution. This is very similar to what we call Last Mile Reassembly attacks. The common thread with the AI C2 proxy technique is the abuse of a trusted service to dynamically create malicious content that bypasses static defenses. In both scenarios, the attacker is using the AI’s capabilities to generate their attack components in real time, making them ephemeral and incredibly difficult for conventional security tools to detect.
What is your forecast for how threat actors will integrate AI into the entire cyber attack lifecycle over the next two years?
My forecast is that AI will become deeply and seamlessly integrated into every single phase of the attack lifecycle, moving from a novel tool to standard operating procedure. For reconnaissance, AI will automate the discovery of vulnerabilities and high-value targets at a massive scale. For initial access, we’ll see hyper-personalized phishing emails and synthetic identities that are virtually indistinguishable from legitimate communications. During the intrusion itself, as we’ve discussed, AI will serve as an adaptive C2 engine, automating evasion and lateral movement. Finally, for the attack’s objective, AI will optimize data exfiltration and even help attackers craft more convincing and coercive ransomware negotiations. Essentially, threat actors will leverage AI as their own automated, highly efficient red team, dramatically increasing the speed, scale, and sophistication of their campaigns.