{"id":7164,"date":"2026-02-19T10:22:03","date_gmt":"2026-02-19T10:22:03","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7164"},"modified":"2026-02-19T10:22:03","modified_gmt":"2026-02-19T10:22:03","slug":"hackers-can-turn-grok-copilot-into-covert-command-and-control-channels-researchers-warn","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7164","title":{"rendered":"Hackers can turn Grok, Copilot into covert command-and-control channels, researchers warn"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

Enterprise security teams racing to enable generative AI tools may be overlooking a new risk: attackers can abuse web-based AI assistants such as Grok and Microsoft Copilot to quietly relay malware communications through domains that are often exempt from deeper inspection.<\/p>\n

The technique, outlined<\/a> by Check Point Research (CPR), exploits the web-browsing and URL-fetch capabilities of these platforms to create a bidirectional command-and-control channel that blends into routine AI traffic and requires neither an API key nor an authenticated account.<\/p>\n

\u201cOur proposed attack scenario is quite simple: an attacker infects a machine and installs a piece of malware,\u201d CPR said. The malware then communicates with the AI assistant through the web interface, prompting it to fetch content from an attacker-controlled URL and return embedded instructions to the implant.<\/p>\n

Because many organizations allow outbound access to AI services by default and apply limited inspection to that traffic, the approach effectively turns trusted AI domains into covert egress infrastructure.<\/p>\n

Security analysts said the findings expose a growing blind spot in enterprise AI governance.<\/a><\/p>\n

\u201cEnterprises that allow unrestricted outbound access to public AI web services without inspection, identity controls, or strong logging are more exposed than many realize,\u201d said Sakshi Grover<\/a>, senior research manager for IDC Asia Pacific Cybersecurity Services.<\/p>\n

\u201cThese platforms can effectively function as trusted external endpoints, meaning malicious activity can be concealed within normal network traffic, including routine HTTPS sessions to widely used AI domains,\u201d she added.<\/p>\n

Sunil Varkey<\/a>, a cybersecurity analyst, said the technique echoes past evasion strategies such as steganography and \u201cliving off the land\u201d attacks, where adversaries abuse legitimate tools and trusted infrastructure to avoid detection.<\/p>\n

CPR said using AI platforms as C2 relays is only one potential abuse case. The same interfaces could be prompted to generate operational commands on demand, from locating files and enumerating systems to producing PowerShell scripts for lateral movement, allowing malware to determine its next steps without direct human control.<\/p>\n

In a more advanced scenario, an implant could transmit a brief profile of the infected host and rely on the model to determine how the attack should progress.<\/p>\n

A structural shift in detection<\/h2>\n

The research also points to a broader shift in how malware may evolve as AI becomes embedded<\/a> in runtime operations rather than just development workflows.<\/p>\n

\u201cWhen AI moves from assisting development to actively guiding malware behavior at runtime, detection can no longer rely solely on static signatures or known infrastructure indicators,\u201d said Krutik Poojara<\/a>, a cybersecurity practitioner. \u201cInstead of hardcoded logic, you are dealing with adaptive, polymorphic, context-aware behavior that can change without modifying the malware itself.\u201d<\/p>\n

Grover said this makes attacks harder to fingerprint, forcing defenders to rely more on behavioral detection and tighter correlation across endpoint, network, identity, and SaaS telemetry.<\/p>\n

More significantly, this changes the tempo of defense. If attackers can dynamically adjust commands and execution paths based on the environment they encounter, security teams are no longer responding to a fixed playbook but to a continuously evolving interaction.<\/p>\n

\u201cThis compresses the window between intrusion and impact and increases the importance of real-time detection, automated response, and tighter feedback loops between threat intelligence and SOC operations,\u201d Grover said.<\/p>\n

Steps to take<\/h2>\n

Security leaders should not respond by blocking AI outright, analysts said, but by applying the same governance discipline used for other high-risk SaaS platforms.<\/p>\n

Varkey recommended starting with a comprehensive inventory of all AI tools in use and establishing a clear policy framework for approving and enabling them.<\/p>\n

Organizations should also implement AI-specific traffic monitoring and sequence-based detection rules to identify abnormal automation patterns. Other options to consider include rolling out phased awareness programs. \u201cFrom an architectural standpoint, organizations should also invest in platforms that provide unified visibility across network, cloud, identity, and application layers, enabling security teams to correlate signals and trace activity across domains rather than treating AI usage as isolated web traffic,\u201d Grover said.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

Enterprise security teams racing to enable generative AI tools may be overlooking a new risk: attackers can abuse web-based AI assistants such as Grok and Microsoft Copilot to quietly relay malware communications through domains that are often exempt from deeper inspection. The technique, outlined by Check Point Research (CPR), exploits the web-browsing and URL-fetch capabilities […]<\/p>\n","protected":false},"author":0,"featured_media":7165,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7164","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7164"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7164"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7164\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7165"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7164"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7164"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7164"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}