AI As Malicious C2 Servers Is Almost Here
Recent work by Check Point Research has shown how cybercriminals could use AI to enhance an existing attack method. Check Point has dubbed it AI as a C2 Proxy, and it introduces more headaches for anyone with a web supply chain to protect. It can be defended against, but before we get to that, let’s begin with a definition.
What’s C2?
C2 is short for command and control. It’s the communication channel attackers use to remotely control compromised systems. Whenever you see a story about “botnets,” a C2 server is at the heart of it.
In a typical cyberattack, malware infects a device, which then connects to a C2 server controlled by the attacker. They use it to send commands, telling the device (or multiple devices in the case of a botnet) to do things such as exfiltrate data, download additional malware, or flood a target with requests to overwhelm it. Once the infected system completes its assigned tasks, it reports back to the attacker.
The New Approach
The problem with this method for attackers is that it’s fairly easy to scupper. Domains can be blocked, infrastructure taken down, and suspicious traffic patterns detected by defenders.
But Check Point Research realized that AI could help attackers work around this problem using the following approach:
- The attacker infects a machine and installs a piece of malware.
- The malware communicates with an AI assistant through its public web interface.
- It prompts the AI agent to issue an HTTPS request to an attacker-controlled URL, pull content from that site, and return the attacker’s response via the AI output back to the malware.
In this way, the AI service effectively acts as an intermediary between the malware and the attacker, doing the job of a C2 server, but with none of the hassle.
The researchers demonstrated the concept using publicly accessible AI chat interfaces for Grok and Microsoft Copilot, which allow prompts to retrieve or summarize external web content without the need for direct API integration.
Because the AI model retrieves the content and returns it in its response, the malware never needs to contact the attacker’s infrastructure directly.
Instead, the communication happens through the AI platform itself.
The Advantage
There are several major benefits of this approach.
- By hooking into major AI services, attackers can take advantage of encrypted traffic via trusted infrastructure that organizations are unlikely to block.
- Requests to AI platforms typically occur over HTTPS, which limits visibility into the content of those interactions. Because the traffic looks like normal interaction with trusted platforms, detection becomes significantly harder.
- When employees routinely use AI assistants, this creates background noise that attackers can hide their activities within. When it becomes the norm for AI tools to retrieve external content on behalf of users, these requests stand a better chance of avoiding suspicion.
Together, these factors add up to an environment where AI platforms could potentially be used as stealthy communication channels.
Where Traditional Security Controls Fall Short
Although this exploit hasn’t been observed in the wild yet, it’s only a matter of time, now that the concept has been made public. With that in mind, it’s best to start preparing to defend against it now, but that will be tricky with typical methods.
Many existing security controls focus on network or server-side threats. However, AI-assisted attacks often operate within the browser or user environment, where visibility is limited.
Because the communication occurs through legitimate browser sessions and trusted AI platforms, traditional network defenses may see only normal HTTPS traffic to well-known services.
Common blind spots include:
- AI-driven requests to external domains
- Prompt-injection payloads embedded in URLs or content
- Malicious scripts triggering AI queries
- Data exfiltration through AI responses
Without client-side monitoring, these activities may go unnoticed.
Defending Against AI-Assisted Client-Side Attacks
AI-driven third-party interactions in the browser demand the same level of deep visibility and constant monitoring as other third parties. Prompt injection and hidden commands embedded in URLs should be detected before they execute, and security teams also need to identify unexpected data flows leaving the browser.
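One way to make those two checks concrete, as an added example (not code from Check Point Research or Reflectiz): the function below reviews outbound requests recorded per page script, flags destinations outside that script's baseline, and flags AI-assistant requests whose parameters carry an embedded URL or a fetch-style instruction. The `AI_HOSTS` list, the `q` parameter, the record shape and the `.example` domains are assumptions made for illustration.

```javascript
// Added example: review outbound requests made by page scripts.
// AI_HOSTS is an assumed, illustrative list; extend it for your environment.
const AI_HOSTS = new Set(["copilot.microsoft.com", "grok.com"]);
const FETCH_HINT = /\b(fetch|open|visit|summari[sz]e|retrieve|browse)\b/i;
const EMBEDDED_URL = /https?:\/\/[^\s"'<>]+/i;

// requests: [{ script, url }]; baseline: { scriptOrigin: [expected hosts] }
function reviewRequests(requests, baseline) {
  const findings = [];
  for (const { script, url } of requests) {
    let dest;
    try {
      dest = new URL(url);
    } catch {
      findings.push({ script, url, reasons: ["unparseable-url"] });
      continue;
    }
    const reasons = [];
    const known = new Set(baseline[script] || []);
    // Behavioral deviation: the script contacts a host it never used before.
    if (!known.has(dest.hostname)) reasons.push("host-not-in-baseline");
    if (AI_HOSTS.has(dest.hostname)) {
      // searchParams percent-decodes values, so encoded URLs are seen too.
      for (const [key, value] of dest.searchParams) {
        if (EMBEDDED_URL.test(value)) reasons.push(`embedded-url:${key}`);
        if (FETCH_HINT.test(value)) reasons.push(`fetch-instruction:${key}`);
      }
    }
    if (reasons.length) findings.push({ script, url, reasons });
  }
  return findings;
}

// Constructed sample data (not captured traffic); parameter names are made up.
const SAMPLE_BASELINE = {
  "https://cdn.chat-widget.example": ["api.chat-widget.example"],
  "https://shop.example": ["shop.example", "copilot.microsoft.com"],
};
const SAMPLE_REQUESTS = [
  { script: "https://cdn.chat-widget.example",
    url: "https://api.chat-widget.example/v1/messages" },
  { script: "https://cdn.chat-widget.example",
    url: "https://grok.com/?q=summarize%20https%3A%2F%2Fcontent.example%2Fpage" },
  { script: "https://shop.example",
    url: "https://copilot.microsoft.com/?q=opening%20hours" },
];
```

Only the second sample request is flagged: the widget script has no baseline entry for the AI host, and the decoded parameter contains both a URL and a fetch-style verb. The third passes because that script's baseline already includes the assistant and its query carries neither signal.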
Where Reflectiz Can Help
The AI as a C2 Proxy technique highlights a broader challenge: as AI tools become embedded in websites and web workflows, they expand your attack surface in ways traditional security controls weren’t built to see. That’s precisely where Reflectiz is designed to shine.
1. Detecting unexpected outbound data flows from your website
The most direct risk this research surfaces for website owners is data leaving the browser through channels that look legitimate. Reflectiz continuously monitors all outbound network requests made by scripts on your pages, and uses AI-powered code analysis to surface hidden data flows and identify when a script begins sending data to unexpected domains. If a third-party component on your site starts routing information through an AI platform as part of an exfiltration path, Reflectiz will flag the anomaly — even when the destination is a trusted service like Copilot or Grok.
2. Monitoring AI components embedded on your pages for behavioral changes
Many websites now embed AI assistants and chat widgets as third-party components. Like any third-party script, these can be compromised or updated without your knowledge. Reflectiz continuously monitors all scripts, iframes, tags, and web components on your pages for behavioral changes — revealing not just whether they’re present, but what they’re doing. If an embedded AI widget suddenly starts making requests it didn’t make before, or communicating with domains outside its normal pattern, Reflectiz issues an immediate alert. You set the behavioral baseline; any deviation triggers a notification.
3. Supply chain visibility across your entire web ecosystem
The AI as a C2 Proxy technique exploits trust — trust in platforms, in traffic patterns, in familiar services. Supply chain attacks work the same way. Reflectiz maps your entire digital supply chain, giving you a complete inventory of every first-, third-, and fourth-party component on your site, who it communicates with, and what data it touches. When a new AI script or integration appears on one of your pages — whether you added it intentionally or not — Reflectiz surfaces it immediately. Security teams can then enforce allowlists, restrict domains, or block the component entirely via an API call to your WAF.
Conclusion
This exploit turns AI assistants into potential stealth command-and-control channels. While the research demonstrated a proof-of-concept, it highlights how AI platforms could become an additional layer in modern attack infrastructure.
As AI assistants become embedded in everyday workflows and web applications, they effectively expand the client-side web supply chain.
Reflectiz can help reduce risk by monitoring browser-side AI interactions, detecting suspicious external requests, and giving security teams deeper visibility and control over third-party AI integrations. Try it for yourself today!