AI chatbots Grok and Copilot could be abused as hidden channels for malware, researchers warn

Published: 18 February 2026
Last updated: 19 February 2026
grok and copilot could be abused as hidden channels for malware
Image by Cybernews

AI assistants, including Grok and Microsoft Copilot, could be manipulated by attackers to secretly pass instructions to malware, highlighting how everyday AI tools may become part of future cyberattacks.

The claims come from Check Point Research (CPR), which demonstrated that AI chatbots with web browsing or URL-fetching capabilities can be turned into stealthy command-and-control (C2) relays between hackers and infected machines.

jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News
Google News Follow us
ADVERTISEMENT

In practice, this means that malware could send a prompt to a chatbot, which then retrieves information from an attacker-controlled site and returns instructions – an activity that may look like ordinary AI use inside a corporate network.

The attack method, which has been demonstrated against Microsoft Copilot and xAI Grok, has been named “AI as a C2 proxy” by CPR. It demonstrates how AI may not just help create malware, but it could also become part of how attacks operate in real time.

What Check Point Research discovered

CPR found that AI assistants with web browsing or URL fetching can be misused as covert communication relays between hackers and infected machines [“AI as proxy”].

Grok and Copilot were used, researchers added, because both allowed web browsing and URL fetching without requiring an API key or logged-in account, making them suitable for a real-world proof of concept.

Researchers warn that this technique could allow malicious communications to hide inside routine AI activity, “allowing attacker traffic to blend seamlessly into legitimate, commonly permitted enterprise communications.”

How “AI as Proxy” works

According to CPR, instead of malware communicating directly with an attacker's command-and-control server, it interacts with an AI chatbot through its normal web interface.

ADVERTISEMENT

“AI assistants with web-browsing and URL fetch capabilities can be abused as covert command-and-control relays, effectively using AI as a C2 proxy.”

Malware sends a prompt asking the chatbot to visit an attacker-controlled webpage and retrieve or summarize its contents.

malicious website instructs ai coding tools to run malware
CPR's research shows how chatbots that allow web browsing and URL fetching without API key can be manipulated by attackers.

From there, AI acts as a “middleman.”

The researchers showed how attackers could “drive [AI assistants] through their web interfaces to fetch attacker-controlled URLs and return responses, creating a bidirectional channel that tunnels victim data out and commands back in.”

Because this interaction looks like standard chatbot use, it may be difficult for security teams to distinguish from normal employee activity.

The conversation on this topic is live. Join in the discussion.

The researchers note that this can happen “without an API key or registered account” (as the examples of Grok and Copilot prove), reducing the effectiveness of traditional controls such as account suspension or credential revocation.

Beyond direct command generation, CPR also noted that an attacker could use the AI agent in evasion techniques.

ADVERTISEMENT

An attacker might ask the AI whether the system is worth further exploration, which tools to deploy next, or how aggressively to move laterally without raising suspicion.”

Check Point Research

A gradual shift towards AI-driven malware?

For all this to happen, there’s one key prerequisite: the threat actor must have already compromised a machine by some other means and installed malware.

It then needs to use Copilot or Grok as a C2 channel using specially crafted prompts that cause the AI agent to contact the attacker-controlled infrastructure and pass the response containing the command to be executed on the host back to the malware.

While theoretical (there are no “in the wild” citations mentioned in the research), CPR believes that it highlights a wider evolution in cyber threats, where malware relies less on fixed instructions and more on AI-generated decisions.

"The findings point to a near-term evolution in malware development, where implants shift from static logic to prompt-driven, adaptive behavior that can autonomously plan operations, prioritize targets and data, and amidst tactics in real time based on environmental feedback.”

Check Point Research

The upshot is that this could make attacks more flexible and harder to detect as AI becomes standard across many organizations.

Unlock more exclusive Cybernews content on YouTube

ADVERTISEMENT
Share
Post
Share
Share
Share
More from Cybernews
US regulator reviews school internet funding over children's screen time
Bernard Meyer: “Trust me, not everyone will make it through the AI transition”
Experts say EU remains years away from technological independence despite sovereignty plans
Pentesters turn up the heat on Shelly as Bluetooth thermostat flaw leaves smart homes exposed
Researcher easily finds five OpenClaw zero-days just as Microsoft expands its use of platform
Passwords and locations at risk in alleged Grindr data leak
ADVERTISEMENT
Leave a Reply

Your email address will not be published. Required fields are markedmarked