
When Malware Talks to AI: The Quiet Rise of AI as a Command-and-Control Channel
For years, defenders have trained their eyes on suspicious domains, strange IP addresses, and traffic heading to infrastructure nobody’s heard of. That’s how malware typically “phones home.” It reaches out to a command-and-control server to receive instructions or send back stolen data.
But what happens when malware doesn’t phone home to a shady server?
What happens when it talks to an AI platform instead?
The Old Model: Obvious Bad Infrastructure
Traditional command-and-control setups look something like this:
- An attacker compromises a machine
- The malware connects to a remote server controlled by the attacker
- Data gets sent out and commands come back in
Security teams detect this by looking for:
- Known malicious IP addresses
- Suspicious domains
- Large outbound data transfers
- Encrypted traffic to unfamiliar infrastructure
It’s a pattern we’ve gotten pretty good at spotting.
The New Twist: Blending Into Trusted Traffic
Researchers have started demonstrating something more subtle.
Instead of sending stolen data to a suspicious server, malware can use legitimate cloud platforms, including AI services, as a relay layer.
Here’s the basic idea:
- The infected system collects data
- Instead of sending it directly to the attacker, it sends it to a trusted AI API
- The data is embedded inside what looks like a normal prompt
- The attacker later retrieves it through an account or workflow they control
From a network perspective, the traffic looks completely ordinary.
It’s HTTPS.
It’s going to a well-known domain.
It matches approved enterprise tools.
Nothing screams breach.
Why This Works
AI platforms have a few characteristics that make them attractive as covert channels:
- They are widely allowed inside corporate environments
- They operate over encrypted HTTPS
- They accept arbitrary text input
- They generate structured output that can also carry hidden data
Attackers don’t need the AI to be malicious. They just need it to act as a middleman.
And this isn’t entirely new behavior. In the past, attackers have used:
- Google Docs
- GitHub
- Slack
- Telegram
The difference now is flexibility. AI APIs are programmable, context-aware, and capable of carrying encoded information inside natural language without raising immediate suspicion.
How Exfiltration Can Be Hidden
At a high level, malware could:
- Compress and encode stolen data
- Break it into small chunks
- Embed it inside prompt text
- Send it slowly over time
To monitoring systems, it looks like a user making repeated AI requests.
There’s no obvious data dump. No direct connection to criminal infrastructure.
Just normal API usage.
Important Context: AI Isn’t the Root Problem
This technique doesn’t mean AI tools are inherently unsafe.
The real issue begins earlier: initial compromise.
- Phishing
- Credential theft
- Unpatched vulnerabilities
- Malicious downloads
If an attacker already has code running on a machine, they can look for any outbound channel that blends in. AI just happens to be a very modern, very convenient one.
The AI platform isn’t the breach vector. It’s the camouflage.
What This Means for Defenders
Blocking bad domains isn’t enough anymore.
Detection increasingly has to shift toward:
- Endpoint behavior monitoring
- Process-level anomaly detection
- Unusual API usage patterns
- Unexpected automation against AI services
- Monitoring which systems are allowed to access external APIs
The real question isn’t “Is traffic going to a bad place?”
It’s “Is this system behaving in a way that makes sense?”
That’s a much harder problem.
What This Means for Threat Hunters and Defenders
If AI platforms can be abused as covert channels, traditional network-centric detection loses some effectiveness. Blocking bad IPs or flagging unknown domains will not catch traffic headed to a trusted AI provider.
So the focus has to shift.
1. Hunt at the Endpoint, Not Just the Network
The key question becomes: Why is this system talking to an AI API in the first place?
Threat hunters should look for:
- Non-browser processes making outbound AI API calls
- Background services suddenly generating prompt traffic
- Script engines or unknown binaries interacting with AI endpoints
- AI usage from servers that normally have no business using it
The anomaly is often behavioral, not infrastructural.
2. Watch for Automation Patterns
Legitimate AI use usually follows human rhythms. Malicious use often looks different:
- High-frequency, evenly spaced requests
- API calls outside business hours
- Large volumes of structured text embedded in prompts
- Sudden spikes from service accounts
Telemetry and baselining become critical. If you know what “normal” looks like, abuse stands out faster.
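As an added example (not code from the original post), the following Python script turns the hunting points from sections 1 and 2 above into concrete checks over a small constructed egress-proxy log of calls to an AI API: non-browser processes and server-class hosts reaching the endpoint, off-hours requests, machine-like evenly spaced cadence, and oversized prompts. It also includes a simple content check, the longest unbroken run of base64-alphabet characters in a prompt body, for environments where the proxy can inspect prompt text. The log format, field names, the `srv-` host-naming convention, business hours, process allowlist and every threshold are assumptions to be replaced by an organization's own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress-proxy log (not real telemetry); field names are assumptions.
SAMPLE_LOG = """\
2024-05-06T10:02:11Z host=ws-017 proc=chrome.exe dst=api.example-ai.test prompt_chars=180
2024-05-06T10:09:45Z host=ws-017 proc=chrome.exe dst=api.example-ai.test prompt_chars=95
2024-05-06T14:31:02Z host=ws-017 proc=chrome.exe dst=api.example-ai.test prompt_chars=410
2024-05-06T02:00:00Z host=srv-db-03 proc=svchost.exe dst=api.example-ai.test prompt_chars=3900
2024-05-06T02:01:00Z host=srv-db-03 proc=svchost.exe dst=api.example-ai.test prompt_chars=3900
2024-05-06T02:02:00Z host=srv-db-03 proc=svchost.exe dst=api.example-ai.test prompt_chars=3900
2024-05-06T02:03:00Z host=srv-db-03 proc=svchost.exe dst=api.example-ai.test prompt_chars=3900
2024-05-06T02:04:00Z host=srv-db-03 proc=svchost.exe dst=api.example-ai.test prompt_chars=3900
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) prompt_chars=(?P<chars>\d+)"
)
# Tunables (all assumptions; derive the real values from your own baseline)
BROWSER_PROCS = {"chrome.exe", "msedge.exe", "firefox.exe"}
BUSINESS_HOURS = range(8, 19)        # 08:00-18:59 local
SERVER_HOST_PREFIXES = ("srv-",)     # hosts that have no business using AI APIs
BIG_PROMPT_CHARS = 2000              # larger than typical interactive prompts
MIN_EVENTS_FOR_CADENCE = 4           # need a few gaps before judging regularity
CADENCE_CV_THRESHOLD = 0.2           # coefficient of variation below this = machine-like


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"], "proc": m["proc"], "dst": m["dst"],
            "chars": int(m["chars"]),
        })
    return events


def analyze(events):
    """Group events per host; return {host: [finding, ...]} for hosts with anomalies."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        flags = []

        # Section 1: non-browser processes and server-class hosts talking to AI endpoints
        odd_procs = {e["proc"] for e in evs} - BROWSER_PROCS
        if odd_procs:
            flags.append("non-browser process: " + ", ".join(sorted(odd_procs)))
        if host.startswith(SERVER_HOST_PREFIXES):
            flags.append("AI API use from a server-class host")

        # Section 2: requests outside business hours
        off_hours = [e for e in evs if e["ts"].hour not in BUSINESS_HOURS]
        if off_hours:
            flags.append(f"{len(off_hours)} request(s) outside business hours")

        # Section 2: evenly spaced requests. Humans produce irregular gaps (high CV);
        # a scheduled loop produces near-identical gaps (CV close to 0).
        if len(evs) >= MIN_EVENTS_FOR_CADENCE:
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
            avg = mean(gaps)
            cv = pstdev(gaps) / avg if avg > 0 else 0.0
            if cv < CADENCE_CV_THRESHOLD:
                flags.append(f"evenly spaced requests (cv={cv:.2f}, mean gap={avg:.0f}s)")

        # Section 2: oversized prompts, the volume signal for large embedded text
        big = [e for e in evs if e["chars"] >= BIG_PROMPT_CHARS]
        if big:
            flags.append(f"{len(big)} prompt(s) over {BIG_PROMPT_CHARS} chars")

        if flags:
            findings[host] = flags
    return findings


B64_RUN_RE = re.compile(r"[A-Za-z0-9+/=]+")


def longest_encoded_run(prompt):
    """Longest unbroken run of base64-alphabet characters in a prompt body.
    Natural language is broken by spaces and punctuation every few characters;
    an encoded chunk is one long run. Only usable where prompt bodies are inspected."""
    return max((len(r) for r in B64_RUN_RE.findall(prompt)), default=0)


if __name__ == "__main__":
    for host, flags in analyze(parse_log(SAMPLE_LOG)).items():
        print(host)
        for f in flags:
            print("  -", f)
    print(longest_encoded_run("Please summarize this meeting note about Q3 planning."))
    print(longest_encoded_run("SGVsbG8gd29ybGQ=" * 4))  # constructed encoded blob
```

In the constructed log the workstation `ws-017` produces no findings, while `srv-db-03` trips all five checks at once; in practice a single flag is a hunting lead and the combination is what justifies pulling the endpoint's process telemetry. The cadence test uses the coefficient of variation of inter-request gaps so it works at any polling interval, and the encoded-run check is deliberately crude: it is a triage signal for proxies that log prompt bodies, not proof of exfiltration.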
3. Restrict and Segment AI Access
Not every machine needs outbound AI access. Defensive measures might include:
- Allowlisting which hosts can access AI APIs
- Forcing AI usage through monitored proxies
- Restricting API keys to specific workloads
- Enforcing strong authentication and logging on AI accounts
If malware can’t reach the AI service, it can’t use it as a covert channel.
4. Strengthen Initial Compromise Detection
Remember, AI-as-C2 is not the initial entry point. It’s post-compromise tradecraft. The real defensive wins are still:
- Phishing-resistant MFA
- Patch management discipline
- EDR with strong behavioral detection
- Rapid credential rotation
If the attacker never gets execution, they never get to be clever.
Why This Is Attractive From an Attacker’s Perspective
From a risk calculus standpoint, using trusted platforms reduces friction. Attackers are constantly balancing:
- Stealth
- Cost
- Infrastructure maintenance
- Detection risk
Building and maintaining dedicated C2 infrastructure is expensive and fragile. It gets burned. It gets blocked. It gets seized.
Leveraging trusted platforms shifts that burden. The traffic blends in. The infrastructure is resilient. The reputation is inherited from the provider.
This reflects a broader pattern in modern intrusions: living off trusted services instead of standing out.
For defenders, that means reputation-based blocking is no longer enough. The battle moves from “Is this domain bad?” to “Is this behavior legitimate?”
That’s a much more nuanced fight.
The Bigger Picture
This is part of a broader shift in attacker tradecraft. Instead of building obvious infrastructure, attackers are living off trusted platforms.
Cloud services.
Collaboration tools.
AI APIs.
The more embedded these platforms become in daily business operations, the more attractive they are as cover.
And that’s the real takeaway.
The future of command-and-control isn’t necessarily hidden in some obscure data center.
