LLM-as-C2

A command-and-control pattern in which a local payload sends context to an external large language model and receives instructions back. This removes some logic from the binary itself and creates a dependency on outbound connectivity, service trust, and response latency.

Expanded Definition

LLM-as-C2 is an attack pattern where malware or a scripted payload outsources part of its command logic to a hosted large language model, then receives tasking, branching decisions, or rewritten instructions in return. In NHI and agentic AI security, this is less about “using AI” and more about turning an external model into a dynamic control plane for malicious or covert automation.

The pattern overlaps with command-and-control, prompt mediation, and tool orchestration, but it is distinct because the payload depends on model availability, prompt fidelity, and transport trust rather than hard-coded decision trees. The security implications are covered in broader agentic application guidance such as the OWASP Top 10 for Agentic Applications 2026 and the NIST AI Risk Management Framework, both of which stress that delegated reasoning and external dependencies expand the attack surface. Definitions vary across vendors on whether LLM-as-C2 requires malicious intent or simply external decision dependence, but NHIMG treats the threat pattern as relevant whenever a payload can be remotely steered through model responses.

The most common misapplication is treating it as ordinary API-driven automation, which occurs when defenders ignore how model output can become adversary-controlled tasking.

Examples and Use Cases

Detecting LLM-as-C2 rigorously means inspecting outbound model traffic, which adds inspection overhead and latency; organisations have to balance that visibility against the operational need to avoid blocking legitimate model use.

  • A loader sends host, process, or environment context to a public model and asks for the next execution step, making the model act as an adaptive controller rather than a static script.
  • A phishing or malware family changes commands based on LLM responses to evade simple signature-based detection, a pattern adjacent to the abuse discussed in AI LLM hijack breach.
  • An operator uses a compromised NHI to call an LLM endpoint and generate fresh instructions or shell commands, illustrating the credential abuse dynamics described in LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
  • A covert agent requests policy decisions from a model before selecting a target system, similar in shape to agentic routing issues highlighted in the NIST AI 600-1 Generative AI Profile.
  • A security team red-teams a detection stack by simulating outbound prompt traffic and observing whether the SOC can distinguish normal LLM use from command-bearing traffic patterns.

These examples align with the control concerns in the OWASP NHI Top 10, where trust boundaries around prompts, tools, and external services are central to secure design.

Why It Matters in NHI Security

LLM-as-C2 matters because the command channel is no longer just code: it is also the model relationship, the outbound credential, and the trust placed in remote inference. That means defenders must monitor secrets, API keys, service identities, and egress patterns together, not as separate problems. In the NHI domain, a compromised workload identity can become the bridge that lets an attacker send prompts, receive instructions, and iterate quickly without embedding much logic in the binary itself.

NHIMG research on AI agent abuse shows that 80% of organisations report AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, sharing sensitive data, and revealing credentials. Those findings, alongside the Moltbook AI agent keys breach and the DeepSeek breach, underscore how quickly delegated AI access can become a live abuse path when credentials or exposed data feed external reasoning systems. The right governance response is to treat outbound model access as privileged activity, with explicit approval, telemetry, and revocation paths. Organisations typically encounter the operational impact only after an investigation reveals model-mediated tasking in malicious traffic, at which point addressing LLM-as-C2 becomes unavoidable.
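The detection and governance points above (distinguishing normal LLM use from command-bearing traffic, monitoring credentials and egress together, and treating outbound model access as privileged) can be made concrete on the egress side. The following Python is an added example, not NHIMG's code or any vendor's product: it correlates a hypothetical NHI inventory of approved model access and revoked key identifiers with constructed egress-proxy log lines, and flags three things a SOC would want to see: model-endpoint calls by identities with no approved model access, use of a revoked key, and beacon-like call sequences to a model endpoint at near-constant intervals. All hostnames, identities, key identifiers and log lines are constructed for the example.

```python
"""Egress-side triage of LLM-as-C2 style traffic (added example, not NHIMG code)."""
from collections import defaultdict
from datetime import datetime
import statistics

# Hypothetical inventory: which service identities are approved to call
# which model endpoints, and which key identifiers have been revoked.
APPROVED_MODEL_ACCESS = {
    "svc-docs-summariser": {"api.example-llm.test"},
}
REVOKED_KEY_IDS = {"key-7f3a"}

# Hostnames treated as model endpoints (constructed for the example).
MODEL_ENDPOINTS = {"api.example-llm.test", "inference.example-llm.test"}

# Constructed proxy log lines, one call per line:
# timestamp identity key_id dest_host path status bytes_out bytes_in
SAMPLE_LOGS = """\
2025-03-01T10:00:00Z svc-docs-summariser key-11aa api.example-llm.test /v1/chat 200 812 2048
2025-03-01T10:00:00Z svc-build-runner key-7f3a api.example-llm.test /v1/chat 200 640 300
2025-03-01T10:01:00Z svc-build-runner key-7f3a api.example-llm.test /v1/chat 200 655 290
2025-03-01T10:02:00Z svc-build-runner key-7f3a api.example-llm.test /v1/chat 200 648 310
2025-03-01T10:03:00Z svc-build-runner key-7f3a api.example-llm.test /v1/chat 200 652 295
2025-03-01T10:05:12Z svc-docs-summariser key-11aa api.example-llm.test /v1/chat 200 4021 5120
2025-03-01T10:07:44Z svc-web-frontend key-2c9d cdn.example.test /static/app.js 200 120 90210
"""


def parse_logs(text):
    """Parse the whitespace-separated proxy log format used above into dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, identity, key_id, host, path, status, out_b, in_b = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "identity": identity,
            "key_id": key_id,
            "host": host,
            "path": path,
            "status": int(status),
            "bytes_out": int(out_b),
            "bytes_in": int(in_b),
        })
    return records


def model_calls(records):
    """Keep only calls whose destination is a known model endpoint."""
    return [r for r in records if r["host"] in MODEL_ENDPOINTS]


def find_unapproved_model_calls(records):
    """Identities reaching a model endpoint they are not inventoried for."""
    findings = set()
    for r in model_calls(records):
        allowed = APPROVED_MODEL_ACCESS.get(r["identity"], set())
        if r["host"] not in allowed:
            findings.add((r["identity"], r["host"]))
    return sorted(findings)


def find_revoked_key_use(records):
    """Any call, to any host, that still presents a revoked key identifier."""
    return sorted({(r["identity"], r["key_id"])
                   for r in records if r["key_id"] in REVOKED_KEY_IDS})


def find_beacon_like_sequences(records, min_calls=4, max_jitter=0.2):
    """(identity, host) pairs polling a model endpoint at near-constant intervals.

    Jitter is the coefficient of variation of the inter-call gaps; a loader
    asking a model for its next step tends to produce a far steadier cadence
    than interactive or batch use.
    """
    by_pair = defaultdict(list)
    for r in model_calls(records):
        by_pair[(r["identity"], r["host"])].append(r["ts"])
    findings = []
    for (identity, host), stamps in by_pair.items():
        if len(stamps) < min_calls:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        if statistics.pstdev(gaps) / mean_gap <= max_jitter:
            findings.append((identity, host, round(mean_gap), len(stamps)))
    return findings


def triage(text):
    """Run all three checks over a log text and return the findings by category."""
    records = parse_logs(text)
    return {
        "unapproved_model_access": find_unapproved_model_calls(records),
        "revoked_key_use": find_revoked_key_use(records),
        "beacon_like": find_beacon_like_sequences(records),
    }


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOGS).items():
        print(category, items)
```

Run as a script, the constructed logs produce one finding in each category, all for svc-build-runner: it has no inventoried model access, it presents the revoked key, and it calls the model endpoint every 60 seconds. The approved summariser identity, whose calls are irregular and larger, is not flagged. The thresholds (`min_calls`, `max_jitter`) and the endpoint list are assumptions to tune per environment; the point is that credential inventory and egress telemetry are evaluated together rather than as separate feeds.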

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-02              | Covers secret exposure and abuse of non-human credentials used to reach model endpoints.
OWASP Agentic AI Top 10          | A1                  | Addresses prompt and tool abuse where model output steers autonomous actions.
NIST CSF 2.0                     | PR.AC-4             | Least-privilege and access control are essential when model access becomes a command path.

Inventory and protect NHI credentials that can initiate model calls, and revoke any exposed key immediately.