A report from the Google Threat Intelligence Group (GTIG) has confirmed the first instances of threat actors using generative AI to find zero-day vulnerabilities.
From state-sponsored groups in China and North Korea to profit-driven cybercriminals, the barrier to high-level exploitation has officially collapsed, leading to what researchers call the “industrialization of adversarial workflows.”
Key Points
- Confirmed Zero-Day: First known case of a zero-day exploit (a 2FA bypass) generated via AI by criminal actors.
- State-Sponsored Activity: PRC (China) and DPRK (North Korea) groups are using “persona-driven jailbreaking” to audit firmware.
- Autonomous Malware: New malware families like PROMPTSPY use AI to interpret system states and generate commands dynamically.
- Industrial Scale: Attackers are using automated pipelines to recursively test thousands of exploits.
- Supply Chain Risk: Emergence of “TeamPCP” targeting AI software dependencies as an initial access vector.
The Incident: AI Moves to the Front Lines
On May 11, 2026, Google released an update on the state of AI-driven threats. The most significant finding is the discovery of a Python-based zero-day exploit designed to bypass two-factor authentication (2FA) on a popular web administration tool.
While Google proactively disrupted the campaign, analysis of the code—featuring “hallucinated” CVSS scores and textbook Pythonic formatting—confirmed with high confidence that the exploit was authored by an LLM.
Technical Details: How AI Finds the “Unfindable”
Traditional automated tools such as fuzzers are excellent at finding memory-safety crashes. However, Google notes that LLMs excel at finding high-level semantic logic flaws that never crash anything.
In the 2FA bypass case, the AI didn’t find a “broken” piece of code; it found a “logical contradiction” where the developer had hardcoded a trust assumption that bypassed the security check. By “reading the developer’s intent,” the AI surfaced a dormant error that would have remained invisible to automated security tools.
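The flaw class described above is a hardcoded trust assumption that short-circuits the second-factor check. The following added example (constructed for this article; it is not the code of the affected tool, which the report does not name) shows a minimal RFC 6238 TOTP verifier, a vulnerable login step in which a caller-controlled "internal" flag skips the one-time code, and the hardened step that always verifies it. The request dictionary, the shared secret and the `internal` flag are assumptions for illustration.

```python
import hashlib
import hmac
import struct

# Constructed shared secret: the RFC 4226 / RFC 6238 test-vector key.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code, at: int, window: int = 1) -> bool:
    """Accept a code for the current step or the adjacent ones (clock skew).

    Rejects anything that is not a six-ASCII-digit string before comparing, and
    uses a constant-time comparison so the check leaks no timing information.
    """
    if not isinstance(code, str) or len(code) != DIGITS:
        return False
    if not (code.isascii() and code.isdigit()):
        return False
    counter = at // STEP_SECONDS
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return True
    return False


def vulnerable_second_factor(req: dict, secret: bytes, now: int) -> bool:
    """The logic flaw: a hardcoded trust assumption bypasses the check entirely.

    Hypothetical history: the developer added the 'internal' flag so a monitoring
    probe could log in without an authenticator, trusting that only the reverse
    proxy could set it. Nothing here actually verifies who set the flag, so any
    caller that can supply it inherits the bypass. No line of this code is
    'broken' in the crash sense; the contradiction is between the intent
    (every login needs a second factor) and the shortcut.
    """
    if req.get("internal") == "true":
        return True
    return verify_totp(secret, req.get("otp"), now)


def hardened_second_factor(req: dict, secret: bytes, now: int) -> bool:
    """No request attribute may short-circuit the second factor.

    Special-purpose callers get their own credential and their own audited path;
    they do not get a flag that turns the human login flow into a no-op.
    """
    return verify_totp(secret, req.get("otp"), now)


def compare_paths(now: int) -> dict:
    """Run the same constructed requests through both checks for side-by-side review."""
    flag_only = {"internal": "true"}          # no code at all
    good_code = {"otp": totp(SECRET, now)}    # what a real authenticator shows
    bad_code = {"otp": "000000"}
    return {
        "vulnerable_accepts_flag_without_code": vulnerable_second_factor(flag_only, SECRET, now),
        "hardened_accepts_flag_without_code": hardened_second_factor(flag_only, SECRET, now),
        "hardened_accepts_valid_code": hardened_second_factor(good_code, SECRET, now),
        "hardened_accepts_wrong_code": hardened_second_factor(bad_code, SECRET, now),
    }


if __name__ == "__main__":
    for name, outcome in compare_paths(now=59).items():
        print(f"{name}: {outcome}")
```

The point for reviewers is that a grep for crashes or unsafe calls finds nothing here; only reading the condition against the stated intent ("every login verifies a second factor") exposes the gap, which is the kind of semantic audit the report says LLMs now perform. Code review checklists and unit tests that assert the second factor cannot be skipped by any request attribute close this class regardless of who finds it.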
Who is Affected: The Global Scope
- PRC-Nexus (APT27): Observed using Gemini to build “ORB” (Operational Relay Box) networks to anonymize their attacks.
- DPRK-Nexus (APT45): Sending thousands of recursive prompts to validate Proof-of-Concept (PoC) exploits at a scale impossible for human teams.
- Enterprise AI Users: Groups like TeamPCP are now targeting the AI software supply chain (Insecure Integrated Components) to gain initial access to corporate networks.
Autonomous Malware: The Rise of PROMPTSPY
The Google report highlights a shift toward Agentic Workflows. Instead of a hacker manually typing commands, new malware like PROMPTSPY and PROMPTFLUX interact with AI APIs to:
- Sense the victim’s environment.
- Request a specific obfuscation technique to evade the local antivirus.
- Generate a unique, polymorphic payload “just-in-time” for execution.
Impact and Risks
The primary risk is the collapse of the “Time-to-Exploit” window. Previously, turning a vulnerability into a working exploit took days or weeks. With AI-augmented development, this is shrinking to minutes, allowing for mass exploitation events that can outpace human defenders.
Mitigation Tips: Fighting AI with AI
Google emphasizes that the only way to counter AI-scale attacks is through AI-scale defense:
- Use AI Security Agents: Tools like Google’s Big Sleep and CodeMender are now being used to find and auto-patch vulnerabilities before attackers see them.
- Secure AI Framework (SAIF): Organizations should adopt the SAIF taxonomy to identify “Rogue Actions” and “Insecure Components” in their AI deployments.
- Harden Management Interfaces: As seen in the 2FA bypass, web-based admin tools are primary targets. Use hardware security keys (FIDO2) which are resilient to the logic-based bypasses AI currently generates.
FAQ Section
Q. Can AI discover zero-day vulnerabilities?
A. Yes. Google Threat Intelligence Group has confirmed that threat actors are now using LLMs to identify high-level logic flaws and hardcoded static anomalies to create zero-day exploits.
Q. What is the “Bleeding Edge” of AI malware?
A. It refers to autonomous malware like PROMPTSPY, which uses AI agents to dynamically generate commands and evade detection based on the specific environment it is attacking.
Q. How are hackers bypassing AI guardrails?
A. Attackers use “persona-driven jailbreaking,” where they command the AI to act as a “senior security auditor” or “C++ binary expert” to bypass safety filters and generate malicious code.