Google Warns Hackers Are Using AI to Build Zero-Day Exploits Faster Than Ever

Researchers at Google Threat Intelligence Group say attackers likely used AI to discover and weaponize a zero-day exploit that bypassed 2FA in a popular web administration tool.

AI Is Changing Cyber Attacks

Cybercriminals are no longer using artificial intelligence only for phishing emails or fake content. They are now using AI to discover and build zero-day exploits.

Researchers at Google Threat Intelligence Group (GTIG) recently found a zero-day exploit targeting a widely used open-source web administration platform. The flaw allowed attackers to bypass two-factor authentication (2FA). This created a serious risk for organizations using the platform for secure system administration.

Google did not reveal the name of the affected platform. However, the company confirmed that it stopped the attack before mass exploitation began. Even so, the bigger concern is what this incident means for the future of cyber threats.

Signs That AI Helped Build the Exploit

GTIG says the Python exploit code strongly suggested the use of a large language model (LLM). The script included detailed educational docstrings and textbook-style Python formatting. It also contained a hallucinated CVSS score. These signs often appear in AI-generated code.

Google says this is the first time it has identified a threat actor using a zero-day exploit likely developed with AI help. This marks a major change in offensive cyber operations.

Unlike common vulnerabilities found through fuzzing or static analysis, this flaw was a semantic logic bug. These bugs exist in the application’s behavior and design. AI systems are often better at finding them because they can understand logic relationships more effectively.

Threat Groups Are Expanding AI Usage

Google ruled out its own Gemini platform as the source of the exploit. However, researchers found that several threat groups linked to China and North Korea are using AI models for vulnerability discovery and exploit development.

These groups include APT27, APT45, UNC2814, UNC5673, and UNC6201. Their growing use of AI shows that attackers are moving faster and becoming more efficient.

Meanwhile, Russia-linked actors have used AI-generated decoy code to hide malware such as CANFAIL and LONGSTREAM. In another campaign called “Overload,” attackers used AI voice cloning to impersonate journalists and spread fake anti-Ukraine videos.

Android Malware Also Uses AI

Google also highlighted Android malware called PromptSpy. It used Gemini APIs for automated device interaction.

Researchers found a module called “GeminiAutomationAgent” inside the malware. It used hardcoded prompts to bypass LLM safety controls. This allowed the malware to interact with the device automatically.

The malware could also replay authentication methods such as lock patterns and PINs. As a result, attackers gained more control over infected devices.

What Security Leaders Should Do Next

Google warns that threat actors are now scaling access to premium AI tools. They use automated account creation, proxy relay systems, and account-pooling infrastructure to make this possible.

This means advanced AI-powered attacks are becoming easier to launch.

For CISOs and security leaders, this is a serious warning. Attackers now use AI not only for speed but also for precision.

Security teams should improve vulnerability management and strengthen behavior-based detection. They should also review authentication controls beyond traditional 2FA.

AI is no longer only a tool for defenders. It is now a weapon for attackers, and security strategies must adapt quickly.