Google has disclosed a zero-day exploit, likely generated with artificial intelligence (AI), targeting a popular open-source system administration tool. It is the first instance Google reports observing of AI being used for vulnerability discovery and exploit creation in a real-world malicious campaign. The operation, attributed to collaborating cybercrime actors, aimed for mass exploitation by bypassing two-factor authentication (2FA).
The Google Threat Intelligence Group (GTIG) detailed in a report that the exploit was embedded within a Python script. While the tool's name remains undisclosed, Google worked with the vendor to address the vulnerability responsibly. Analysis of the script revealed characteristics strongly suggestive of large language model (LLM) generation: extensive educational docstrings, a CVSS score embedded in the exploit code (which serves no operational purpose and was likely carried over by mistake), and a structured, Pythonic format consistent with LLM training data. AI-assisted discovery and weaponization of this kind shortens the interval between a flaw being found and being exploited at scale, leaving defenders less time to patch.
AI-Powered Cyberattacks Escalate with Zero-Day 2FA Bypass
The discovery of a zero-day 2FA bypass exploit, believed to be AI-generated, highlights the escalating sophistication of cyber threats. According to Google Threat Intelligence Group (GTIG), threat actors exploited a vulnerability in a popular open-source web-based system administration tool. This exploit, embedded within a Python script, effectively allowed unauthorized access by circumventing two-factor authentication, a critical security layer for many online services.
GTIG's analysis pointed to the script exhibiting hallmarks of AI-generated code, such as detailed docstrings and a structured format typical of LLM output. While no direct link to Google's own Gemini AI was established, GTIG assesses with high confidence that AI was involved in the exploit's creation. The vulnerability, a logic flaw in the tool's hard-coded trust assumptions, is exactly the kind of issue LLMs are good at finding.
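The hallmarks GTIG cites (prose-heavy docstrings, an embedded CVSS score, uniform textbook structure) can be turned into a triage heuristic. The following is an added example, not GTIG's tooling and not the script from the report; the two sample sources it scores are constructed for the demonstration, perform no network activity, and are not the real exploit. The weights and the 0.35 docstring-ratio threshold are assumptions chosen for illustration.

```python
"""Heuristic scorer for LLM-generation hallmarks in a Python source file.

Added example (not GTIG's code). Signals checked, matching the article:
  - docstrings make up a large share of the file (educational prose),
  - every function documented, with Google-style Args:/Returns: sections,
  - every signature fully type-hinted (uniform "textbook" structure),
  - a CVSS score or vector embedded in what is supposed to be exploit code.
"""
import ast
import re

# "CVSS 9.8", "CVSS v3.1 score: 9.8" and a CVSS:3.x vector prefix.
CVSS_RE = re.compile(r"\bCVSS\b[^\n]{0,20}?(\d{1,2}\.\d)", re.I)
CVSS_VECTOR_RE = re.compile(r"\bCVSS:3\.\d/AV:[NALP]/AC:[LH]/", re.I)

# Constructed sample in the textbook style described in the report.
SAMPLE_LLM_STYLE = '''
"""
Exploit helper module.

Severity: CVSS 9.8 (Critical)
"""
import base64


def build_payload(user: str, token: str) -> bytes:
    """
    Build the request payload.

    Args:
        user: The target username.
        token: The session token observed for the user.

    Returns:
        The payload encoded as bytes, ready for transmission.
    """
    return base64.b64encode(f"{user}:{token}".encode())


def parse_response(body: str) -> bool:
    """
    Determine whether the response indicates success.

    Args:
        body: Raw response body returned by the server.

    Returns:
        True if the marker string is present, False otherwise.
    """
    return "success" in body


def main() -> None:
    """
    Entry point that wires the helpers together for a single run.
    """
    print(parse_response("success"))
'''

# Constructed sample of terse hand-written tooling, for contrast.
SAMPLE_HANDWRITTEN = '''
import base64,sys
def p(u,t): return base64.b64encode((u+":"+t).encode())
def chk(b): return "success" in b
if __name__=="__main__": print(chk(sys.argv[1]))
'''


def _functions(tree):
    return [n for n in ast.walk(tree)
            if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))]


def _fully_annotated(fn) -> bool:
    args = fn.args.args + fn.args.kwonlyargs
    return fn.returns is not None and all(a.annotation is not None for a in args)


def score_source(source: str) -> dict:
    """Return the individual signals plus an aggregate score and verdict."""
    tree = ast.parse(source)
    funcs = _functions(tree)
    docs = [ast.get_docstring(f) or "" for f in funcs]
    doc_chars = len(ast.get_docstring(tree) or "") + sum(len(d) for d in docs)
    signals = {
        "docstring_ratio": round(doc_chars / max(len(source.strip()), 1), 2),
        "all_documented": bool(funcs) and all(docs),
        "tutorial_sections": sum(("Args:" in d) + ("Returns:" in d) for d in docs),
        "all_annotated": bool(funcs) and all(_fully_annotated(f) for f in funcs),
        "cvss_present": bool(CVSS_RE.search(source) or CVSS_VECTOR_RE.search(source)),
    }
    score = 0
    score += 1 if signals["docstring_ratio"] >= 0.35 else 0
    score += 1 if signals["all_documented"] else 0
    score += 1 if signals["tutorial_sections"] >= 2 else 0
    score += 1 if signals["all_annotated"] else 0
    score += 2 if signals["cvss_present"] else 0  # strongest single indicator
    signals["score"] = score
    signals["verdict"] = "likely LLM-generated" if score >= 4 else "no strong indicators"
    return signals


if __name__ == "__main__":
    for label, src in (("llm-style", SAMPLE_LLM_STYLE), ("hand-written", SAMPLE_HANDWRITTEN)):
        print(label, score_source(src))
```

These signals are stylistic, so a well-maintained open-source project will trip several of them; GTIG's attribution rested on the whole context of the script, not any one marker. Treat a high score as a reason to look closer, not as proof.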
Ryan Dewhurst, Head of Threat Intelligence at watchTowr, commented on the evolving threat landscape, stating, “AI is already accelerating vulnerability discovery, reducing the effort needed to identify, validate, and weaponize flaws.” He emphasized that the timelines for discovery, weaponization, and exploitation are compressing, a reality that cybersecurity defenders must confront without exception.
This incident is part of a broader trend where AI is not only amplifying vulnerability exploitation but also enabling the development of advanced malware and autonomous operations. For instance, PromptSpy, an Android malware, has been observed abusing Gemini to analyze on-screen activity and guide malicious app operations, demonstrating a new avenue for device compromise.
PromptSpy: A Multifaceted Android Threat
PromptSpy showcases advanced capabilities designed for persistent device control and data theft. The malware can navigate the Android user interface autonomously, interpreting user activity in real time to decide its next steps via an autonomous agent module. This allows it to adapt and operate with minimal direct human intervention.
Further analysis showed that PromptSpy can capture lock-screen credentials such as PINs or unlock patterns (the secret itself, not biometric data) and replay the corresponding authentication gestures to regain access to a compromised device. It also employs an "AppProtectionDetector" module to thwart uninstallation: the module locates the uninstall button on screen and overlays it with an invisible view, so the button appears unresponsive to the user and the app cannot be removed through the normal UI.
Google noted that PromptSpy is engineered for high operational resilience. Its command-and-control infrastructure, including Gemini API keys and VNC relay servers, can be dynamically updated. This adaptive nature allows adversaries to maintain presence and functionality even if specific components are identified and blocked by security measures.
Broader AI Abuse by Threat Actors
Beyond the zero-day exploit, Google’s report details several other instances of threat actors leveraging AI for malicious purposes:
- A cyber espionage group, identified as UNC2814, reportedly used Gemini while posing as a network security expert, a persona-driven jailbreaking approach, to support vulnerability research on embedded devices.
- The North Korean actor APT45 (also known as Andariel and Onyx Sleet) is said to have sent numerous prompts to AI models to analyze CVEs and validate proof-of-concept exploits.
- A Chinese hacking group, APT27, used Gemini to accelerate development of a fleet management application, likely for managing relay networks.
- Russian-linked intrusion activities targeting Ukrainian organizations deployed AI-enabled malware, CANFAIL and LONGSTREAM, which employed LLM-generated code to disguise malicious functions.
Additionally, a GitHub repository named "wooyun-legacy" has been observed, packaged as a Claude Code skill (plugin). It contains over 5,000 vulnerability cases collected from 2010 to 2016, likely intended to prime LLMs for vulnerability identification and code analysis.
Google also highlighted the use of agentic tools like Hexstrike AI and Strix by a China-aligned threat actor. These tools were deployed in attacks against a Japanese technology firm and a cybersecurity platform, enabling automated discovery with minimal human oversight.
Furthermore, information operations (IO) actors from Russia, Iran, China, and Saudi Arabia are reportedly using AI for common productivity tasks, including research and content creation. China-affiliated threat activity, UNC6201, was noted for using a Python script to automate the registration and cancellation of premium LLM accounts, a tactic to acquire AI capabilities at scale while evading account bans. This process involves professionalized middleware and automated registration pipelines to bypass usage limits and subsidize operations through trial abuse.
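The account-churn tactic attributed above to UNC6201 (register, burn the trial, cancel, repeat) leaves a signature that a platform can look for on its own side: many short-lived accounts sharing a payment fingerprint, a normalised e-mail identity, or a source network. The following is an added detection example, not Google's code and not a description of the actor's pipeline; the account-lifecycle events are constructed, and the field names, the 72-hour lifetime cut-off and the cluster size of three are assumptions.

```python
"""Flag clusters of short-lived trial accounts that share an identity attribute.

Added example with constructed input (not from Google's report). Each line is an
account-lifecycle event; the detector groups accounts that were cancelled soon
after signup by card fingerprint, canonical e-mail and source /24 network.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events. Columns and values are assumptions for the demo.
EVENTS_CSV = """ts,event,account,email,ip,card_fp
2025-01-02T08:00:00,signup,a1,alice.smith+1@gmail.com,203.0.113.10,fp-7d1
2025-01-02T08:05:00,signup,a2,alicesmith+2@gmail.com,203.0.113.11,fp-7d1
2025-01-02T08:09:00,signup,a3,a.lice.smith@gmail.com,203.0.113.12,fp-7d1
2025-01-03T09:00:00,cancel,a1,alice.smith+1@gmail.com,203.0.113.10,fp-7d1
2025-01-03T09:02:00,cancel,a2,alicesmith+2@gmail.com,203.0.113.11,fp-7d1
2025-01-03T09:04:00,cancel,a3,a.lice.smith@gmail.com,203.0.113.12,fp-7d1
2025-01-04T10:00:00,signup,a4,bob@example.org,198.51.100.5,fp-9c2
2025-02-20T10:00:00,cancel,a4,bob@example.org,198.51.100.5,fp-9c2
2025-01-05T11:00:00,signup,a5,carol@example.net,192.0.2.8,fp-0aa
"""


def canonical_email(addr: str) -> str:
    """Collapse plus-tags and (for Gmail) dots so address variants group together."""
    local, _, domain = addr.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local, domain = local.replace(".", ""), "gmail.com"
    return f"{local}@{domain}"


def load_accounts(csv_text: str) -> dict:
    """Fold the event stream into one record per account with signup/cancel times."""
    accounts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        acct = accounts.setdefault(
            row["account"],
            {"email": row["email"], "ip": row["ip"], "card_fp": row["card_fp"]},
        )
        acct[row["event"]] = datetime.fromisoformat(row["ts"])
    return accounts


def find_trial_churn(csv_text: str,
                     max_lifetime: timedelta = timedelta(hours=72),
                     min_cluster: int = 3) -> dict:
    """Return {(attribute, value): [accounts]} for every shared attribute that
    links at least `min_cluster` accounts cancelled within `max_lifetime`."""
    clusters = defaultdict(set)
    for name, a in load_accounts(csv_text).items():
        if "signup" not in a or "cancel" not in a:
            continue  # still active: not churn (yet)
        if a["cancel"] - a["signup"] > max_lifetime:
            continue  # a normal customer who left later
        net = ipaddress.ip_network(f"{a['ip']}/24", strict=False)
        clusters[("card_fp", a["card_fp"])].add(name)
        clusters[("email", canonical_email(a["email"]))].add(name)
        clusters[("net", str(net))].add(name)
    return {k: sorted(v) for k, v in clusters.items() if len(v) >= min_cluster}


if __name__ == "__main__":
    for key, members in find_trial_churn(EVENTS_CSV).items():
        print(key, members)
```

In the constructed data the three Gmail variants, the shared card fingerprint and the shared /24 each independently tie a1, a2 and a3 together, while the long-lived account and the still-active one are left alone. Against a real pipeline that rotates cards and networks, the canonical-e-mail and device-fingerprint keys tend to be the ones that survive; a single key is rarely enough on its own.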
Another China-linked group, UNC5673 (TEMP.Hex), has been observed using publicly available commercial tools and GitHub projects to facilitate scalable LLM abuse.
The Rise of Shadow APIs and AI Supply Chain Risks
Recent findings align with reports of a growing grey market for API relay platforms. These platforms, particularly in China, offer illicit access to AI models like Anthropic Claude and Gemini, routing requests through proxy servers outside mainland China. Services are advertised on Chinese marketplaces, raising concerns about data exfiltration and model manipulation.
Research from CISPA Helmholtz Center for Information Security identified 17 such “shadow APIs” potentially providing unrestricted access to official model services. Their evaluation showed significant accuracy drops, particularly for models like Gemini-2.5-flash, on critical benchmarks like MedQA when accessed through these unofficial channels. These proxy services also pose data privacy risks, as they can capture all prompts and responses, enabling unlawful data acquisition for model fine-tuning and illicit knowledge distillation.
The AI development environment itself is becoming a target, with incidents like TeamPCP (UNC6780) exposing users to supply chain attacks. Adversaries gaining access to an organization’s AI systems could leverage internal models and tools for large-scale data exfiltration or deeper network reconnaissance, broadening the landscape of software supply chain threats.
The increasing weaponization of AI, from zero-day exploit generation to malware development and sophisticated evasion techniques, presents a significant challenge for cybersecurity. The continuous evolution of these AI-driven threats necessitates proactive defense strategies and ongoing vigilance from security researchers and organizations alike. As AI capabilities advance, so too will the methods employed by malicious actors, demanding a dynamic and adaptive approach to cybersecurity.

