SECURITY
Criminal hackers have used artificial intelligence to develop a working zero-day exploit, the first confirmed case of its kind, according to a report released today by Google LLC’s Google Threat Intelligence Group.
The GTIG AI Threat Tracker report details how a criminal group used AI to build a Python-based exploit targeting a two-factor authentication bypass in a popular open-source web-based system administration tool. The actors planned to deploy it in a mass exploitation campaign, but errors in their implementation likely interfered with successful use. Google disclosed the flaw to the vendor and a patch has been issued.
GTIG said it has high confidence that an AI model assisted in the discovery and weaponization of the vulnerability, citing telltale signs in the code, including a hallucinated severity score, textbook Python formatting, detailed help menus and educational docstrings characteristic of training data. The researchers said Google’s Gemini model was not used.
The vulnerability in this case stemmed from a semantic logic flaw where the developer hardcoded a trust assumption, a kind of high-level error that security tools struggle to detect. Frontier large language models excel at identifying these flaws because they can reason about a developer’s intent and surface dormant logic errors that appear functionally correct to traditional scanners.
“There’s a misconception that the AI vulnerability race is imminent. The reality is that it’s already begun. For every zero-day we can trace back to AI, there are probably many more out there,” explains John Hultquist, chief analyst at Google Threat Intelligence Group. “Threat actors are using AI to boost the speed, scale and sophistication of their attacks.”
GTIG said the activity reflects a wider trend, with state-backed groups in China, North Korea and Russia using AI across the full attack chain. Criminal groups are doing the same to build malware faster and run larger operations.
North Korean threat group APT45 has been observed sending thousands of repetitive prompts to recursively analyze vulnerabilities and validate proof-of-concept exploits, building an arsenal that would be impractical to manage without AI assistance. An alleged China-linked actor, UNC2814, used expert-persona jailbreaking to push Gemini into researching pre-authentication remote code execution flaws in TP-Link router firmware and Odette File Transfer Protocol implementations.
Agentic tools are also being folded into operations. A China-nexus actor was observed using the Hexstrike and Strix frameworks alongside the Graphiti memory system to autonomously probe a Japanese technology firm and an East Asian cybersecurity platform, pivoting between reconnaissance tools based on internal reasoning with minimal human oversight.
The report also details PROMPTSPY, an Android backdoor that calls the Gemini application programming interface at runtime to interpret on-screen user interface elements and generate touch coordinates autonomously.
Russia-nexus malware families CANFAIL and LONGSTREAM use AI-generated decoy code to camouflage malicious functionality. Russian actors behind the “Operation Overload” influence campaign used AI voice cloning to impersonate real journalists in fabricated video content targeting Ukraine, France and the U.S.
GTIG also flagged the March compromise of LiteLLM, a popular AI gateway utility, by criminal group TeamPCP. The actor embedded a credential stealer through poisoned packages on PyPI and malicious pull requests, extracting AWS keys and GitHub tokens that were monetized through ransomware partnerships.
To counter the misuse, Google said it is disabling malicious accounts that abuse Gemini and pushing AI defenders such as its Big Sleep vulnerability discovery agent and CodeMender patching tool into wider use.