"For the first time, GTIG has identified a threat actor using a zero-day exploit that we believe was developed with AI," GTIG researchers say.
Google Threat Intelligence Group outlines an AI-assisted zero-day
Researchers at Google Threat Intelligence Group (GTIG) reported a previously unseen pattern: a zero-day exploit targeting a popular open-source, web-based system administration tool that the company did not name. According to GTIG, the exploit was capable of bypassing the tool’s two-factor authentication (2FA) protections. The attack was interrupted before it reached a mass-exploitation phase, and Google notified the software developer to enable timely remediation.
Why GTIG believes an LLM helped weaponize the vulnerability
GTIG cites the structure and content of the Python exploit code as the basis for its assessment. The script, the researchers say, contains an abundance of educational docstrings, a hallucinated CVSS score, and a "structured, textbook Pythonic format" that the team regards as highly characteristic of data present in large language model (LLM) training sets. Google states it has "high confidence" the adversary used an AI model to find and weaponize the vulnerability, while also noting the specific LLM used remains unclear and that Google has ruled out Gemini’s involvement in developing this exploit.
Technical features: semantic logic flaws, docstrings, and automation
GTIG highlights the nature of the underlying software flaw as part of its reasoning: it was a high-level semantic logic bug, the sort of issue AI systems can excel at identifying, rather than a memory-corruption or input-sanitization bug typically uncovered through fuzzing or static analysis. In a separate, related finding, Google describes other malware leveraging LLM-related automation. The company points to the PromptSpy Android backdoor — previously documented by ESET and highlighted again by Google — which integrated with Gemini APIs for autonomous device interaction.
Within PromptSpy, Google found an autonomous agent module named "GeminiAutomationAgent" that uses a hardcoded prompt to assign a benign persona and thereby attempt to bypass an LLM's safety features. The stated role of the prompt was to calculate the geometry of user-interface bounds so the malware could interact with the device. Google also reports that PromptSpy used AI-based capabilities to replay authentication on the device, including lock patterns or PINs.
Other state-aligned and nation-linked actors using AI, per Google
GTIG’s report situates the zero-day incident within a broader pattern of adversaries adopting AI for vulnerability discovery and exploit development. Google names Chinese and North Korean-linked groups — APT27, APT45, UNC2814, UNC5673, and UNC6201 — as actors observed using AI models for those tasks. The company also reports Russia-linked actors employing AI-generated decoy code to obfuscate malware families such as CANFAIL and LONGSTREAM, and it describes an operation codenamed "Overload" in which social-engineering operators used AI-driven voice cloning to impersonate journalists in fake videos promoting an anti-Ukraine narrative.
What this means for open-source maintainers, security teams, and enterprises
- Open-source maintainers: Google’s decision to notify the software developer demonstrates the rapid-notification channel defenders can still use. GTIG’s findings emphasize that flaws in application logic — not just memory or sanitization bugs — can be discovered and weaponized with AI assistance, increasing the urgency for maintainers to review semantic logic and authentication workflows.
- Technologists and security teams: The incident highlights a shift in tooling: exploit code bearing LLM-like hallmarks (docstrings, structured, textbook-style Python) and attacks that target high-level logic rather than low-level memory weaknesses. Teams responsible for detection and incident response will need to consider these new artifacts and the likelihood of automated, AI-assisted account and model access on adversary infrastructure.
- Enterprises and procurement leaders: Google warns that threat actors are industrializing access to premium AI models through automated account creation, proxy relays, and account-pooling infrastructure. Organizations that rely on third-party administration tools and hosted services should factor this increased adversary capability into procurement risk assessments and contractually require timely vulnerability disclosure and patching.
GTIG’s account marks a concrete instance in which Google attributes a zero-day exploit’s development to AI-assisted techniques, and it places that incident within a catalogue of other AI-infused campaigns and tooling. The company’s timely notification to the unnamed project’s developer stopped mass exploitation in this case; the report’s specific technical markers — a textbook-style Python exploit, a hallucinated CVSS score, and the targeting of semantic logic bugs — are now tangible indicators defenders can watch for as adversaries continue to fold AI into their toolchains.
Source: BleepingComputer — Google: Hackers used AI to develop zero-day exploit for web admin tool




