Artificial Intelligence

Google Detects First AI-Generated Zero-Day Exploit

The zero-day was designed to bypass 2FA and it was developed by a prominent cybercrime group.

Zero-day

For the first time, Google has identified a zero-day exploit believed to have been developed using artificial intelligence.

The company published a new report on Monday summarizing its observations on the use of AI in the cyber threat landscape, drawing on data collected recently by Gemini, Google Threat Intelligence Group (GTIG), and Mandiant. 

One of the most notable findings is that a prominent cybercrime group leveraged AI to develop a zero-day exploit designed to bypass two-factor authentication (2FA) on an open source web-based system administration tool. The exploit was implemented in a Python script.

The hacker group and the targeted tool have not been named, but Google said it worked with the impacted vendor to prevent mass exploitation, which appeared to be the threat actor’s plan.

“Although we do not believe Gemini was used, based on the structure and content of these exploits, we have high confidence that the actor likely leveraged an AI model to support the discovery and weaponization of this vulnerability,” Google explained. 

It added, “For example, the script contains an abundance of educational docstrings, including a hallucinated CVSS score, and uses a structured, textbook Pythonic format highly characteristic of LLMs training data (e.g., detailed help menus and the clean _C ANSI color class).”

Advertisement. Scroll to continue reading.

Google highlighted that Chinese and North Korean state-sponsored threat actors have been particularly interested in leveraging AI for vulnerability discovery. 

A China-linked actor was observed deploying agentic tools such as Strix and Hexstrike in attacks targeting a Japanese tech firm and a major East Asian cybersecurity company. 

UNC2814, a Chinese group known for targeting telecoms and government organizations, used a persona-driven jailbreak — in which the AI is instructed to act as a senior security auditor — to enhance vulnerability research on embedded devices, including TP-Link firmware with OFTP implementations. 

According to Google, the North Korean group tracked as APT45 sent out thousands of repetitive prompts to recursively analyze CVEs and validate PoC exploits.

“This results in a more robust arsenal of exploit capabilities that would be impractical to manage without AI assistance,” Google said in its report. 

The full report also covers autonomous malware operations, AI-augmented defense evasion, supply chain attacks, and threat actors pursuing premium access to LLMs.

Related: Google: Half of 2025’s 90 Exploited Zero-Days Aimed at Enterprises

Related: Malicious AI Prompt Injection Attacks Increasing, but Sophistication Still Low: Google

Related: Vulnerability in Claude Extension for Chrome Exposes AI Agent to Takeover

Related Content

Artificial Intelligence

Researchers demonstrate adversarial hallucination squatting against popular AI assistants to achieve remote code execution.

Artificial Intelligence

Two announcements on July 7, 2026, demonstrate the government’s determination to improve the level of cybersecurity within the UK.

Vulnerabilities

Affecting every major distribution since 2011, the Linux kernel vulnerability allows attackers to gain root access.

Artificial Intelligence

Wiz has disclosed the details of a new AI coding assistant attack method it has dubbed GhostApproval.

Artificial Intelligence

The "Rogue Agent" vulnerability could have enabled attackers to silently manipulate AI conversations, exfiltrate data, and compromise every Dialogflow CX agent within the same...

Artificial Intelligence

Researchers show how attackers can use a crafted public GitHub Issue to trick AI-powered workflows into exposing data from private repositories without authentication.

Artificial Intelligence

The audits are reportedly being spearheaded by CISA’s Attack Surface Evaluation team, a specialized unit tasked with conducting digital defense assessments and simulated hacking...

Artificial Intelligence

Attack demonstrates how LLM agents can combine known exploitation techniques with real-time reasoning to automate complex, multi-stage intrusions.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version