Google on Monday disclosed that it identified an unknown threat actor using a zero-day exploit that it said was likely developed with an artificial intelligence (AI) system, marking the first time the technology has been put to use in the wild in a malicious context for vulnerability discovery and exploit generation.
The activity is said to be the work of cybercrime threat actors who appear to have collaborated together to plan what the tech giant described as a “mass vulnerability exploitation operation.”
“Our analysis of exploits associated with this campaign identified a zero-day vulnerability implemented in a Python script that enables the user to bypass two-factor authentication (2FA) on a popular open-source, web-based system administration tool,” Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker News.
The tech giant said it worked with the impacted vendor to responsibly disclose the flaw and get it fixed in order to proactively disrupt the activity. It did not disclose the name of the tool.
Although there is no evidence to suggest that Google’s Gemini AI tool was used to aid the threat actors, GTIG assessed with high confidence that an AI model was weaponized to facilitate the discovery and weaponization of the flaw via a Python script that featured all hallmarks typically associated with large language model (LLM)-generated code.
“For example, the script contains an abundance of educational docstrings, including a hallucinated CVSS score, and uses a structured, textbook Pythonic format highly characteristic of LLMs training data (e.g., detailed help menus and the clean _C ANSI color class),” GTIG added.
The vulnerability, described as a 2FA bypass, requires valid user credentials for exploitation. It stems from a high-level semantic logic flaw arising as a result of a hard-coded trust assumption, something LLMs excel at spotting.
“AI is already accelerating vulnerability discovery, reducing the effort needed to identify, validate, and weaponize flaws,” Ryan Dewhurst, watchTowr’s Head of Threat Intelligence, told The Hacker News in a statement. “This is today’s reality: discovery, weaponization, and exploitation are faster. We’re not heading toward compressed timelines; we’ve been watching the timelines compress for years. There is no mercy from attackers, and defenders don’t get to opt out.”
The development comes as AI is not only acting as a force multiplier for vulnerability disclosure and abuse, but is also enabling attackers to develop polymorphic malware and conduct autonomous malware operations, as observed in the case of PromptSpy, an Android malware that abuses Gemini to analyze the current screen and provide it with instructions to pin the malicious app in the recent apps list.
Further investigation of the backdoor has uncovered a broader set of capabilities to allow the malware to navigate the Android user interface and autonomously monitor and interpret real-time user activity to determine the next course of action using an autonomous agent module.
PromptSpy is also equipped to capture victim biometric data to replay authentication gestures, such as a lock screen PIN or a pattern, to regain access to a compromised device. On top of that, it’s capable of preventing uninstallation by making use of an “AppProtectionDetector” module that identifies the on-screen coordinates of the “Uninstall” button and serves an invisible overlay just over the button to block a victim’s touch events and give the impression that the button is unresponsive.
“While PromptSpy initializes using hardcoded default infrastructure and credentials, the malware is designed with high operational resilience, allowing adversaries to rotate critical components at runtime without redeploying the PromptSpy payload,” Google said.
“Specifically, the malware’s command-and-control (C2) infrastructure, including the Gemini API keys and the VNC relay server, can be updated dynamically via the C2 channel. This configuration model demonstrates the developers anticipated defensive countermeasures and engineered the backdoor to maintain presence even if specific infrastructure endpoints are identified and blocked by defenders.”
Google said it took steps against PromptSpy by disabling all assets related to the malicious activity. No apps containing the malware have been discovered on the Play Store. Some other cases of Gemini-specific abuse spotted by Google are listed below –
- A suspected China-nexus cyber espionage group dubbed UNC2814 prompted Gemini by asking it to assume the role of a network security expert to trigger persona-driven jailbreaking and support vulnerability research into embedded device targets, including TP-Link firmware and Odette File Transfer Protocol (OFTP) implementations.
- The North Korean threat actor known as APT45 (aka Andariel and Onyx Sleet) sent “thousands of repetitive prompts” that recursively analyze different CVEs and validate proof-of-concept (PoC) exploits.
- A Chinese hacking group known as APT27 leveraged Gemini to speed up the development of a fleet management application with an aim to likely manage an operational relay box (ORB) network.
- A cluster of Russia-nexus intrusion activity targeted Ukrainian organizations to deliver AI-enabled malware dubbed CANFAIL and LONGSTREAM, both of which use LLM-generated decoy code to conceal their malicious functionality.
Threat actors have also been found experimenting with a specialized GitHub repository named “wooyun-legacy” that’s designed as a Claude code skill plugin featuring over 5,000 real-world vulnerability cases collected by the Chinese vulnerability disclosure platform WooYun between 2010 and 2016.
“By priming the model with vulnerability data, it facilitates in-context learning to steer the model to approach code analysis like a seasoned expert and identify logic flaws that the base model might otherwise fail to prioritize,” Google explained.
Elsewhere, a suspected China-aligned threat actor is said to have deployed agentic tools like Hexstrike AI and Strix in an attack targeting a Japanese technology firm and a major East Asian cybersecurity platform to conduct automated discovery with minimal human oversight.
Google also said it continues to see information operations (IO) actors from Russia, Iran, China, and Saudi Arabia using AI for common productivity tasks like research, content creation, and localization, even as it called out China-affiliated threat activity from UNC6201 that involved the use of a publicly available Python script to automatically register and immediately cancel premium LLM accounts.
“This process highlights the methods adversaries leverage to procure high-tier AI capabilities at scale while insulating their malicious activity from account bans,” GTIG pointed out.
“Threat actors now pursue anonymized, premium-tier access to models through professionalized middleware and automated registration pipelines to illicitly bypass usage limits. This infrastructure enables large-scale misuse of services while subsidizing operations through trial abuse and programmatic account cycling.”
Another China-linked activity flagged by Google originates from UNC5673 (aka TEMP.Hex), which has employed various publicly available commercial tools and GitHub projects to likely facilitate scalable LLM abuse.
The findings overlap with recent reports about a thriving grey market of API relay platforms that allow local developers in China to illicitly access Anthropic Claude and Gemini. These relay or transfer stations route access to these AI models through proxy servers that are hosted outside mainland China. The services are advertised on Chinese online marketplaces Taobao and Xianyu.
In a study published in March 2026, academics from the CISPA Helmholtz Center for Information Security found 17 shadow APIs that claim to provide access to official model services without regional limitations via indirect access. A performance evaluation of these services uncovered evidence of model substitution, exposing AI applications to unintended safety risks.
“On high-risk medical benchmarks like MedQA, the accuracy of the Gemini-2.5-flash model drops precipitously, from 83.82% with the official API to approximately 37.00% across all examined shadow APIs,” the researchers said in the paper.
What’s more, the proxy services can capture every prompt and response that passes through their servers, providing the operators with unlawful access to a goldmine of data that could then be used for fine-tuning models and conducting illicit knowledge distillation.
In recent months, AI environments have also become the target of adversaries like TeamPCP (aka UNC6780), exposing developers to supply chain attacks and enabling attackers to burrow deeper into compromised networks for follow-on exploitation.
“For example, threat actors with access to an organization’s AI systems could leverage internal models and tools to identify, collect, and exfiltrate sensitive information at scale or perform reconnaissance tasks to move deeper within a network,” Google said. “While the level of access and particular use depends heavily on the organization and the specific compromised dependency, this case study demonstrates the broadened landscape of software supply chain threats to AI systems.”
