On Monday, Google revealed that it had detected an unidentified threat actor using a zero-day exploit that the company believes was likely produced with the help of an artificial intelligence (AI) system. Google describes this as the first known instance of AI being used in the wild for malicious purposes, specifically to discover a vulnerability and generate a working exploit for it.
The campaign is believed to be orchestrated by cybercriminal groups who appear to have joined forces to execute what Google referred to as a “mass vulnerability exploitation operation.”
“Our examination of the exploits linked to this campaign uncovered a zero-day vulnerability embedded in a Python script that allows the user to circumvent two-factor authentication (2FA) on a widely-used, open-source, web-based system administration tool,” stated the Google Threat Intelligence Group (GTIG) in a report provided to The Hacker News.
Google collaborated with the affected vendor to responsibly disclose the flaw and ensure it was patched, aiming to proactively disrupt the malicious activity. The company chose not to reveal the name of the tool in question.
While there is no evidence that Google's own Gemini model was used to assist the threat actors, GTIG assessed with high confidence that an AI model was used to help discover and weaponize the vulnerability. The Python script in question displayed all the typical characteristics of code generated by a large language model (LLM).
“For instance, the script is filled with educational docstrings, includes a fabricated CVSS score, and follows a structured, textbook Pythonic style that is highly indicative of LLM training data (such as detailed help menus and the clean _C ANSI color class),” GTIG elaborated.
The vulnerability is a 2FA bypass that requires valid user credentials to exploit, so it raises the value of stolen or reused passwords rather than granting unauthenticated access. It stems from a high-level semantic logic flaw caused by a hard-coded trust assumption, a class of issue that LLMs are particularly adept at identifying.
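To make the bug class concrete, the following added example (not the undisclosed flaw GTIG found, and not code from the affected tool) shows a minimal login flow in which a hard-coded trust assumption lets an authenticated user skip the second factor, beside the corrected flow. The user record, the "X-Scheduler-Job" header and the simplified HMAC-based one-time code are all assumptions made for this illustration.

```python
import hashlib
import hmac

# Constructed user record for the demo (not real credentials).
USERS = {
    "admin": {
        "pw_hash": hashlib.sha256(b"correct horse battery staple").hexdigest(),
        "otp_secret": b"demo-otp-secret-do-not-use",
    }
}


def check_password(username: str, password: str) -> bool:
    """First factor: constant-time comparison of the supplied password hash."""
    user = USERS.get(username)
    if user is None:
        return False
    supplied = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(supplied, user["pw_hash"])


def expected_otp(secret: bytes, window: int) -> str:
    """Second factor: a 6-digit HMAC-based code per 30-second window.
    A simplified stand-in for TOTP so the example runs offline."""
    mac = hmac.new(secret, str(window).encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def check_otp(username: str, code: str, now: float) -> bool:
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(code, expected_otp(user["otp_secret"], int(now // 30)))


def login_vulnerable(username, password, otp, headers, now) -> str:
    """The bug: a hard-coded trust assumption. Requests tagged as coming from
    the tool's own scheduler are assumed trustworthy and skip the second
    factor, but the tag is just a client-supplied header (hypothetical name)."""
    if not check_password(username, password):
        return "denied"
    if headers.get("X-Scheduler-Job") == "true":  # attacker-controlled input
        return "ok-2fa-skipped"
    if not check_otp(username, otp, now):
        return "denied"
    return "ok"


def login_fixed(username, password, otp, headers, now) -> str:
    """The fix: nothing the client sends can waive the second factor. A real
    service path that must skip it needs its own server-side credential."""
    if not check_password(username, password):
        return "denied"
    if not check_otp(username, otp, now):
        return "denied"
    return "ok"
```

Note that both versions still require the correct password: the flaw only matters to an attacker who already holds valid credentials, which matches the prerequisite GTIG describes.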
“AI is already speeding up the process of vulnerability discovery, minimizing the effort required to identify, validate, and weaponize flaws,” said Ryan Dewhurst, Head of Threat Intelligence at watchTowr, in a statement to The Hacker News. “This is the current reality: discovery, weaponization, and exploitation are happening at a faster pace. We’re not moving toward shorter timelines; we’ve been witnessing these timelines shrink for years. Attackers show no mercy, and defenders cannot afford to opt out.”
This development comes as AI is not only serving as a force multiplier for vulnerability discovery and exploitation but is also enabling attackers to create polymorphic malware and run autonomous malware operations. One example is PromptSpy, an Android malware that uses Gemini to analyze the current screen and receive instructions on how to pin the malicious app in the recent apps list.
Further analysis of the backdoor has revealed a broader range of capabilities, enabling the malware to navigate the Android user interface and autonomously monitor and interpret real-time user activity to determine its next steps using an autonomous agent module.

PromptSpy is also designed to capture victims’ biometric data to replicate authentication gestures, such as a lock screen PIN or pattern, to regain access to a compromised device. Additionally, it can prevent uninstallation by utilizing an “AppProtectionDetector” module that identifies the on-screen coordinates of the “Uninstall” button and places an invisible overlay over it to block the victim’s touch inputs, making the button appear unresponsive.
“Although PromptSpy initializes with hardcoded default infrastructure and credentials, the malware is built with high operational resilience, allowing attackers to rotate critical components at runtime without needing to redeploy the PromptSpy payload,” Google explained.
“Specifically, the malware’s command-and-control (C2) infrastructure, including the Gemini API keys and the VNC relay server, can be updated dynamically through the C2 channel. This configuration model shows that the developers anticipated defensive measures and engineered the backdoor to maintain its presence even if specific infrastructure endpoints are identified and blocked by defenders.”
Google stated that it took action against PromptSpy by disabling all assets associated with the malicious activity. No apps containing the malware have been found on the Play Store. Other instances of Gemini-specific abuse detected by Google include:
- A suspected China-linked cyber espionage group known as UNC2814 prompted Gemini by asking it to act as a network security expert to trigger persona-driven jailbreaking and assist in vulnerability research targeting embedded devices, including TP-Link firmware and Odette File Transfer Protocol (OFTP) implementations.
- The North Korean threat actor identified as APT45 (also known as Andariel and Onyx Sleet) sent “thousands of repetitive prompts” to recursively analyze various CVEs and validate proof-of-concept (PoC) exploits.
- A Chinese hacking group called APT27 used Gemini to accelerate the development of a fleet management application, likely intended to manage an operational relay box (ORB) network.
- A cluster of Russia-linked intrusion activity targeted Ukrainian organizations to deliver AI-powered malware named CANFAIL and LONGSTREAM, both of which employ LLM-generated decoy code to disguise their malicious functions.
Threat actors have also been found experimenting with a specialized GitHub repository called "wooyun-legacy," designed as a Claude Code skill plugin containing over 5,000 real-world vulnerability cases collected by the Chinese vulnerability disclosure platform WooYun between 2010 and 2016.

“By priming the model with vulnerability data, it enables in-context learning to guide the model to approach code analysis like a seasoned expert and identify logic flaws that the base model might otherwise overlook,” Google explained.
Additionally, a suspected China-aligned threat actor is reported to have deployed agentic tools such as Hexstrike AI and Strix in an attack targeting a Japanese technology company and a major East Asian cybersecurity platform, conducting automated discovery with minimal human intervention.
Google also noted that it continues to observe information operations (IO) actors from Russia, Iran, China, and Saudi Arabia using AI for common productivity tasks like research, content creation, and localization. It also highlighted China-affiliated threat activity from UNC6201 that involved the use of a publicly available Python script to automatically register and immediately cancel premium LLM accounts.
“This process highlights the methods adversaries leverage to procure high-tier AI capabilities at scale while insulating their malicious activity from account bans,” GTIG pointed out.
“Threat actors now pursue anonymized, premium-tier access to models through professionalized middleware and automated registration pipelines to illicitly bypass usage limits. This infrastructure enables large-scale misuse of services while subsidizing operations through trial abuse and programmatic account cycling.”
Another China-linked activity flagged by Google originates from UNC5673 (aka TEMP.Hex), which has employed various publicly available commercial tools and GitHub projects to likely facilitate scalable LLM abuse.
The findings overlap with recent reports about a thriving grey market of API relay platforms that allow local developers in China to illicitly access Anthropic Claude and Gemini. These relay or transfer stations route access to these AI models through proxy servers that are hosted outside mainland China. The services are advertised on Chinese online marketplaces Taobao and Xianyu.
In a study published in March 2026, academics from the CISPA Helmholtz Center for Information Security found 17 shadow APIs that claim to provide indirect, region-unrestricted access to official model services. A performance evaluation of these services uncovered evidence of model substitution, exposing AI applications that depend on them to unintended safety risks.
“On high-risk medical benchmarks like MedQA, the accuracy of the Gemini-2.5-flash model drops precipitously, from 83.82% with the official API to approximately 37.00% across all examined shadow APIs,” the researchers said in the paper.
What’s more, the proxy services can capture every prompt and response that passes through their servers, providing the operators with unlawful access to a goldmine of data that could then be used for fine-tuning models and conducting illicit knowledge distillation.
In recent months, AI environments have also become the target of adversaries like TeamPCP (aka UNC6780), exposing developers to supply chain attacks and enabling attackers to burrow deeper into compromised networks for follow-on exploitation.
“For example, threat actors with access to an organization’s AI systems could leverage internal models and tools to identify, collect, and exfiltrate sensitive information at scale or perform reconnaissance tasks to move deeper within a network,” Google said. “While the level of access and particular use depends heavily on the organization and the specific compromised dependency, this case study demonstrates the broadened landscape of software supply chain threats to AI systems.”