Google Threat Intelligence Group (GTIG) has confirmed what the security community has dreaded since generative AI went mainstream: threat actors deployed a real-world zero-day exploit developed with help from an LLM, intended for a mass exploitation campaign. The criminal group targeted a popular open-source web-based system administration tool with a Python script that bypassed two-factor authentication. GTIG worked with the vendor to responsibly disclose the vulnerability and disrupt the operation before damage was done.

The exploit itself is textbook evidence of how frontier LLMs excel at finding high-level semantic logic flaws. Rather than exploiting memory corruption or an input sanitization error, the bread and butter of traditional fuzzers and static analysis tools, this zero-day relied on a hardcoded trust assumption that contradicted the application's own 2FA enforcement logic. GTIG researchers noted that while conventional scanners optimize for crashes and sinks, LLMs can perform contextual reasoning to surface dormant logic errors that look functionally correct but are broken from a security standpoint. The vulnerability required valid user credentials as a prerequisite, making it a privilege escalation vector rather than an initial access vector.

GTIG's confidence that an AI model was used stems from forensic analysis of the exploit code itself. The Python script contains what researchers describe as "an abundance of educational docstrings," including a hallucinated CVSS score, an artifact a human exploit author has no reason to write. The structure follows textbook, highly organized Pythonic formatting with detailed help menus and clean ANSI color classes that closely mirror patterns found in LLM training data.
While GTIG doesn't believe Gemini specifically was used, the code's characteristics align so strongly with AI-generated output that researchers have high confidence a large language model played a role in both discovery and weaponization.

State-sponsored actors are equally invested in AI-augmented vulnerability research, and they are taking more sophisticated approaches than their criminal counterparts. Threat clusters associated with the People's Republic of China (PRC) and the Democratic People's Republic of Korea (DPRK) have been observed using persona-driven jailbreaking, directing models to act as senior security auditors or binary security experts to extract focused assistance. One notable technique involves a GitHub repository called "wooyun-legacy," a Claude Code skill plugin containing over 85,000 real-world vulnerability cases from the Chinese bug bounty platform WooYun (2010–2016). By priming models with this distilled knowledge base, threat actors enable in-context learning that steers the model toward identifying logic flaws the way a seasoned expert would. APT45 has been observed sending thousands of recursive prompts analyzing different CVEs and validating proof-of-concept exploits at scale, workloads "impractical to manage without AI assistance."
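To make the vulnerability class from the opening concrete, here is an added illustration written for this page. It is not the administration tool's code, not the disclosed flaw, and not the actor's script; every name in it (the `X-Internal-Tool` header, `login_vulnerable`, `login_hardened`, the demo user and secret) is hypothetical. The vulnerable version has the shape GTIG describes: a hardcoded trust shortcut that a memory-safety fuzzer would never flag because nothing crashes, yet it contradicts the application's own 2FA policy, and, as in the real case, it still requires a valid password first.

```python
"""
A 2FA 'hardcoded trust assumption' logic flaw next to its fix.
Added illustration with hypothetical names: not the admin tool's code, not the
disclosed vulnerability and not the actor's script. Only the flaw class is real.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class User:
    name: str
    password_hash: str
    totp_secret: Optional[bytes]  # None means the user has not enrolled 2FA

@dataclass
class LoginRequest:
    username: str
    password: str
    totp_code: Optional[str] = None
    headers: Dict[str, str] = field(default_factory=dict)  # attacker-controlled

def hash_password(password: str) -> str:
    # Toy hash for the example; a real system uses a slow, salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the common authenticator-app default."""
    digest = hmac.new(secret, struct.pack(">Q", int(at // step)), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def verify_totp(secret: bytes, code: str, at: float, window: int = 1) -> bool:
    """Accept the current step plus or minus `window` steps to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, at + k * 30), code)
               for k in range(-window, window + 1))

def _password_ok(users: Dict[str, User], req: LoginRequest) -> Optional[User]:
    user = users.get(req.username)
    if user is None or not hmac.compare_digest(user.password_hash, hash_password(req.password)):
        return None
    return user

# Hypothetical legacy shortcut: clients sending this header were treated as
# "already trusted" before 2FA existed, and the shortcut was never removed.
TRUSTED_CLIENT_HEADER = "X-Internal-Tool"

def login_vulnerable(users: Dict[str, User], req: LoginRequest, at: float) -> bool:
    user = _password_ok(users, req)
    if user is None:
        return False
    # Logic flaw: request-controlled data decides whether 2FA applies, so anyone
    # holding a valid password skips the second factor by adding one header.
    if req.headers.get(TRUSTED_CLIENT_HEADER) == "1":
        return True
    if user.totp_secret is not None:
        return req.totp_code is not None and verify_totp(user.totp_secret, req.totp_code, at)
    return True

def login_hardened(users: Dict[str, User], req: LoginRequest, at: float) -> bool:
    user = _password_ok(users, req)
    if user is None:
        return False
    # Only the server-side enrollment record decides whether 2FA is required.
    if user.totp_secret is not None:
        return req.totp_code is not None and verify_totp(user.totp_secret, req.totp_code, at)
    return True

# Constructed demo data: one enrolled user and a fixed clock for determinism.
USERS = {"alice": User("alice", hash_password("correct horse"), b"0123456789abcdef0123")}
NOW = 1_700_000_000.0

def demo() -> Dict[str, bool]:
    """Run the same requests through both implementations."""
    secret = USERS["alice"].totp_secret
    header_only = LoginRequest("alice", "correct horse", headers={TRUSTED_CLIENT_HEADER: "1"})
    good_code = LoginRequest("alice", "correct horse", totp_code=totp(secret, NOW))
    wrong_code = LoginRequest("alice", "correct horse", totp_code="12345")  # wrong length, never valid
    return {
        "vulnerable_header_bypass": login_vulnerable(USERS, header_only, NOW),  # True: 2FA skipped
        "hardened_header_bypass": login_hardened(USERS, header_only, NOW),  # False
        "hardened_good_code": login_hardened(USERS, good_code, NOW),  # True
        "hardened_wrong_code": login_hardened(USERS, wrong_code, NOW),  # False
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The point of the comparison is that nothing in `login_vulnerable` is "broken" in the sense a crash-oriented tool measures: every input is validated, every type is right, and the function returns a boolean. The defect is that a piece of request-controlled data participates in a decision the application's own policy says belongs to the server-side enrollment record alone, which is exactly the kind of contradiction a model reasoning over the whole file can spot by reading intent rather than sinks.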
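The authorship markers GTIG cites are things an analyst can check mechanically as a first pass over a recovered script. The code below is an added example, not GTIG's tooling: it parses a constructed, LLM-styled Python sample (embedded here, not the real exploit) with the standard library `ast` module and reports the indicators the report names, namely docstring density, an ANSI color class, argparse help text and a CVSS score asserted in prose, plus functions that are defined but never referenced, the inert-filler pattern the report describes in other samples. Treat the output as a triage signal for human review, not as proof of AI authorship.

```python
"""
Heuristic triage for LLM-style authorship artifacts in a Python script.
Added example, not GTIG's tooling. The indicators are weak signals for
prioritising analyst review, not attribution.
"""
import ast
import re
from typing import List

ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")              # ESC[...m color sequence
CVSS_RE = re.compile(r"\bCVSS\b[^\n]*?(\d{1,2}\.\d)")  # crude: 'CVSS ... 9.8'

# Constructed sample in the style the report describes (not the real exploit).
SAMPLE_LLM_STYLE = r'''"""
Proof-of-concept checker for a hypothetical 2FA weakness.

CVSS Score: 9.8 (Critical)
"""
import argparse


class Colors:
    """ANSI color codes for pretty terminal output."""
    RED = "\033[91m"
    GREEN = "\033[92m"
    RESET = "\033[0m"


def build_parser():
    """Build the command line parser.

    Returns:
        argparse.ArgumentParser: the configured parser.
    """
    parser = argparse.ArgumentParser(description="Check a target")
    parser.add_argument("--target", required=True, help="Target base URL")
    parser.add_argument("--user", required=True, help="Valid username")
    return parser


def legacy_banner():
    """Print the old banner (kept for compatibility, currently unused)."""
    print(Colors.RED + "legacy" + Colors.RESET)


def main():
    """Entry point: parse arguments and print a banner."""
    args = build_parser().parse_args()
    print(Colors.GREEN + "Starting against " + args.target + Colors.RESET)
'''

# Constructed terse sample with none of the indicators.
SAMPLE_TERSE = "import sys\n\ndef main(x):\n    return x * 2\n"

def llm_style_indicators(source: str) -> List[str]:
    """Return human-readable indicator strings found in `source` (empty if none)."""
    tree = ast.parse(source)
    findings: List[str] = []

    # 1. Docstring density across every def and class.
    defs = [n for n in ast.walk(tree)
            if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef))]
    documented = [n for n in defs if ast.get_docstring(n)]
    if defs and len(documented) / len(defs) >= 0.8:
        findings.append(f"docstring on {len(documented)}/{len(defs)} defs")

    # 2. A class whose assignments are all string constants holding ESC[..m.
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef):
            values = [s.value.value for s in node.body
                      if isinstance(s, ast.Assign) and isinstance(s.value, ast.Constant)
                      and isinstance(s.value.value, str)]
            if values and all(ANSI_RE.search(v) for v in values):
                findings.append(f"ANSI color class {node.name}")

    # 3. Calls carrying a help= keyword, the argparse 'help menu' pattern.
    helps = sum(1 for n in ast.walk(tree) if isinstance(n, ast.Call)
                and any(k.arg == "help" for k in n.keywords))
    if helps:
        findings.append(f"{helps} argparse help strings")

    # 4. A CVSS score asserted in docstrings or comments.
    texts = [ast.get_docstring(tree) or ""] + [ast.get_docstring(n) or "" for n in defs]
    texts.append("\n".join(l for l in source.splitlines() if l.lstrip().startswith("#")))
    for text in texts:
        m = CVSS_RE.search(text)
        if m:
            findings.append(f"CVSS score claimed in text: {m.group(1)}")
            break

    # 5. Module-level functions never referenced anywhere (inert filler).
    referenced = {n.id for n in ast.walk(tree) if isinstance(n, ast.Name)}
    referenced |= {n.attr for n in ast.walk(tree) if isinstance(n, ast.Attribute)}
    inert = [n.name for n in tree.body if isinstance(n, ast.FunctionDef)
             and n.name != "main" and n.name not in referenced]
    if inert:
        findings.append("never-referenced functions: " + ", ".join(inert))
    return findings

if __name__ == "__main__":
    for label, src in (("llm-style", SAMPLE_LLM_STYLE), ("terse", SAMPLE_TERSE)):
        print(label, llm_style_indicators(src) or ["no indicators"])
```

Any one of these signals on its own is meaningless; a careful human can write documented, colorized, argparse-driven tooling too. What made GTIG's call was the combination, in an exploit script where none of it serves the attacker, and in particular a score that was simply wrong. Scoring the combination rather than any single hit is the right way to use a heuristic like this.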
Autonomous Malware: PROMPTSPY and the Agentic Future
The zero-day exploit represents one end of the AI-threat spectrum, but Google's report also details how adversaries are pushing toward autonomous attack orchestration. PROMPTSPY, an Android backdoor first identified by ESET, integrates with Gemini's API so that its payloads act on their own: synthesizing system state, navigating UI elements, and executing commands without human supervision. The malware contains a module called "GeminiAutomationAgent" that assigns benign personas to bypass safety filters while requesting the spatial calculations needed to target specific interface coordinates. PROMPTSPY serializes the device's UI hierarchy via the Accessibility API and sends it to Google's gemini-2.5-flash-lite model, which returns structured JSON responses dictating an action type (such as CLICK or SWIPE) and the coordinates for gestures that simulate human interaction. The user goal isn't hardcoded in the initial prompts but supplied dynamically, suggesting the architecture supports multiple exploitation objectives. Perhaps most concerning: if victims attempt to uninstall PROMPTSPY, an "AppProtectionDetector" module renders invisible overlays over the Uninstall button, silently intercepting touch events so the interface appears unresponsive. No apps containing PROMPTSPY are on Google Play, and Google Play Protect shields users by default.
AI-Powered Obfuscation and Defense Evasion
Beyond direct exploitation, threat actors are leveraging LLMs to defeat security tooling through intelligent obfuscation. APT27, a PRC-nexus group in Mandiant's naming, has used Gemini to accelerate development of ORB (operational relay box) network management applications, complete with a hardcoded "maxHops" parameter set to 3, a hallmark of multi-hop anonymization networks rather than single-hop VPNs. Separately, Russia-nexus intrusion activity targeting Ukrainian organizations deploys CANFAIL and LONGSTREAM malware containing LLM-generated decoy code designed to camouflage malicious functionality. Researchers found developer comments explicitly describing which blocks weren't used, filler content likely generated because the threat actor requested outputs padded with large amounts of inert code for obfuscation.
The Defensive Side: AI Fighting Back
Google's report doesn't sugarcoat the threat landscape, but it emphasizes that defenders wield the same tools. GTIG highlighted proactive measures including Big Sleep, an AI agent designed to identify software vulnerabilities before adversaries do, and CodeMender, which leverages Gemini's reasoning capabilities to automatically patch discovered flaws. "Attackers rarely shy away from experimentation and innovation," Google noted, "but neither do we." The company disables malicious accounts on Gemini and employs enhanced safeguards across its product suite—scaled protections that threat actors must actively circumvent just to access the models they depend on.
Key Takeaways
- GTIG confirmed the first documented real-world AI-assisted zero-day: a 2FA bypass targeting an open-source admin tool, disrupted before deployment
- The exploit abused a semantic logic flaw (a hardcoded trust assumption) rather than memory corruption, precisely the vulnerability class LLMs excel at finding
- Forensic evidence of AI involvement includes hallucinated CVSS scores, educational docstrings, and structured Pythonic formatting patterns
- PRC/DPRK actors are using sophisticated AI workflows including specialized vulnerability databases like wooyun-legacy (85K+ cases) and agentic tools like OpenClaw and OneClaw
- PROMPTSPY Android backdoor demonstrates autonomous attack orchestration via Gemini integration—malware that navigates UI and evades uninstallation independently
The Bottom Line
This is the moment we've been hurtling toward since LLMs started writing code: AI-generated zero-days aren't theoretical anymore. Google's catch is a warning shot, but it's also proof that defenders can play this game—the question isn't whether AI will be weaponized for exploits, it's who masters the tooling first.