Google’s Threat Intelligence Group (GTIG) has published an alarming Q2 2026 report revealing a watershed moment in cybersecurity: a cybercriminal syndicate has successfully weaponized generative artificial intelligence to develop a working zero-day exploit entirely without human reverse engineering. The findings mark a significant escalation in the industrialization of AI-assisted attacks.
AI Writes a Working Zero-Day From Scratch
The most striking discovery in the GTIG report is the case of a cybercrime group that collaborated to plan a mass exploitation campaign against a popular open-source web-based system administration tool. The weapon they built was a Python script capable of bypassing two-factor authentication — and analysis of the code strongly suggests it was entirely AI-generated.
The telltale signs were unmistakable: an abundance of educational docstrings, a hallucinated CVSS score, and a clean “textbook Pythonic” structure characteristic of large language model outputs. Crucially, the flaw itself was not a memory corruption bug or an input sanitization failure — it was a high-level semantic logic vulnerability, a hardcoded trust assumption in the 2FA enforcement logic that traditional static analysis tools and fuzzers would likely have missed entirely.
GTIG responsibly disclosed the vulnerability to the impacted vendor and disrupted the operation before it could be executed at scale. The incident represents a qualitative leap: frontier LLMs are uniquely capable of identifying exactly this category of high-level logic flaw, where security tools built around known vulnerability patterns simply fall short.
Nation-State Actors Scale AI-Assisted Reconnaissance
Beyond cybercrime groups, GTIG observed PRC- and DPRK-linked threat actors systematically leveraging AI to discover vulnerabilities at scale:
- UNC2814 (PRC-linked) employed expert “persona-driven” jailbreaking, prompting Gemini to act as a senior C/C++ binary security expert to probe TP-Link firmware and OFTP implementations.
- APT45 (DPRK) sent thousands of repetitive, automated prompts to recursively analyze CVEs and validate proof-of-concept exploits, producing an AI-augmented arsenal that would be operationally impractical to build without AI assistance.
- APT27 (PRC) used Gemini to accelerate development of a fleet management application for an operational relay box (ORB) network, designed to obfuscate intrusion origins with a hardcoded “maxHops=3” and mobile device type spoofing.
PROMPTSPY: Android Malware Powered by Gemini
One of the most alarming discoveries is PROMPTSPY, an Android backdoor first identified by ESET that integrates Google’s Gemini API directly into its execution flow. PROMPTSPY’s “GeminiAutomationAgent” module serializes the device’s visible UI hierarchy into XML, sends it to Gemini’s gemini-2.5-flash-lite model, and receives structured JSON commands — including CLICK and SWIPE gestures — to autonomously navigate the victim’s device without human involvement.
The malware can also capture biometric data, deploy invisible overlays to block uninstallation, and dynamically rotate its C2 infrastructure and Gemini API keys at runtime to evade defenders. Google has since disabled all assets associated with PROMPTSPY, and no infected apps have been found on Google Play.
AI-Powered Obfuscation in Malware
Russia-nexus threat actors targeting Ukrainian organizations have deployed AI-enabled malware families, notably CANFAIL and LONGSTREAM, that use LLM-generated “decoy logic” to camouflage malicious functionality. LONGSTREAM contains 32 instances of redundant daylight saving time queries interspersed throughout its code — a pattern designed to appear benign to static analyzers.
Another family, HONESTCUE, interacts with the Gemini API in real time to request just-in-time VBScript obfuscation, defeating signature-based detection dynamically. This represents a fundamental shift: malware is no longer static — it can evolve its evasion techniques on demand.
AI Account Abuse at Industrial Scale
State-sponsored and cybercriminal groups are no longer relying on simple API access — they are building professionalized middleware ecosystems to bypass AI safety guardrails and billing constraints. PRC-linked UNC6201 was observed using a GitHub Python script that automates premium LLM account registration, CAPTCHA bypassing, SMS verification, and immediate cancellation to cycle free credits. UNC5673 deployed tools like “Claude-Relay-Service” and “CLI-Proxy-API” to pool multiple Gemini, Claude, and OpenAI accounts simultaneously.
Perhaps most concerning, the cybercrime group TeamPCP executed coordinated supply chain compromises of GitHub repositories linked to the Trivy vulnerability scanner, Checkmarx, LiteLLM, and BerriAI in late March 2026, embedding a credential stealer to harvest AWS keys and GitHub tokens from CI/CD build environments.
What Organizations Should Do
GTIG’s findings carry immediate implications for defenders. Organizations must urgently audit CI/CD pipelines, GitHub tokens, and AI dependency chains as LLM-integrated environments become primary targets. Key recommended actions include:
- Audit all AI API credentials and rotate keys for any services exposed in CI/CD environments
- Monitor for unusual LLM API usage patterns, particularly automated bulk querying
- Deploy behavioral detection rules specifically tuned for AI-assisted reconnaissance patterns
- Treat AI gateway utilities (LiteLLM and similar) as high-value targets requiring additional hardening
- Ensure mobile device management solutions are equipped to detect AI-navigated malware like PROMPTSPY
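The bulk-querying check recommended above can be prototyped against LLM gateway logs. The following is an added example, not code from GTIG's report: it flags API keys whose busiest five-minute window is both high-volume and dominated by a single prompt template. The JSON field names (ts, key_id, prompt), the thresholds and the sample log lines are assumptions constructed for illustration.

```python
import json
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def template(prompt):
    # Collapse digits and whitespace so prompts differing only by an ID match.
    return re.sub(r"\s+", " ", re.sub(r"\d+", "<N>", prompt.lower())).strip()

def find_bulk_query_keys(log_lines, window=timedelta(minutes=5),
                         min_requests=20, min_template_share=0.8):
    """Map key_id -> (peak requests in window, top template share) for keys
    whose busiest window is high-rate and dominated by one prompt template."""
    by_key = defaultdict(list)
    for line in log_lines:
        try:
            rec = json.loads(line)
            ts = datetime.fromisoformat(rec["ts"])
            by_key[rec["key_id"]].append((ts, template(rec["prompt"])))
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip malformed records rather than abort the scan
    flagged = {}
    for key_id, events in by_key.items():
        events.sort(key=lambda e: e[0])
        start, peak, span = 0, 0, (0, 0)
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > peak:
                peak, span = end - start + 1, (start, end + 1)
        if peak < min_requests:
            continue
        top = Counter(t for _, t in events[span[0]:span[1]]).most_common(1)[0][1]
        if top / peak >= min_template_share:
            flagged[key_id] = (peak, round(top / peak, 2))
    return flagged

def constructed_sample():
    """Constructed log lines: one scripted key, one interactive key, one bad line."""
    t0 = datetime(2026, 1, 1, 9, 0, 0)
    def rec(key, dt, prompt):
        return json.dumps({"ts": (t0 + dt).isoformat(), "key_id": key, "prompt": prompt})
    lines = [rec("key-automation", timedelta(seconds=4 * i),
                 f"Analyze item {1000 + i} and summarize") for i in range(40)]
    lines += [rec("key-analyst", timedelta(minutes=7 * i), p) for i, p in
              enumerate(["Draft an email", "Explain this stack trace", "Summarize notes"])]
    return lines + ["not json"]

if __name__ == "__main__":
    print(find_bulk_query_keys(constructed_sample()))
```

Both conditions must hold before a key is flagged, so a legitimate high-volume integration with varied prompts is not reported on rate alone; tune the thresholds against a baseline of normal traffic.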
Google itself is putting AI to work on the defensive side, using its Big Sleep agent to identify software vulnerabilities and the CodeMender AI agent to automatically patch them. The AI security arms race is now fully underway, and organizations that fail to adapt their threat models risk falling behind a rapidly evolving adversarial landscape.