Back to Home

AI zero-day: Google discovers machine-created exploit

Google Threat Intelligence Group recorded the first ever case of an AI-created zero-day exploit in a real criminal scheme targeting the bypass of two-factor authentication. The code contained artifacts characteristic of LLMs, including a hallucinated CVSS score. The incident marks a shift to attacks with semantic vulnerabilities invisible to traditional scanners.

Google caught the first AI-created zero-day: how machine code hacked 2FA
Advertisement 728x90

Google Confirms First Case of Zero-Day Vulnerabilities Discovered Using AI for Criminal Purposes

Google's GTIG AI Threat Tracker report documented the first criminal exploit created with AI that bypassed two-factor authentication. It also identified autonomous Android malware leveraging Gemini.


AI learned to break systems: how Google caught the first machine-created zero-day, and why this is just the beginning

The Bottom Line: What's Really Happening

May 12, 2026, will go down in cybersecurity textbooks as the day detective fiction became reality. Google's Threat Intelligence Group published a report documenting the first confirmed case of a zero-day exploit created using artificial intelligence—not in a lab, not as an experiment, but within an active criminal scheme targeting mass exploitation of a vulnerability in an open-source system administration tool.

Google AdInline article slot

The story is both mundane and alarming. An unnamed criminal group—with a history of high-profile intrusions—used a large language model to find and exploit a vulnerability that allowed bypassing two-factor authentication. The exploit was intended to form the basis of a "mass exploitation event," but Google intervened in time: the vulnerability was disclosed to the developer, and a patch was released before the attack began.

Why Google is confident that AI wrote the code, not a human, is key. The Python script contained "educational" docstrings in a textbook style, structured comments typical of LLM outputs, and—most tellingly—a hallucinated CVSS score that the model invented rather than pulling from a real database. A human researcher doesn't write such artifacts. It's the machine's signature.

Timeline and Context

The events of May 2026 did not arise in a vacuum. They were preceded by months of escalation on all fronts.

Google AdInline article slot

August 2025: ESET discovers PromptLock—the first ever AI-driven ransomware using generative models to adapt demands to the victim. The industry sees GenAI not as a development tool but as part of the malware's executable code.

January 2026: The first samples of the Android trojan VNCSpy are uploaded to VirusTotal from Hong Kong. The code is still primitive—a classic VNC backdoor without an AI component.

February 2026: Just a month later, a qualitative leap. PromptSpy emerges, an evolution of VNCSpy, with a built-in module for interacting with Gemini. The malware now uses Google's API to interpret the infected device's interface and autonomously navigate the screen. ESET detects samples uploaded from Argentina. The mechanism works like this: the trojan takes an XML dump of the screen, sends it to Gemini with the instruction "you are an Android automation assistant," receives a JSON response with touch coordinates, and executes them. The cycle repeats until the task is completed.

Google AdInline article slot

In parallel, Google publishes its February GTIG report, which for the first time documents that state-sponsored groups from the DPRK and PRC use AI in all phases of attacks—from reconnaissance to post-compromise. North Korea's APT45 runs thousands of exploits through AI for validation and arsenal scaling.

March 2026: The TeamPCP group compromises LiteLLM—a popular gateway library for working with LLMs—through poisoned PyPI packages and malicious pull requests. AWS and GitHub credentials are stolen and monetized through ransomware partnerships. This is a new vector: attacking not the model itself, but the integration layer around it.

May 2026: The GTIG report, published on May 12, crystallizes the picture. Besides the zero-day, it documents: the use of agentic tools like OpenClaw by the Chinese group UNC2814 for continuous scanning of a Japanese technology company; persona-driven jailbreaks to extract pre-auth RCE vulnerabilities in TP-Link firmware from LLMs; Russian influence operations with synthetic audio embedded into real news broadcasts.

These are no longer isolated incidents but a pattern.

Who Wins and Who Loses

The losers—obviously—are all those who administer web infrastructure. The window between vulnerability disclosure and the start of attacks is disappearing. Fortinet, in a parallel report, notes that exploitation attempts now begin within 24-48 hours of disclosure, compared to an average of 4.76 days before. Over the past year, the number of ransomware victims increased by 389%—from 1,600 to 7,831. This is a world where patching must happen on the day of CVE publication, not within a weekly SLA.

The open-source ecosystem loses. The attack targeted an open-source administration tool. The semantic vulnerability that AI found was a logical flaw where the developer embedded an assumption of trust into the authentication flow, creating a contradiction with 2FA logic. Traditional scanners look for buffer overflows and race conditions. They don't read code like a human. LLMs read it exactly that way—and find errors in intent, not syntax.

Phone manufacturers lose. PromptSpy doesn't need specific coordinates to press the "pin to memory" button on Android. It asks Gemini, and the model understands: on Samsung, app locking is done with a long tap; on Xiaomi, a swipe down; on Pixel, a lock icon. The same malware works on all devices.

Google wins. Ironically, the company whose Gemini model PromptSpy exploits benefits from the entire situation. GTIG builds reputational capital by demonstrating the ability to intercept AI-driven attacks at an early stage. Protection tools like Big Sleep for vulnerability discovery and CodeMender for automatic patching gain evidence of demand.

Attackers ready for automation win. Fortinet notes: brute-force attempts decreased by 22%, but exploitation attempts increased by 25.49%. This is not a decline in activity but a shift from quantity to quality. Access to tools like WormGPT, FraudGPT, and HexStrike AI lowers the entry barrier, and data stolen by infostealers (RedLine, Lumma, Vidar)—now 67% of all datasets sold on the dark web—provides fuel for targeted attacks.

What the Media Isn't Saying

Insight one: the vulnerability is not technical but semantic—and that's the core problem. For all thirty years of the cybersecurity industry, we have built defenses around finding syntax errors. Fuzzers look for crashes. Static analyzers look for patterns. Neither notices a logical contradiction between the programmer's intent and the implementation. LLMs notice—because they see semantics, context, intent. This means that in any project with a history longer than five years, there are unnoticed logical vulnerabilities that no traditional tool can see. The AI-discovered zero-day is not an exception; it's the start of a gold rush.

Insight two: the use of AI for criminal purposes makes malware unpredictable, and therefore invisible to antivirus. Traditional antivirus looks for signatures, behavioral patterns, known sequences of API calls. But if each instance of PromptSpy dynamically makes decisions based on LLM responses, its behavior varies within limits not covered by any conceivable rule base. ESET caught PromptSpy due to a debug flag in the code. Next time, the flag will be removed, and detection will become an order of magnitude harder.

Insight three: the target is not the tool but the AI itself. The TeamPCP LiteLLM attack reveals a new threat model. Compromising a gateway library allows intercepting credentials of everyone using LLMs through that tool. This is a supply-chain attack on the infrastructure around models. If an attacker gains access to an LLM provider's API keys, they can use someone else's paid subscription to scale their own attacks, completely hiding their tracks. GTIG explicitly states: attackers are developing professional middleware for anonymous access to premium models with automatic account rotation.

Insight four: the first documented zero-day is a mistake by the criminals, not a triumph of defense. Google found the exploit due to artifacts of inexperience: a hallucinated CVSS, "educational" comments. Subsequent iterations will not contain these markers. Cases of using OpenClaw for refining AI-generated exploits in controlled environments before deployment have already been documented. This is industrialization: the LLM writes a draft, a human reviews and cleans up artifacts.

Forecast: The Next 30 Days and 90 Days

30 days (until mid-June 2026). The publication of Google's report will trigger a wave of audits in the open-source industry. Projects maintaining web administration interfaces will start receiving bug reports of an unusual type: "AI found a logical contradiction in line 847." Developers of mainstream projects (Jenkins, Grafana, GitLab) will initiate internal reviews specifically for semantic vulnerabilities—the class that no one systematically searched for before.

Simultaneously, on underground forums, a revaluation will occur. Ready-made exploits with "hallucinations" in the code will be discounted, while demand will grow for specialists capable of cleaning AI-generated code of artifacts. A new micro-specialization will emerge in the criminal ecosystem: "AI exploit sanitizer."

I expect that within 30 days, at least one major vendor (Microsoft, Cisco, or Palo Alto) will announce the inclusion of LLM-based semantic analysis in their code scanners. This will be a direct response to the threat described by GTIG.

90 days (until mid-August 2026). Semantic vulnerabilities will become a mainstream vector. Today, only Google talks about them. In three months, independent research from FireEye, CrowdStrike, and academic groups will appear, cataloging types of logical errors that LLMs find better than humans. By August, at least 5-7 CVEs discovered with AI will be documented—by both defenders and attackers.

In summer 2026, at Black Hat and DEF CON, the topic of AI-driven vulnerability discovery will dominate the agenda. I expect at least one presentation demonstrating an automated pipeline: an LLM finds a vulnerability, an agentic framework generates an exploit, another agent cleans up artifacts, and a third deploys the attack. Not as a proof-of-concept, but as a working chain.

The most unpleasant part: the monetization model for stolen data will finally shift toward AI analysis. Infostealers already supply 67% of dark web database content. To this will be added automatic categorization and prioritization of victims using LLMs: "here's a company with open RDP and outdated vCenter—ransom payment probability 78%, recommended amount $400,000." This will elevate ransomware to a new level of economic efficiency.

Conclusion. May 12, 2026, documented what had been warned about for years: the first AI-generated zero-day. But this is not the finish line; it's the start. The race has begun—and defenders will have to learn to think like LLMs to outpace those who already have. John Hultquist of GTIG put it succinctly: "There is a misconception that the AI vulnerability race is inevitable. The reality is that it is already underway. For every zero-day we can trace to AI, there are likely many others we don't see."

— Editorial Team

Advertisement 728x90

Read Next