Google has identified the first zero-day exploit it believes was developed with artificial intelligence. The criminal threat actor that built it planned to use it in a mass exploitation event. Google’s Threat Intelligence Group discovered the vulnerability before it was deployed, worked with the affected vendor to patch it, and disrupted the operation. The exploit, a Python script that bypasses two-factor authentication on a popular open-source system administration tool, contained hallucinated CVSS scores, educational docstrings, and the structured textbook formatting characteristic of large language model output. Google has high confidence that an AI model was used to find and weaponise the flaw.

The disclosure comes in a report published on Monday by the Google Threat Intelligence Group that documents a maturing transition from experimental AI-enabled hacking to what GTIG calls the “industrial-scale application of generative models within adversarial workflows.” State-sponsored actors from China and North Korea are using AI for vulnerability research. Russia-nexus threat actors are deploying AI-generated decoy code against Ukrainian targets. An Android malware called PROMPTSPY uses Google’s own Gemini API to autonomously navigate victim devices, capture biometric data, and block its own uninstallation. The AI cybersecurity arms race that experts warned about is no longer theoretical. It is in Google’s incident response logs.

The zero-day

The exploit targeted a semantic logic flaw, not a memory corruption bug or an input sanitisation error, but a high-level design mistake where the developer hardcoded a trust assumption into the two-factor authentication logic. Traditional vulnerability scanners and fuzzers are optimised to detect crashes and data-flow sinks. They miss this category of flaw. Large language models do not. Frontier models can perform contextual reasoning, reading the developer’s intent and correlating the authentication enforcement logic with hardcoded exceptions that contradict it. The model surfaced a dormant logic error that appeared functionally correct to every traditional scanner but was strategically broken from a security perspective.

GTIG worked with the impacted vendor to responsibly disclose the vulnerability. It does not believe Gemini was used. The criminal group behind the exploit has, according to Google, “a strong record of high-profile incidents and mass exploitation.” The planned mass exploitation event was prevented by proactive counter-discovery. The implication is that AI has crossed a threshold. It can now find vulnerabilities that humans and traditional tools miss, and it is being used by criminal actors to do so at scale.

The autonomous malware

PROMPTSPY is an Android backdoor first identified by ESET in February 2026. Initial reporting focused on its use of the Gemini API to maintain persistence by navigating the Android user interface to pin the malicious application in the recent apps list. Google’s analysis revealed capabilities that go significantly further.

The malware contains an autonomous agent module called GeminiAutomationAgent. It serialises the device’s visible user interface hierarchy into an XML-like format via the Accessibility API and sends it to the gemini-2.5-flash-lite model. The model returns structured JSON responses containing action types and spatial coordinates, which PROMPTSPY parses to simulate physical gestures: clicks, swipes, and navigation. The AI interprets the device’s state and generates commands in real time without human supervision.

PROMPTSPY can capture victim biometric data to replay authentication gestures and regain access to compromised devices. If a victim tries to uninstall it, the malware identifies the on-screen coordinates of the uninstall button and renders an invisible overlay that intercepts touch events, making the button appear unresponsive. Its command and control infrastructure, including Gemini API keys and VNC relay servers, can be updated dynamically at runtime, meaning that blocking specific endpoints does not disable the backdoor. Google has disabled the assets associated with this activity and confirmed that no apps containing PROMPTSPY are found on Google Play.

The state actors

Chinese and North Korean state-sponsored threat actors are using AI for vulnerability research with increasing sophistication. GTIG observed UNC2814, a Chinese-linked group, directing Gemini to act as a “senior security auditor” and “C/C++ binary security expert” to support vulnerability research into TP-Link firmware and file transfer protocol implementations. North Korea’s APT45 sent thousands of repetitive prompts that recursively analysed different CVEs and validated proof-of-concept exploits, building an arsenal of exploit capabilities that would be impractical to manage without AI assistance.

Chinese threat actors experimented with a specialised vulnerability repository called wooyun-legacy, a Claude code skill plugin containing a distilled knowledge base of more than 85,000 real-world vulnerability cases collected by the Chinese bug bounty platform WooYun between 2010 and 2016. By priming an AI model with this vulnerability data, the actors enabled in-context learning that steered the model to approach code analysis like an experienced researcher and identify logic flaws the base model would otherwise miss.

Russia-nexus actors targeting Ukrainian organisations are deploying malware families called CANFAIL and LONGSTREAM, both of which use AI-generated decoy code to obfuscate their malicious functionality. CANFAIL’s source code contains developer comments that explicitly identify unused blocks as filler content designed to disguise malicious activity. LONGSTREAM contains 32 instances of code querying the system’s daylight saving status, a repetitive benign-looking operation that exists solely to camouflage the downloader’s real purpose. APT27, a Chinese-linked group, used Gemini to accelerate development of an operational relay box network management tool with multi-hop proxy configurations designed to obfuscate intrusion origins.

The supply chain

A cyber crime group called TeamPCP claimed responsibility for multiple supply chain compromises of popular GitHub repositories and associated GitHub Actions in late March 2026, including Trivy, Checkmarx, LiteLLM, and BerriAI. The attackers gained initial access through compromised PyPI packages and malicious pull requests, then embedded credential-stealing malware to extract AWS keys and GitHub tokens from affected build environments. The stolen credentials were monetised through partnerships with ransomware and data theft extortion groups.

The compromise of LiteLLM, an AI gateway utility used to integrate multiple large language model providers, is particularly significant. Because the package is widely deployed, the breach could expose AI API secrets across the software supply chain. GTIG notes that attackers who gain access to an organisation’s AI systems through compromised dependencies could leverage internal models to identify, collect, and exfiltrate sensitive information at scale, or perform reconnaissance to move deeper within the network. The AI software ecosystem has become both a tool for attackers and a target.

Google announced its agent infrastructure at Cloud Next 2026, positioning Gemini as the reasoning backbone for autonomous AI workflows across enterprise. The same company is now documenting how adversaries are using agentic workflows to orchestrate attacks. The GTIG report describes threat actors deploying tools called Hexstrike and Strix against a Japanese technology firm and an East Asian cybersecurity platform, with Hexstrike using a temporal knowledge graph to maintain persistent state of the attack surface and autonomously pivot between reconnaissance tools. The agents that Google is selling to enterprises are being mirrored by agents that adversaries are deploying against them.

The defence

Google’s response includes Big Sleep, an AI agent developed by Google DeepMind and Google Project Zero that searches for unknown security vulnerabilities in software. Big Sleep found the vulnerability that the criminal group planned to exploit before the attack was launched. Google also introduced CodeMender, an AI-powered agent that uses Gemini’s reasoning capabilities to automatically fix critical code vulnerabilities. The defensive AI found the flaw. The offensive AI created the exploit. Google’s proactive discovery arrived first.

Google has repositioned Chrome as an enterprise security platform with real-time data loss prevention and AI governance controls, reporting a 50 per cent reduction in unauthorised AI data transfers. The investment in defensive infrastructure reflects the scale of the threat GTIG is documenting: 308 petabytes of industry telemetry in 2025 across more than four million identities, endpoints, and cloud assets, producing nearly 30 million investigative leads. No human team can process that volume. The defensive AI is not optional. It is the only way to match the speed of the offensive AI.

The policy gap

The Trump administration blocked the expansion of Anthropic’s Mythos, the most powerful vulnerability-discovery AI ever built, even as the GTIG report documents criminal and state-sponsored actors using AI to find and exploit the same types of flaws that Mythos was designed to detect. The policy contradiction is that the US government is simultaneously restricting access to defensive AI and facing an adversary landscape in which offensive AI is being deployed at industrial scale.

UK banks received their Mythos briefing within days of the European access crisis, illustrating the scramble among governments and financial institutions to gain access to AI security tools that can match the capabilities GTIG describes. Euro-area finance ministers convened to discuss the fact that no EU government had access to the most advanced vulnerability-discovery AI while the adversaries documented in the GTIG report, state-sponsored actors from China, North Korea, and Russia, were already using AI to find zero-days, generate autonomous malware, and attack the AI software supply chain.

The GTIG report is 33 pages of evidence that the AI cybersecurity arms race has moved from hypothesis to operational reality. Criminal actors are using AI to discover zero-day vulnerabilities and plan mass exploitation events. State-sponsored groups are building AI-augmented exploit arsenals. Autonomous malware is using commercial AI APIs to navigate victim devices without human supervision. The supply chain that connects AI models to enterprise systems is under active attack. Google’s defensive AI found the zero-day before the attackers could deploy it. The question the report does not answer is how many zero-days have been found by actors whose work Google has not yet detected.