June 4, 2026

PBX Science

AI-Assisted Hacking Is Already Here — The Race Google’s Report Just Made Impossible to Ignore


AI-Assisted Hacking: Is an IT Security Disaster Already Here?
Cyber Intelligence Report

Tuesday, May 12, 2026  |  Threat Analysis

Google’s Threat Intelligence Group has confirmed the world’s first zero-day exploit developed using artificial intelligence. The attack was foiled — but barely. Experts warn this is only the beginning.

For years, cybersecurity experts warned that AI would one day lower the barrier for hackers to discover and weaponize software vulnerabilities. That day, according to Google’s Threat Intelligence Group (GTIG), has now arrived — and the first confirmed incident came perilously close to triggering a mass exploitation campaign that could have compromised systems worldwide.

On May 11, 2026, Google’s GTIG published its latest AI Threat Tracker, documenting what it describes as a historic and alarming milestone: the first real-world case in which a criminal threat actor used an artificial intelligence model to discover and weaponize a previously unknown zero-day vulnerability — a software flaw unknown even to its own developers.

The Incident: A Near-Miss Mass Exploitation

GTIG researchers uncovered a Python exploit script prepared by a cybercrime group targeting a popular open-source, web-based system administration tool. The script was engineered to bypass two-factor authentication (2FA) by exploiting a hardcoded trust assumption buried deep in the application’s authentication logic — a high-level “semantic logic flaw” that traditional security scanners, fuzzers, and static analysis tools are fundamentally ill-equipped to detect.

The attackers planned to unleash this exploit in a mass campaign targeting the tool at scale. Google’s proactive counter-discovery disrupted the operation before it could gain traction. Additionally, errors in the exploit’s own implementation likely interfered with its successful use — a reminder that even AI-generated attacks are still in their clumsy early phase.

Google worked with the affected vendor to responsibly disclose the vulnerability and issue a patch before the campaign could launch. The name of the vendor and tool has not been publicly disclosed.

How Researchers Knew AI Wrote the Code

GTIG stated it has “high confidence” that an AI model — not a human researcher — authored the exploit script. The code bore unmistakable fingerprints of large language model (LLM) authorship:

AI Authorship Indicators Found in the Exploit Script

  • An abundance of educational docstrings and detailed help menus — typical of LLM training data output
  • Clean, structured “textbook Pythonic” formatting far more polished than typical human-written exploit code
  • A hallucinated CVSS severity score — the AI invented a risk rating for the bug before it even had an official CVE designation
  • A semantic logic flaw as the vulnerability vector — a type of high-level error invisible to traditional automated scanners but detectable by AI reasoning over developer intent

Google confirmed that neither its own Gemini model nor Anthropic’s Mythos model was used in the attack. The identity of the AI model actually leveraged by the attackers was not disclosed.

“There’s a misconception that the AI vulnerability race is imminent. The reality is that it’s already begun. For every zero-day we can trace back to AI, there are probably many more out there.”

— John Hultquist, Chief Analyst, Google Threat Intelligence Group

Nation-State Actors: A Broader, More Systematic Threat

The confirmed zero-day was not an isolated incident. GTIG’s report documents a much wider pattern of nation-state actors systematically integrating AI into their offensive cyber operations:

| Threat Actor | Country | AI-Assisted Activity |
| --- | --- | --- |
| APT45 | North Korea | Sent thousands of repetitive automated prompts to recursively analyze CVEs and validate proof-of-concept exploits, building an arsenal at a scale impractical without AI |
| UNC2814 | China-linked | Used expert-persona jailbreaking — prompting Gemini to act as a “senior C/C++ binary security expert” — to research pre-authentication remote code execution flaws in TP-Link router firmware |
| APT27 | China-linked | Used AI to accelerate development of network relay infrastructure to obfuscate intrusion origins |
| Russia-nexus actors | Russia | Deployed AI-generated decoy code in malware families (CANFAIL, LONGSTREAM) to confuse analysts; used AI voice cloning in influence operations impersonating journalists |

PROMPTSPY: The Android Backdoor That Thinks for Itself

Among the report’s most alarming findings is PROMPTSPY, an Android backdoor first identified by cybersecurity firm ESET. Unlike traditional malware that executes a fixed payload, PROMPTSPY integrates Google’s own Gemini API directly into its attack flow — giving it the ability to reason and adapt autonomously.

PROMPTSPY works by serializing the Android device’s visible user interface into XML, then querying Gemini for spatial coordinates and structured JSON instructions on what to do next. It can capture biometric authentication data to replay lock screen gestures, deploy invisible overlays to block the uninstall button, and dynamically rotate its own command-and-control infrastructure and API keys at runtime to survive takedown attempts. Google has disabled all assets associated with the activity, and no infected apps have been found on Google Play. Google Play Protect blocks known versions by default.

Why This Changes Everything for Defenders

The nature of the vulnerability at the centre of the confirmed zero-day — a semantic logic flaw — is particularly concerning for the security industry. Traditional vulnerability scanners are engineered to detect memory corruption, improper input sanitization, and detectable crashes. A hardcoded trust assumption in authentication logic, however, requires understanding developer intent — something large language models are increasingly capable of doing.
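A constructed illustration of this class of flaw, added here; it is not the undisclosed vulnerability and not code from GTIG's report, and the function names, the trusted-network rule and the test data are all hypothetical. The "before" login never crashes on any input, so only a check written against the intended rule (a session requires both factors) exposes it.

```python
import hmac
from itertools import product

# Constructed test account; the static code stands in for a real TOTP check.
USERS = {"alice": {"password": "correct-horse", "totp": "492817"}}

def login_flawed(user, password, totp, source_ip):
    """'Before': a hardcoded trust assumption skips the second factor."""
    acct = USERS.get(user)
    if acct is None or not hmac.compare_digest(password, acct["password"]):
        return False
    if source_ip.startswith("10."):  # hypothetical "trusted network" shortcut
        return True
    return hmac.compare_digest(totp, acct["totp"])

def login_fixed(user, password, totp, source_ip):
    """'After': both factors are always required; the source is not a credential."""
    acct = USERS.get(user)
    if acct is None:
        return False
    ok_pw = hmac.compare_digest(password, acct["password"])
    ok_totp = hmac.compare_digest(totp, acct["totp"])
    return ok_pw and ok_totp

def invariant_violations(login):
    """Enumerate inputs and report every session granted without both factors."""
    bad = []
    for pw, totp, ip in product(["correct-horse", "wrong"],
                                ["492817", "000000", ""],
                                ["203.0.113.7", "10.0.0.5"]):
        granted = login("alice", pw, totp, ip)
        both_valid = pw == "correct-horse" and totp == "492817"
        if granted and not both_valid:
            bad.append((pw, totp, ip))
    return bad

if __name__ == "__main__":
    print("flawed:", invariant_violations(login_flawed))
    print("fixed: ", invariant_violations(login_fixed))
```

The same pattern scales to a real code base as a property test: state the authentication invariant once and run it against every code path that can issue a session.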

GTIG notes that while AI’s contextual reasoning capabilities are advancing rapidly, threat actors have not yet achieved “breakthrough capabilities” to bypass the core security logic of frontier AI models themselves. Instead, they are exploiting the orchestration layers around AI systems: open-source wrapper libraries, API connectors, and configuration files. In March 2026, criminal group TeamPCP compromised LiteLLM, a widely used AI gateway library, by embedding a credential stealer through poisoned PyPI packages.

What Security Teams Should Do Now

  • Accelerate vulnerability assessments for products that rely on semantic or logic-based trust assumptions, not just traditional memory-safety issues
  • Audit CI/CD pipelines, GitHub tokens, and third-party AI dependency chains for signs of supply chain compromise
  • Treat AI-integrated components (API connectors, LLM wrapper libraries) as high-priority attack surface
  • Monitor for patterns of AI-assisted reconnaissance: unusually structured, verbose, or well-commented exploit code may indicate AI authorship
  • Assume AI-assisted vulnerability discovery is already being applied against your systems; it is not a future concern
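The authorship indicators listed earlier and the monitoring recommendation above can be turned into a static triage check for Python scripts recovered during an investigation. This is an added example, not GTIG's method or tooling; the function names, thresholds and sample script are assumptions. It measures three of the indicators (docstring density, help strings, and a CVSS score quoted with no CVE ID) without executing the script.

```python
import ast
import re

# Constructed, harmless sample in the style the indicators describe.
SAMPLE = '''
"""Demo tool.

Severity: CVSS 9.8 (Critical)
"""
import argparse

def build_parser():
    """Build the command-line parser with detailed help text."""
    p = argparse.ArgumentParser(description="Demo tool")
    p.add_argument("--host", help="Host name to check")
    p.add_argument("--port", help="TCP port to connect to")
    return p

def main():
    """Entry point: parse arguments and print them."""
    print(build_parser().parse_args([]))
'''

CVSS_RE = re.compile(r"CVSS[^\n]{0,20}?\b(?:10|\d)\.\d\b", re.I)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.I)

def authorship_indicators(source: str) -> dict:
    """Measure three code-level indicators on one script's source text."""
    tree = ast.parse(source)  # parses only; the script is never executed
    defs = [n for n in ast.walk(tree)
            if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef))]
    documented = sum(1 for n in defs if ast.get_docstring(n))
    help_strings = sum(1 for n in ast.walk(tree) if isinstance(n, ast.Call)
                       for kw in n.keywords if kw.arg == "help")
    return {
        "docstring_ratio": documented / len(defs) if defs else 0.0,
        "help_strings": help_strings,
        # A severity score quoted with no CVE ID to attach it to.
        "cvss_without_cve": bool(CVSS_RE.search(source)) and not CVE_RE.search(source),
    }

def triage_score(ind: dict) -> int:
    """0-3: one point per indicator; thresholds are assumptions to tune."""
    return (int(ind["docstring_ratio"] >= 0.8) + int(ind["help_strings"] >= 2)
            + int(ind["cvss_without_cve"]))

if __name__ == "__main__":
    print(authorship_indicators(SAMPLE), triage_score(authorship_indicators(SAMPLE)))
```

A high score says only that the script deserves a closer look: well-documented code is common in legitimate tooling, so the result is a triage annotation, not a verdict on authorship or intent.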

Is a Security Disaster Imminent?

The honest answer from the experts closest to this threat is: the disaster is not imminent — it is incremental, and it has already started. The foiled mass exploitation campaign showed that AI-generated attacks are still imperfect; errors in implementation saved many potential victims this time. But the trajectory is clear.

As GTIG’s report states, AI tools are serving as “expert-level force multipliers for vulnerability research and exploit development.” They lower the barrier for less sophisticated actors, accelerate the operations of well-resourced state groups, and enable autonomous malware that can adapt in real time. Google’s intervention in this case was the product of proactive threat intelligence — a reminder that defensive AI capabilities must evolve at least as fast as offensive ones.

“AI-enabled malware signals a shift toward autonomous attack orchestration, where models interpret system states to dynamically generate commands and manipulate victim environments.”

— Google Threat Intelligence Group, AI Threat Tracker Report, May 11, 2026

The race John Hultquist described is not coming. It is already being run — and for now, defenders are still on the track. The question is how long that remains true as AI capabilities on both sides continue to accelerate.

✦ ✦ ✦

This article is based on Google’s GTIG AI Threat Tracker report published May 11, 2026, and corroborating coverage from CNBC, The Register, BleepingComputer, SiliconANGLE, UPI, and Axios. All claims reflect verified reporting as of May 12, 2026.

Cyber Intelligence Report  |  Published May 12, 2026  |  Source: Google GTIG AI Threat Tracker

This article is for informational purposes only. All trademarks belong to their respective owners.
