Google: AI-Aided Zero-Day Exploit Bypassed 2FA

On Sunday, Google’s Threat Intelligence Group reported it intercepted what it believes is the first zero-day exploit built with the help of an AI model. The exploit was a Python script designed to bypass two‑factor authentication in an open-source web administration tool. Google discovered the activity while monitoring for mass exploitation and worked with the vendor to prevent wide-scale attacks. The company did not name the targeted tool or the actor.

Analysts reviewing the code identified elements that match large language model output, including detailed instructional docstrings, a fabricated Common Vulnerability Scoring System severity number, structured help menus and uniform color-class formatting. Google linked the patterns and formatting to AI-generated content and clarified it was not attributing the work to its own Gemini model.

Google wrote: “Based on the structure and content of these exploits, we have high confidence that the actor likely leveraged an AI model to support the discovery and weaponization of this vulnerability.” The company noted the documentation and formatting suggested an AI assistant helped both find the flaw and create an exploit capable of bypassing two-factor controls.

The report also describes several state-linked clusters using AI to speed vulnerability research and exploit development. A China-linked group tracked as UNC2814 used a technique Google calls persona-driven jailbreaking, prompting a model to act as a senior security auditor and then directing it to analyze embedded device firmware from TP-Link and implementations of the Odette file transfer protocol for remote code execution issues. Another China-linked actor deployed tools named Strix and Hexstrike in attacks on a Japanese technology firm and a major East Asian cybersecurity company.

A North Korean group tracked as APT45 submitted thousands of repetitive prompts to AI models to recursively analyze known CVE entries and validate proof-of-concept exploits. Google reported that approach allowed the group to build a larger set of exploitable capabilities than would be practical without AI assistance.

The report flagged suspected Russian actors using AI to generate polymorphic malware and obfuscation networks that speed development and help evade detection. Google introduced the term PROMPTSPY to describe malware that uses AI models to assess a victim system’s state and dynamically generate commands, effectively shifting operational decision-making to the model.

Google said some threat actors obtain anonymized premium access to language models through specialized middleware and automated account registration services, enabling large-scale misuse via trial accounts and other workarounds. A group tracked as TeamPCP, also known as UNC6780, has targeted AI software dependencies to gain footholds and deploy ransomware and extortion.

The company described defensive uses of AI inside Google, citing tools such as Big Sleep, an agent that helps identify software vulnerabilities, and CodeMender, which applies model reasoning to automatically patch flaws. Google reported it disables accounts found misusing its Gemini service and works with software vendors to block active exploitation when a flaw is discovered.

The report documents attackers adding AI into vulnerability discovery, exploit construction and autonomous attack decisions and defenders using AI to detect and remediate threats.