Google Confirms First AI-Crafted Zero-Day Exploit Foiled

Google has confirmed the first verified instance of a criminal threat actor using artificial intelligence to develop a zero-day exploit. The Google Threat Intelligence Group (GTIG) identified the vulnerability and alerted the affected vendor before the attack could launch.

This represents a shift from theoretical concerns to documented reality. Security experts have long feared that AI models could lower the barrier for adversaries to discover and weaponize undisclosed software flaws. That fear was largely speculative until now.

According to GTIG's official report, the company has "high confidence that the actor likely leveraged an AI model to support the discovery and weaponization of this vulnerability." The threat actor planned to use it in a mass exploitation event, but Google's proactive counter-discovery may have prevented its deployment.

The vulnerability affected a popular open-source, web-based administration tool. Specifically, it impacted a Python script that allows attackers to bypass two-factor authentication for the service. Google declined to identify the specific vulnerability or name the affected tool, noting it has been patched.

Researchers withheld details about how they discovered the zero-day or the cybercrime group preparing to use it. The threat group has a "strong record of high-profile incidents and mass exploitation," according to John Hultquist, chief analyst at GTIG.

GTIG is fairly confident the threat group was using AI meaningfully throughout the entire process. The evidence left artifacts throughout the exploit code that are inconsistent with human developers. This included documentation strings in Python, highly annotated code, and a hallucinated but non-existent CVSS score.

Google is confident the attackers didn't use Gemini or Anthropic's Mythos. The company did not specify which AI platform the hackers used, but the artifacts suggest a generative model heavily involved in the development workflow.

The discovery comes as GTIG has been warning about AI-developed exploits hitting systems in the wild. The group's own Big Sleep AI agent found a zero-day vulnerability in late 2024, proving the capability was possible two years ago.

"We finally uncovered some evidence this is happening," Hultquist told CyberScoop. "This is probably the tip of the iceberg and it's certainly not going to be last."

State-sponsored threat actors associated with the People's Republic of China and the Democratic People's Republic of Korea have also demonstrated significant interest in capitalizing on AI for vulnerability discovery. These actors have leveraged sophisticated approaches toward AI-augmented vulnerability discovery and exploitation.

The report details how adversaries are leveraging AI to augment various phases of the attack lifecycle. This includes supporting the development of vulnerability exploits and malware, facilitating autonomous execution of commands, and improving the efficacy of social engineering.

As the coding capabilities of AI models advance, adversaries increasingly leverage these tools as expert-level force multipliers for vulnerability research and exploit development. While these tools empower defensive research, they also lower the barrier for adversaries to reverse-engineer applications and develop sophisticated, AI-generated exploits.

Google employs proactive measures to stay ahead of these constantly changing threats. The company enhances its products' safeguards to offer scaled protections to users. For Gemini, they mitigate model abuse by disabling malicious accounts.

Furthermore, Google leverages AI agents like Big Sleep to identify software vulnerabilities and uses Gemini's reasoning capabilities via the likes of CodeMender to automatically fix them. This proves AI can also be a powerful tool for defenders (though the arms race is getting exhausting, frankly).

The physical reality of this threat is stark. When developers review code, they typically look for patterns that match human behavior. AI-generated code leaves telltale signs—overly verbose documentation, inconsistent formatting, and impossible metrics that no human would invent.

These artifacts are the digital equivalent of a fingerprint left at a crime scene. They reveal the tool used, the workflow followed, and sometimes even the specific prompts that generated the exploit.

According to Google's official threat intelligence blog, the dual nature of the current threat environment means AI serves as both a sophisticated engine for adversary operations and a high-value target for attacks.

Independent reporting from The New York Times corroborates the timeline and scope of the changes. The attempted attack represents "a taste of what's to come," one expert said.

Flaws like the one identified by Google and the hacking group are known as "zero-day vulnerabilities" — security holes that are unknown to the software makers. They were once considered so rare and powerful that they could fetch millions of dollars on black markets used to sell hacking tools.

The tech industry and governments, including the Trump administration, are re-evaluating how and whether to police advanced versions of AI. This is largely because of growing concerns over what they mean for cybersecurity.

Hultquist noted that the discovery of a zero-day exploit developed by AI is less concerning than what this single instance forebodes even further. "The game's already begun and we expect the capability trajectory is pretty sharp," he said.

They do expect that this will be a much bigger problem, with more devastating zero-day attacks done over this, especially as capabilities grow. The trajectory suggests AI-assisted vulnerability discovery will become routine rather than exceptional.

Whether organizations can patch vulnerabilities faster than AI can discover them remains the real question. The window between discovery and exploitation is shrinking, and defenders are racing against automated systems that never sleep.

Time will tell if defensive AI can keep pace with offensive AI. For now, the first confirmed case is a warning shot, not the main event.

Artūras Malašauskas is an AI Systems Integrator with 20+ years of production-grade web engineering experience. He has designed, shipped, and scaled enterprise Python/PHP systems for logistics, SaaS, and public-sector clients. For the past year, he has focused exclusively on AI integrations: deploying open-source LLMs, building generative media pipelines (image, audio, video), and engineering multi-agent workflows for real production environments. His standard: reproducibility, security, cost-efficient inference—no vaporware. He documents and evaluates emerging AI tooling, separating verified capabilities from marketing noise. Technical editor at: muza-ai.eu, ai-verslas.lt, ai-naujinos.lt Connect on LinkedIn