Google's Threat Intelligence Group has identified what it believes is the first documented case of cybercriminals using AI to discover and weaponize a zero-day vulnerability for a large-scale attack campaign.

The Vulnerability

The zero-day was a two-factor authentication bypass in a popular open-source web administration platform. According to Google, attackers employed an AI model to both identify the flaw and develop an exploitable tool from it. The company collaborated with the unnamed vendor to patch the issue before the campaign could gain momentum, potentially disrupting the operation.

Characteristics of the AI-Generated Exploit

The Python exploit script displayed telltale signs of machine generation, including:

  • "Educational docstrings" typical of LLM-generated code
  • A hallucinated CVSS score
  • Structured code that reflected LLM training data patterns

The underlying vulnerability stemmed from developers hard-coding a trust exception into the authentication flow. Google noted that "frontier LLMs excel at identifying these types of high-level flaws and hardcoded static anomalies," contrasting AI's capability with traditional fuzzing and static analysis tools.
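To make the bug class concrete, here is an added illustration (not the affected platform's code, and not from Google's report): a second-factor check with a hard-coded trust exception next to a version that always verifies the factor. The header name, bypass value, and HOTP counter are constructed for the demo.

```python
"""Constructed example: a hard-coded trust exception in a 2FA check.

The vulnerable function trusts a static request value and skips the second
factor; the fixed function has no such exception. Names are hypothetical.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, used here as the second factor."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_2fa_vulnerable(code: str, secret: bytes, counter: int,
                          headers: dict) -> bool:
    # Hard-coded trust exception (constructed): a fixed header value, presumably
    # left over from maintenance, is treated as proof of identity and the second
    # factor is never checked. A reviewer or static check should flag any branch
    # that returns True before the factor is compared.
    if headers.get("X-Internal-Bypass") == "maintenance-demo":
        return True
    return hmac.compare_digest(hotp(secret, counter), code)


def verify_2fa_fixed(code: str, secret: bytes, counter: int,
                     headers: dict) -> bool:
    # Hardened: request metadata never substitutes for the second factor.
    # `headers` is kept only so both functions share a signature.
    return hmac.compare_digest(hotp(secret, counter), code)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    bypass = {"X-Internal-Bypass": "maintenance-demo"}
    print("vulnerable, wrong code + header:",
          verify_2fa_vulnerable("000000", secret, 7, bypass))
    print("fixed, wrong code + header:     ",
          verify_2fa_fixed("000000", secret, 7, bypass))
```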

Broader AI Threat Landscape

John Hultquist, chief analyst at Google Threat Intelligence Group, stated: "The reality is that it's already begun. For every zero-day we can trace back to AI, there are probably many more out there."

The report documents additional AI-assisted threats:

  • North Korean APT45 using AI to process thousands of exploit checks
  • Chinese state operators experimenting with vulnerability hunting
  • Malware padded with AI-generated obfuscation code
  • Android backdoors leveraging AI APIs for autonomous device navigation

Significance

This marks a fundamental shift in the threat landscape. Previously, zero-day discovery required highly skilled human researchers with deep technical knowledge. AI tools are democratizing this capability, potentially enabling a much larger pool of attackers to discover and exploit previously unknown vulnerabilities at scale.