Google has identified a zero-day exploit believed to have been developed using artificial intelligence, marking a significant development in the cyber threat landscape. The report, compiled by Google’s Threat Intelligence Group and Mandiant, details how a notable cybercrime group used AI to create an exploit that could bypass two-factor authentication on an open-source web-based administration tool. The script displayed characteristics typical of AI models, such as structured Python code and educational documentation, indicating that AI assistance played a role in its creation. Additionally, Google’s findings highlight that state-sponsored actors from China and North Korea are increasingly leveraging AI for vulnerability discovery and exploit development, paving the way for more sophisticated cyber threats.

APT45: APT45 is a North Korean state-sponsored cyber operation group conducting espionage and disruptive attacks, tracked for using advanced tactics including AI-augmented analysis. The group employed thousands of repetitive AI prompts to analyze vulnerabilities and validate exploits.
Strix: Strix is an open-source AI agent framework designed for automated penetration testing, vulnerability discovery, and proof-of-concept generation in web applications. A China-linked actor deployed Strix as an agentic tool in attacks targeting a Japanese tech firm and an East Asian cybersecurity company.
Gemini: Gemini is Google’s advanced AI model integrated into security tools for analyzing cyber threats and processing large-scale data. The company drew on data collected by Gemini to summarize observations on AI use in the cyber threat landscape.
Google: Google is a leading technology company that operates extensive cybersecurity operations, including threat monitoring and vulnerability research through specialized teams. In this report, Google identified the first zero-day exploit believed to be developed using artificial intelligence, highlighting its role in advancing threat detection.
UNC2814: UNC2814 is a suspected Chinese state-sponsored cyber espionage group tracked by Mandiant and GTIG, primarily targeting telecommunications providers and government organizations since at least 2017. The group used a persona-driven jailbreak technique on AI models to enhance vulnerability research on embedded devices.
Mandiant: Mandiant is a Google Cloud cybersecurity firm specializing in incident response, threat intelligence, and advanced persistent threat tracking through reports like M-Trends. It collaborated with GTIG and Gemini on data collection for the new report detailing AI in cyber threats.
Hexstrike: Hexstrike is an AI-powered offensive security platform enabling automated reconnaissance, vulnerability exploitation, and penetration testing, often used in red teaming but increasingly abused by threat actors. Google observed a China-linked actor deploying Hexstrike in recent cyberattacks.
Google Threat Intelligence Group: Google Threat Intelligence Group (GTIG) is Google’s specialized unit focused on identifying, analyzing, and mitigating cyber threats targeting Alphabet properties and broader ecosystems, regularly publishing reports on emerging risks like AI misuse. GTIG contributed key data and analysis to the report on the AI-generated zero-day exploit and state-sponsored AI activities.

{“Threat Landscape Evolution”: “Google’s report covers shifts toward autonomous malware and AI-enhanced evasion tactics by cybercrime groups.”, “State-Sponsored AI Adoption”: “Chinese and North Korean actors are actively using AI for vulnerability discovery, including agentic tools and recursive prompt engineering.”}