Technical description
360 Digital Security Group disclosed on April 24, 2026, that its internally developed Multi-Agent Collaborative Vulnerability Discovery System has uncovered close to 1,000 previously unknown vulnerabilities, including flaws in Microsoft Office and OpenClaw (an open-source AI agent framework), positioning the system as China's answer to Anthropic's Mythos model.
Attack vector
While specific technical details were not disclosed, 360 stated that AI evolved 'from an auxiliary tool to the core engine of vulnerability discovery,' suggesting automated fuzzing, exploit chain construction, and pattern recognition across codebases. Some vulnerability claims are disputed or credited to other researchers, per Natto Thoughts analysis.
Affected systems
Microsoft Office (unspecified components), OpenClaw AI agent framework, and approximately 998 other systems not yet publicly detailed. The breadth suggests targets span productivity software, AI/ML tooling, and potentially critical infrastructure.
Mitigation
Organizations should monitor CVE feeds and vendor advisories for forthcoming disclosures from 360's research. China's legal requirement that firms report vulnerabilities to state agencies before public disclosure creates an asymmetric threat window—assume state actors may have early access to exploit these findings before patches are available. Prioritize patching AI/ML frameworks and Microsoft productivity suite when updates are released.