Technical description
Google's Threat Intelligence Group (GTIG) disclosed the first known case where cybercriminals used AI to discover and weaponize a previously unknown zero-day vulnerability. Multiple 'prominent cyber crime threat actors' partnered to identify a bug in a Python script that would allow bypassing two-factor authentication (2FA) on a popular open-source system. The groups then used AI-assisted code to weaponize the flaw. The vulnerability was thwarted before production exploitation, and Google disclosed it to the vendor.
Attack vector
The attack targets hidden trust assumptions in software login logic, leveraging AI's ability to reason about subtle behavioral weaknesses that conventional security tools often fail to detect. Attack chain: (1) AI identifies authentication bypass, (2) AI generates weaponized exploit code, (3) attackers deploy against production systems.
Affected systems
Unnamed popular open-source system (Python script-based). Additionally, Google identified: (1) APT45 (North Korean military group) using AI to test and validate thousands of exploit payloads, (2) Malware dubbed 'PromptSpy' using Gemini to autonomously navigate Android devices and generate control commands in real-time.
Mitigation
Immediate: Assume threat actors can now generate zero-day exploits from AI models in near-real-time (Google estimates ~30 minutes from patch disclosure to working exploit). Organizations must: (1) adopt AI-assisted vulnerability discovery (via Daybreak, Mythos, or equivalent) to find flaws before attackers, (2) reduce disclosure windows from 90 days to 30 days where feasible, (3) implement continuous patching and immutable infrastructure to reduce post-exploitation dwell time, (4) assume 2FA bypass is now a commodity attack path and add additional authentication factors (FIDO2, hardware tokens).