Hackers Observed Using AI to Develop Zero-Day for the First Time

Cybercriminals have been using AI to identify and exploit a zero-day vulnerability successfully for the first time, Google Threat Intelligence Group (GTIG) has warned.

Published on May 11, the GTIG AI Threat Tracker report said that “prominent” cybercrime threat actors partnered to plan a mass vulnerability exploitation operation.

An AI model was likely used to identify a zero-day vulnerability and weaponize it to exploit bypass two-factor authentication (2FA) protections on a popular open-source, web-based system administration tool.

GTIG worked with the system admin tool vendor to close the vulnerability and disrupt the campaign before the new zero-day could be exploited.

Google said this is the first evidence it has seen of a threat actor successfully using AI to support the discovery and weaponization of a zero-day vulnerability.

Neither the Google Gemini AI model nor Anthropic Mythos were used by the attacker, said the report.

Analysis of the code, which was implemented in Python, suggested hallmarks of being generated by AI. This included the highly structured use of educational docstrings and Pythonic format which are characteristic of training data used by large language models (LLMs).

The script also contained a hallucinated CVSS score, another indicator that it was developed by an AI rather than a human.

While this campaign was disrupted before it was deployed, the discovery of this AI-developed zero-day is an indication of how rapidly the AI threat landscape is evolving.

“There’s a misconception that the AI vulnerability race is imminent. The reality is that it’s already begun. For every zero-day we can trace back to AI, there are probably many more out there,” said John Hultquist, chief analyst at GTIG.

AI as an Enabler for Hackers

The GITG report detailed several examples of threat actors which have recently employed AI as part of their campaigns.

This included nation-state hacking and espionage groups. Google said that People’s Republic of China (PRC) and the Democratic People's Republic of Korea (DPRK) have demonstrated “significant interest” in capitalizing on AI for vulnerability discovery.

Cybercriminal groups have also continued to deploy AI as part of hacking campaigns with threat actors using AI models to help develop malware. GTIG also noted AI is being used for operational support tools which are more difficult to detect by anti-virus software and cybersecurity protections.

While attackers are using AI for more sophisticated activities including developing zero-days and malware obfuscation, the most common use of AI by threat actors is, much like regular users, using LLMs to conduct research and troubleshooting.

By automating intelligence gathering and task support, cybercriminals are allowing themselves additional time and resources to manage complex, multi-stage operations and more effective campaigns.

“Threat actors are using AI to boost the speed, scale, and sophistication of their attacks. It enables them to test their operations, persist against targets, build better malware, and make many other improvements,” said Hultquist.

“State actors are taking advantage of this technology, but the criminal threat shouldn’t be underestimated, especially given their history of broad, aggressive attacks,” he added.

Hackers Observed Using AI to Develop Zero-Day for the First Time

Danny Palmer

AI as an Enabler for Hackers

You may also like

Google's Naptime Framework to Boost Vulnerability Research with AI

Nation-State Hackers Embrace Gemini AI for Malicious Campaigns, Google Finds

Former Google Engineer Charged With Stealing AI Secrets

Expect Iran to Launch Cyber-Attacks Globally, Warns Google Head of Threat Intel

North Korean Hackers Use Deepfake Video Calls to Target Crypto Firms

What’s Hot on Infosecurity Magazine?

Australian Cyber Security Centre Issues Alert Over ClickFix Attacks

Fake Claude AI Site Drops Beagle Backdoor on Windows Users

One in Eight Workers Has Sold Their Corporate Logins

How Crowdsourced Security is Transforming the Public Sector Cybersecurity Landscape

Cline Kanban Flaw Lets Websites Hijack AI Coding Agents

CISA Urges Critical Infrastructure Providers to Make Plans to Remain Operational if hit by Cyber-Attack

Open Source is the Tip of the Iceberg: Why Proprietary Software, Hardware and Protocols Face Greater AI-Driven Security Risk

One in Eight Workers Has Sold Their Corporate Logins

Iran-Linked APT Posed as Chaos Ransomware Member in Espionage Campaign

OpenAI and Anthropic LLMs Used in Critical Infrastructure Cyber-Attack, Warns Dragos

How to Manage Large PST Files in Microsoft Outlook

NCSC Warns of an AI-Fuelled “Vulnerability Patch Wave”

Financial Services Under Pressure: Supply Chain Risk, Regulation and Operational Resilience

How To Enhance Security Operations with AI-Powered Defenses

How to Harness Advanced Intelligence Capabilities to Strengthen Cyber Defence

Behind the Curtain of Microsoft 365 Cybersecurity: Lessons from Overlooked Resilience Gaps

Why Resilience‑Focused Cloud Design Is Your Best Defense Against Modern Attacks

Securing M365 Data and Identity Systems Against Modern Adversaries

Anthropic Rolls Out Claude Security for AI Vulnerability Scanning

Inside the Code War: Defending Against Nation-State Cyber Threats

Interview: How YKK Is Securing the World’s Largest Zipper Manufacturing Operation

CISA and Partners Publish Zero Trust Guidance For OT Security

Most Cybersecurity Professionals Feel Undervalued and Underpaid

Cyber Resilience Under Pressure: Can Your Organisation Prove Control When it Matters Most?

Hackers Observed Using AI to Develop Zero-Day for the First Time

Written by

AI as an Enabler for Hackers

You may also like

What’s Hot on Infosecurity Magazine?