AI-powered zero-day attacks are no longer theoretical. Google’s Threat Intelligence Group (GTIG) has identified a threat actor using artificial intelligence to develop a working zero-day exploit for the first time, marking a watershed moment in the evolution of cyber threats. The discovery reveals that attackers are moving beyond traditional vulnerability discovery methods and leveraging machine learning to identify and weaponize flaws that human researchers would likely miss.
Key Takeaways
- Google Threat Intelligence Group confirmed the first AI-developed zero-day exploit in the wild, targeting a web-based system administration tool.
- The attack bypassed two-factor authentication via a Python script, designed for mass exploitation before GTIG’s intervention.
- AI artifacts in the code—including hallucinated CVSS scores and highly annotated documentation—provided compelling evidence of machine involvement.
- Threat actors from China and North Korea have already begun leveraging AI across multiple attack phases, from reconnaissance to exploitation.
- This discovery represents what GTIG chief analyst John Hultquist called “the tip of the iceberg” for AI-augmented cyber operations.
How Hackers Used AI to Find and Weaponize a Zero-Day
The unnamed threat actor deployed an AI model to identify a semantic logic bug in a popular open-source administration tool—the kind of flaw that traditional fuzzing and static analysis tools typically miss. Rather than brute-force vulnerability hunting, the attacker leveraged AI’s ability to understand high-level code semantics and spot logical inconsistencies that expose security weaknesses. The resulting exploit came packaged as a Python script capable of bypassing two-factor authentication, a critical defense layer protecting millions of users.
What makes this discovery particularly alarming is the evidence trail left behind. GTIG researchers found distinct AI artifacts scattered throughout the malicious code: highly annotated documentation strings, a hallucinated CVSS score that does not exist in any official database, and structural patterns inconsistent with human coding practices. These fingerprints provided “high confidence” that an AI model—not a human attacker or known threat group tool—developed the exploit. The threat actor had clearly used AI not just for discovery but for the entire exploit development lifecycle, from initial vulnerability analysis to weaponization.
According to GTIG’s analysis, the attacker planned a “mass exploitation event” that could have compromised thousands of systems had the vulnerability remained unpatched. GTIG’s proactive counter-discovery thwarted the attack by alerting the unnamed vendor, who released a patch before the exploit could be deployed at scale.
AI-Powered Zero-Day Attacks Across the Threat Landscape
This is not an isolated incident. GTIG has identified multiple state-sponsored and cybercriminal groups experimenting with AI-augmented attack methods. China-linked threat actors, including APT27, have employed persona-driven jailbreaking techniques—framing requests as if they came from a “senior security auditor”—to extract vulnerability analysis from AI models. North Korea-linked groups like APT45 have taken a different approach, sending thousands of repetitive prompts to AI systems to analyze publicly disclosed vulnerabilities and proof-of-concept exploits, building a knowledge base for future attacks.
The sophistication varies. Some threat actors are using AI for initial reconnaissance and vulnerability discovery. Others are leveraging machine learning to automate malware development or enhance social engineering campaigns. What unites them is a recognition that AI fundamentally changes the economics of cyber attacks. Tasks that once required expert human analysts can now be partially automated, scaled, and deployed faster than defenders can respond.
This marks a dramatic shift from the early days of AI security research. Google’s Big Sleep AI agent, developed by DeepMind and Project Zero, proved the theoretical feasibility of AI-discovered zero-days roughly a year ago. What has changed is that threat actors are now operationalizing these techniques in real-world attacks, no longer content to wait for academic papers or security conferences to validate the approach.
What This Means for Cybersecurity Defenders
John Hultquist, GTIG’s chief analyst, framed the discovery with sobering clarity: “This is probably the tip of the iceberg and it’s certainly not going to be the last.” The implication is stark—if defenders are only now seeing the first confirmed AI-powered zero-day in the wild, many more are likely already in development across adversary networks.
The challenge for defenders is asymmetrical. Traditional vulnerability management relies on patching known flaws and monitoring threat intelligence feeds for emerging exploits. AI-powered zero-day attacks bypass these defenses by targeting semantic logic bugs that are difficult to detect with conventional tools. A vulnerability that exploits a subtle flaw in how code handles authentication logic—the kind of mistake that an AI model excels at identifying—may never appear in a public vulnerability database until it is too late.
Organizations cannot simply patch their way out of this problem. Instead, defenders must adopt a fundamentally different posture: assume that zero-days will be discovered faster, deployed more broadly, and weaponized more efficiently. This means investing in behavioral detection, threat hunting, and incident response capabilities that can identify exploitation attempts even when the underlying vulnerability remains unknown. It also means treating AI-augmented threat intelligence as a critical new domain, one where understanding how attackers use machine learning becomes as important as understanding their traditional tactics.
Is This Really the First AI Zero-Day, or Just the First We Know About?
GTIG’s confidence in this being the first confirmed AI-developed zero-day is high but not absolute. Hultquist acknowledged that “we finally uncovered some evidence this is happening,” implying that earlier attacks may have occurred without leaving detectable AI fingerprints. An attacker using a more sophisticated model, or one that produces code indistinguishable from human work, could have deployed AI-powered exploits months or years ago without triggering alarm bells.
The gap between “first confirmed” and “first actual” is significant. If threat actors have already learned to mask their AI involvement—removing annotation artifacts, eliminating hallucinated metadata, mimicking human coding patterns—then GTIG’s discovery represents not a breakthrough moment but a moment when the attackers became careless enough to leave evidence. By that logic, the real watershed moment occurred earlier, when threat actors first began experimenting with AI for vulnerability discovery, likely with far less fanfare.
What Happens Next?
The immediate consequence of GTIG’s discovery is a wave of scrutiny on AI security. Defenders will now actively hunt for the telltale signs of AI-developed exploits: unusual code patterns, hallucinated metadata, annotation artifacts. Threat actors, in response, will adapt. They will refine their techniques, use different AI models, or employ post-processing to remove evidence of machine involvement. This cycle of escalation mirrors the broader arms race between attackers and defenders, compressed into a new domain.
For organizations, the practical takeaway is uncomfortable: zero-day vulnerabilities are becoming easier to discover, and the defenders who relied on the assumption that zero-days are rare and hard to find are now operating under false premises. The arrival of AI-powered zero-day attacks does not necessarily mean more zero-days will be exploited tomorrow, but it does mean that the timeline for exploitation has compressed, and the pool of actors capable of discovering critical flaws has expanded.
Can AI models like Gemini be used for these attacks?
GTIG has “high confidence” that the zero-day was developed using an AI model, but the researchers explicitly ruled out Google’s Gemini and Anthropic’s Claude. The specific model remains unnamed, though the code artifacts suggest a different architecture or training approach. This distinction matters because it indicates that threat actors are not limited to consumer-facing AI assistants—they are experimenting with specialized models or alternative platforms that may lack the same safety guardrails.
How does Big Sleep fit into Google’s defense strategy?
Big Sleep, Google’s AI agent developed by DeepMind and Project Zero, discovered its first real-world zero-day in late 2024 and assisted in preempting another imminent exploit before GTIG’s latest discovery. The tool represents Google’s offensive defense strategy—using AI to find vulnerabilities before attackers do. However, Big Sleep operates within Google’s controlled environment and cannot protect the broader internet. Its existence proves that AI-powered vulnerability discovery works, but it also demonstrates that defenders are playing catch-up to threats that attackers may have already operationalized.
Should organizations assume their security tools can detect AI-powered zero-day attacks?
No. Traditional intrusion detection systems, endpoint protection platforms, and vulnerability scanners are designed to identify known attack patterns and disclosed vulnerabilities. An AI-powered zero-day, by definition, exploits a previously unknown flaw using a novel technique. Conventional security tools will not detect the exploitation until the attack is already underway. Organizations must supplement their security stack with behavioral analytics, threat hunting, and incident response capabilities that can identify suspicious activity even when the underlying vulnerability remains unknown.
The arrival of AI-powered zero-day attacks marks a genuine inflection point in cybersecurity. For years, security researchers have warned that artificial intelligence would eventually be weaponized at scale. Google’s discovery confirms that the warning was not hypothetical—it is happening now. The question is no longer whether threat actors will use AI to find and exploit vulnerabilities, but how quickly defenders can adapt to a threat landscape where the tools that once took human experts months to develop can now be generated by machines in days.
Edited by the All Things Geek team.
Source: TechRadar
