# The First AI-Generated Zero-Day Exploit: Inside Google's Discovery of LLM-Written Malware in the Wild
Date: May 11, 2026
Tags: News, Cybersecurity, AI Threats, Zero-Day
On May 11, 2026, Google's Threat Intelligence Group (GTIG) published a bombshell report documenting something cybersecurity experts have feared for years: the first confirmed instance of a zero-day exploit written by artificial intelligence, found in the wild and aimed at mass exploitation.
This isn't a proof-of-concept from an academic lab. This is real. A criminal organization used an LLM to discover a vulnerability, write a working exploit, and prepare to deploy it at scale against a popular open-source web administration tool. Only Google's proactive intervention prevented what could have been a catastrophic campaign.
Here's everything we know, and what it means for the future of cybersecurity.
## The Exploit: Bypassing Two-Factor Authentication
The target was an unnamed open-source web-based system administration tool, the kind of software that IT teams everywhere use daily to manage servers, user access, and infrastructure. The exploit developed by the threat actors was designed to completely bypass the tool's two-factor authentication (2FA) protection.
2FA has long been considered a gold standard for account security. If an AI model can find a way around it in a widely-deployed admin tool, and translate that discovery into working exploit code, the implications are staggering.
The exploit itself was written in Python, but it wasn't the code's functionality alone that tipped off Google's analysts. It was how the code looked.
## "Textbook Pythonic": How Google Knew It Was AI-Written
GTIG's forensic analysis of the exploit code revealed several telltale signs of LLM generation:
- Educational docstrings throughout the script: detailed explanations of what each function does, the kind of verbose documentation a human attacker would never include
- A hallucinated CVSS score: the exploit claimed a CVSS severity rating that didn't correspond to any real scoring system, a classic LLM hallucination
- Structured, textbook Pythonic format: the code used a clean, pedagogical style highly characteristic of LLM training data, including a complete ANSI color class and detailed help menus
- High-level semantic logic bug discovery: rather than a memory corruption or input sanitization issue (the kind of bugs fuzzing tools find), the vulnerability was a semantic logic flaw that AI systems are particularly adept at identifying
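As an added example (not GTIG's tooling and not code from the report), the code below checks a recovered Python script for the stylistic traits listed above. The CVSS pattern, the three-constant threshold and the harmless `SAMPLE` script are constructed assumptions; a claimed CVSS score outside the 0.0 to 10.0 range is treated as impossible.

```python
import ast
import re

# CVSS base scores run from 0.0 to 10.0; capture the number that follows "CVSS".
CVSS_CLAIM = re.compile(r"CVSS[^\d\n]{0,20}(\d{1,2}(?:\.\d+)?)", re.IGNORECASE)

def style_indicators(source: str) -> dict:
    """Collect the stylistic traits listed above from one Python source file."""
    nodes = list(ast.walk(ast.parse(source)))
    funcs = [n for n in nodes if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))]
    documented = [f for f in funcs if ast.get_docstring(f)]
    # A "colour class": a class body holding three or more ANSI escape constants.
    ansi_classes = []
    for cls in (n for n in nodes if isinstance(n, ast.ClassDef)):
        values = [s.value.value for s in cls.body
                  if isinstance(s, ast.Assign) and isinstance(s.value, ast.Constant)
                  and isinstance(s.value.value, str)]
        if sum("\x1b[" in v for v in values) >= 3:
            ansi_classes.append(cls.name)
    # Help menus: calls that pass a help= keyword, as argparse's add_argument does.
    help_args = sum(1 for n in nodes if isinstance(n, ast.Call)
                    and any(k.arg == "help" for k in n.keywords))
    scores = [float(m) for m in CVSS_CLAIM.findall(source)]
    return {
        "docstring_ratio": len(documented) / len(funcs) if funcs else 0.0,
        "ansi_color_classes": ansi_classes,
        "help_keyword_calls": help_args,
        "cvss_claims": scores,
        "cvss_out_of_range": [s for s in scores if not 0.0 <= s <= 10.0],
    }

# Constructed, harmless sample that only carries the stylistic traits.
SAMPLE = r'''"""Inventory helper. Severity: CVSS 11.4 (Critical)"""
import argparse
class Colors:
    RED = "\033[91m"
    GREEN = "\033[92m"
    RESET = "\033[0m"
def parse_args():
    """Parse the command line and return the populated namespace."""
    p = argparse.ArgumentParser(description="List hosts")
    p.add_argument("--file", help="Path to the inventory file")
    return p.parse_args()
'''

if __name__ == "__main__":
    print(style_indicators(SAMPLE))
```

These are triage signals for an analyst, not proof of authorship: plenty of human-written tools ship docstrings, colour classes and help text.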
Google confirmed that its own Gemini model was not involved. Which LLM the threat actors used remains unclear, though GTIG's report notes that Chinese and North Korean state-sponsored groups (APT27, APT45, UNC2814, and others) have been systematically experimenting with various models for vulnerability research.
## Not an Isolated Incident
This zero-day wasn't the only alarming finding in GTIG's report. The broader threat landscape reveals a rapid maturation of AI-powered cyber operations across multiple fronts:
### State-Sponsored Vulnerability Research
Threat actors associated with China (PRC) and North Korea (DPRK) have developed sophisticated, persona-driven jailbreaking techniques to coerce AI models into vulnerability research. GTIG observed UNC2814 instructing models to act as "senior security auditors" and "C/C++ binary security experts," feeding them extracted firmware from embedded devices (including TP-Link routers and OFTP implementations) to hunt for pre-authentication remote code execution vulnerabilities.
### AI-Generated Malware Obfuscation
Russian-linked actors have begun using AI to generate decoy logic within malware like CANFAIL and LONGSTREAM. The decoy code exists solely to confuse analysts and sandbox environments, with the real malicious payload buried beneath a layer of LLM-generated noise.
### PROMPTSPY: Autonomous Android Malware
The PROMPTSPY Android backdoor, first documented by ESET earlier this year, represents another frontier. This malware integrates directly with Google's Gemini API at runtime, sending it XML descriptions of the device screen and receiving step-by-step instructions on how to interact with the interface, all to maintain persistence on compromised devices. GTIG discovered a previously unreported module called "GeminiAutomationAgent" that uses hardcoded prompts to assign a benign persona to the model, bypassing safety features. The malware can even replay lock patterns and PINs using AI-driven analysis of screen geometry.
### Operation Overload
A Russian-aligned information operation dubbed "Overload" deployed AI voice cloning to impersonate real journalists in synthetic news videos pushing anti-Ukraine narratives. This is AI-augmented propaganda at industrial scale.
## The Bigger Picture: An AI-vs-AI Arms Race
The most sobering takeaway from Google's report is the acknowledgment that the same technology enabling these attacks is also the best defense against them.
Google itself uses AI agents like Big Sleep to autonomously identify software vulnerabilities before attackers find them, and CodeMender to automatically fix security flaws using Gemini's reasoning capabilities. The company's secure AI framework (SAIF) provides a taxonomy for understanding ML-focused risks, including Insecure Integrated Components and Rogue Actions.
But the report also highlights a troubling trend: supply chain attacks targeting AI environments. A group tracked as "TeamPCP" (UNC6780) has begun compromising AI software dependencies as an initial access vector, then pivoting to broader network environments for ransomware deployment and extortion.
## What This Means for Practitioners
For anyone responsible for infrastructure security, this report should be a wake-up call on multiple levels:
1. 2FA is no longer a safety net. If AI can find semantic logic flaws that bypass authentication in popular admin tools, defense-in-depth strategies need to assume authentication bypass is possible.
2. AI-generated code is indistinguishable from human-written code at scale. Security teams need to update their code review processes. The old assumption that "we'd spot a malicious commit" no longer holds when an AI can generate clean, well-documented exploit code that passes human review.
3. Threat actors are innovating faster than defenders. The gap between academic demonstration and operational deployment is shrinking to near zero. PROMPTSPY went from theoretical concept to active malware in months.
4. LLM access is becoming a black market commodity. GTIG documented professionalized middleware services that offer anonymized, premium-tier access to AI models, complete with automated account cycling to bypass usage limits. Threat actors no longer need API keys; they can buy access on the dark web.
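One control that follows from point 1, as an added example rather than anything from the GTIG report: replay the admin tool's audit log and flag privileged actions taken in a session before that session recorded a second-factor success. The JSON field names, event names and log lines are constructed assumptions, since the affected tool is unnamed.

```python
import json

# Constructed audit events; field and event names are hypothetical, not from a real tool.
SAMPLE_LOG = """\
{"ts": 1, "session": "a1", "user": "alice", "event": "password_ok"}
{"ts": 2, "session": "a1", "user": "alice", "event": "second_factor_ok"}
{"ts": 3, "session": "a1", "user": "alice", "event": "privileged_action", "detail": "user.create"}
{"ts": 4, "session": "b2", "user": "bob", "event": "password_ok"}
{"ts": 5, "session": "b2", "user": "bob", "event": "privileged_action", "detail": "config.write"}
{"ts": 6, "session": "b2", "user": "bob", "event": "second_factor_ok"}
{"ts": 7, "session": "c3", "user": "carol", "event": "privileged_action", "detail": "shell.open"}
not-json line from a rotated file
"""

REQUIRED = {"ts", "session", "event"}


def privileged_without_second_factor(log_text: str) -> list:
    """Return privileged actions taken before their session recorded a 2FA success."""
    events = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip damaged lines rather than abort the whole run
        if isinstance(ev, dict) and REQUIRED <= ev.keys():
            events.append(ev)

    verified = set()  # sessions that have passed the second factor so far
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "second_factor_ok":
            verified.add(ev["session"])
        elif ev["event"] == "privileged_action" and ev["session"] not in verified:
            # Covers both "2FA came later" (b2) and "no login events at all" (c3).
            findings.append((ev["session"], ev.get("user"), ev.get("detail")))
    return findings


if __name__ == "__main__":
    for finding in privileged_without_second_factor(SAMPLE_LOG):
        print("ALERT", finding)
```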
## The Silver Lining
Google's proactive discovery and disruption of this zero-day campaign is itself notable. The exploit never reached mass deployment because GTIG identified it, notified the vendor, and coordinated a fix. The same AI capabilities that write malicious code can also detect it, provided defenders have the visibility and tools to look.
This is the defining tension of modern cybersecurity. AI is a force multiplier for offense and defense alike, and the side that moves faster wins. The first AI-generated zero-day has arrived. It won't be the last.
Sources: Google Threat Intelligence Group, "GTIG AI Threat Tracker: Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access" (May 11, 2026); SecurityWeek; BleepingComputer; ESET research on PROMPTSPY.