Google: Hackers Leverage AI to Craft Zero-Day Exploit Targeting Web Admin Tool
**Google**'s Threat Intelligence Group (**GTIG**) reports that a zero-day exploit targeting a popular, unnamed open-source web administration tool was likely generated with the assistance of AI. This exploit could bypass two-factor authentication (2FA), highlighting the increasing reliance of threat actors on AI for vulnerability discovery and weaponization.
Researchers at **Google Threat Intelligence Group (GTIG)** have uncovered evidence suggesting that a zero-day exploit targeting a widely-used open-source web administration tool was likely developed using artificial intelligence. The exploit, designed to bypass two-factor authentication (2FA), was detected before it could be widely deployed.
### AI-Assisted Exploit Development
According to **GTIG**, the structure and content of the Python exploit code strongly suggest that an AI model was used to identify and weaponize the vulnerability. "For example, the script contains an abundance of educational docstrings, including a hallucinated **CVSS** score, and uses a structured, textbook Pythonic format highly characteristic of LLMs' training data," the report states.
The specific large language model (LLM) used remains unknown, but **Google** has ruled out the involvement of its own **Gemini** model.

Further evidence lies in the nature of the flaw itself: a high-level semantic logic bug, the kind of defect AI systems are particularly adept at identifying, whereas traditional methods such as fuzzing and static analysis typically surface memory corruption or input sanitization issues.
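The tells GTIG describes (a docstring on nearly every definition and a self-assigned CVSS score) can be turned into a simple static triage check for scripts recovered during incident response. The following is an added example written for this article, not GTIG's tooling; the heuristic, the thresholds and the sample script it scans are all constructed here.

```python
import ast
import re

# Matches a score claim such as "CVSS 9.8", "CVSS score: 7.5" or a v3.x vector prefix.
CVSS_RE = re.compile(r"CVSS[^0-9\n]{0,20}\d{1,2}(?:\.\d)?|CVSS:3\.\d/AV:", re.IGNORECASE)


def docstring_stats(source: str) -> dict:
    """Hypothetical triage heuristic: docstring coverage plus any CVSS score claims."""
    tree = ast.parse(source)
    # The module itself plus every function, async function and class body.
    nodes = [tree] + [n for n in ast.walk(tree)
                      if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef))]
    documented = sum(1 for n in nodes if ast.get_docstring(n))
    coverage = documented / len(nodes)
    cvss_claims = [m.group(0) for m in CVSS_RE.finditer(source)]
    return {
        "definitions": len(nodes),
        "documented": documented,
        "coverage": round(coverage, 2),
        "cvss_claims": cvss_claims,
        # Worth a human look: near-total docstring coverage and a self-assigned score.
        "review": coverage >= 0.8 and bool(cvss_claims),
    }


# Constructed sample in the style the report describes: every definition documented
# and a severity claimed in the header. The issue id and score are made up.
SAMPLE = '''\
"""Audit helper for hypothetical issue EXAMPLE-0001.

Severity: CVSS 9.8 (Critical)
"""
import sys

def load_config(path: str) -> dict:
    """Read the configuration file at ``path`` and return it as a dictionary."""
    return {"path": path}

def main() -> None:
    """Entry point: print the loaded configuration."""
    print(load_config(sys.argv[1]))
'''

if __name__ == "__main__":
    print(docstring_stats(SAMPLE))
```

A high score here is only a prompt for manual review; well-documented legitimate code will trip the coverage check too, which is why the CVSS claim is required before the sample is flagged.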
### Prompt Action and Mitigation
**Google** promptly notified the affected software developer, enabling them to take swift action to mitigate the threat and prevent widespread exploitation.
"For the first time, **GTIG** has identified a threat actor using a zero-day exploit that we believe was developed with AI," **GTIG** researchers emphasized.
### Broader Trend of AI in Cybercrime
This incident is not isolated. **Google** notes that Chinese and North Korean hacking groups, including **APT27**, **APT45**, **UNC2814**, **UNC5673**, and **UNC6201**, have been leveraging AI models for vulnerability discovery and exploit development, building upon trends observed earlier this year.
Russia-linked actors have also been observed using AI-generated decoy code to obfuscate malware such as **CANFAIL** and **LONGSTREAM**.

**Google** also highlighted "Overload," a Russian operation employing AI voice cloning to impersonate journalists in disinformation campaigns targeting Ukraine.
The **PromptSpy** backdoor for **Android**, documented by **ESET**, was also mentioned for its integration with **Gemini** APIs, enabling autonomous device interaction. This malware uses a "GeminiAutomationAgent" module with a hardcoded prompt to bypass safety features and calculate UI geometry for automated device interaction, including replaying authentication patterns or PINs.
Threat actors are increasingly industrializing access to premium AI models through automated account creation, proxy relays, and account-pooling infrastructure, according to **Google**.