The race to weaponize AI is not coming—it has already started.
A threshold has been crossed in the long contest between digital offense and defense: Google's threat intelligence team has documented the first zero-day exploit bearing the unmistakable signatures of AI-generated code, confirming that state and criminal actors from China, North Korea, and Russia have moved from experimenting with generative AI to deploying it as a routine instrument of attack. What was once a theoretical warning has become an operational reality, as adversaries now wield AI to accelerate exploit development, automate reconnaissance, and sustain intrusions at a scale and speed that outpaces traditional human-driven methods. The deeper implication is not merely that AI is being used as a weapon, but that AI systems themselves have become targets — a recursion that places the technology at the center of both the threat and the defense.
- Google has confirmed the first zero-day exploit developed with AI assistance, targeting a widely used web administration tool and bearing telltale signs of machine-generated code — educational comments, a hallucinated severity score, and suspiciously tidy structure.
- State-linked groups are no longer experimenting: North Korea's APT45 is validating thousands of exploits with AI, Chinese actors are using agentic tools to probe foreign companies for weaknesses, and Russian groups are embedding AI-generated decoy logic into malware campaigns against Ukraine.
- A new generation of agentic attack tools — OpenClaw, Hexstrike, Strix — can conduct reconnaissance, switch attack vectors, and verify vulnerabilities across large target sets with minimal human oversight, making sustained intrusion campaigns dramatically cheaper to run.
- Threat actors are quietly building hidden infrastructure to access premium AI models at scale, automating account creation, cycling credentials, and combining access across multiple providers to fuel operations beneath platform detection thresholds.
- The supply chain itself is now a vector: attackers have compromised repositories tied to AI tooling like LiteLLM, stealing credentials from build environments in moves that could grant access to internal AI systems — turning defenders' own tools into entry points.
Google's threat intelligence team has documented what it believes is the first zero-day exploit developed with AI assistance — a flaw in a widely used open-source web administration tool that allowed attackers to bypass two-factor authentication. The payload carried the fingerprints of machine-generated code: educational comments embedded in the exploit, a hallucinated severity score, and the clean, almost textbook structure of its Python implementation. Google worked with the developer to patch the vulnerability before it could be weaponized at scale, and errors in the attackers' own implementation appear to have blunted its effectiveness. But the threshold has been crossed.
John Hultquist, chief analyst at Google's Threat Intelligence Group, was direct: the race to weaponize AI has already begun. For every AI-assisted exploit that researchers can trace and attribute, he suggested, many more are likely operating undetected. State actors from China, North Korea, and Russia have moved beyond general experimentation into specialized, operational use. North Korea's APT45 has used AI to validate thousands of exploits. Chinese-linked groups have deployed agentic tools to probe foreign technology companies for weaknesses and built fleet management applications that may have concealed the origin of intrusion traffic. Russian actors have woven AI-generated decoy logic into malware families targeting Ukrainian organizations and used AI to generate or manipulate media for information warfare.
A new class of threat has emerged alongside these state operations: agentic systems capable of conducting reconnaissance, testing vulnerabilities, and validating attacks across large target sets with minimal human oversight. Tools like OpenClaw, Hexstrike, and Strix can maintain context across tasks and switch between attack vectors — making long-running, large-scale campaigns far easier to keep going and harder to interrupt.
One striking case involved PROMPTSPY, an Android backdoor that weaponizes Google's own Gemini API to interpret a device's interface and issue commands, including replays of biometric authentication gestures. The malware could resist removal by placing an invisible overlay over the uninstall button. Google disabled associated assets and found no infected apps on Google Play, but the existence of PROMPTSPY signals something larger: AI systems have themselves become targets for weaponization.
Threat actors are also building concealed infrastructure to access premium AI models at scale, automating account creation and cycling credentials across providers including Google, Anthropic, and OpenAI. More troubling still, attackers have begun targeting the AI software supply chain directly — compromising repositories linked to tools like LiteLLM to steal cloud credentials from build environments. Such access could open doors not only to corporate systems but to internal AI tools that could then be turned against their owners. The report's central finding is unambiguous: adversaries now treat AI as both weapon and target, and the shift from trial deployments to routine operational use has already occurred.
Google's threat intelligence team has documented what it believes is the first zero-day exploit developed with artificial intelligence assistance—a vulnerability in a widely used open-source web administration tool that allowed attackers to bypass two-factor authentication. The flaw required valid credentials to exploit, but the discovery marks a threshold moment in cybersecurity: the shift from theoretical concern about AI-powered attacks to documented, operational reality.
The exploit bore the fingerprints of machine-generated code. Educational comments scattered through the payload, a hallucinated CVSS severity score, and the tidy, almost textbook structure of the Python implementation all pointed to AI involvement. Google's Threat Intelligence Group worked with the software developer to patch the vulnerability before it could be weaponized at scale, and mistakes in the attackers' implementation appear to have further limited its effectiveness. But the core finding stands: criminal and state-backed actors from China, North Korea, and Russia are no longer experimenting with generative AI in their operations. They are deploying it.
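The "hallucinated CVSS score" fingerprint can be turned into a triage check. The following is an added analyst example, not code from Google's report or from the exploit: a CVSS v3.1 base-score calculator that scans source comments for a vector string followed by a stated score and flags any score that cannot be derived from its own vector (or any vector that does not parse). It assumes the annotation places the score after the vector; the sample comment lines are constructed.

```python
import math
import re

# CVSS v3.1 base-metric weights (from the FIRST.org v3.1 specification).
_W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "UI": {"N": 0.85, "R": 0.62},
    "C": {"H": 0.56, "L": 0.22, "N": 0.0},
}
_W["I"] = _W["A"] = _W["C"]  # C, I and A share one weight table
_PR = {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.5)}  # (scope U, scope C)

def _roundup(x):
    """Round up to one decimal exactly as the v3.1 spec defines it."""
    i = round(x * 100000)
    return i / 100000 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10

def cvss31_base_score(vector):
    """Base score for a 'CVSS:3.1/AV:../A:..' vector string."""
    m = dict(part.split(":") for part in vector.split("/")[1:])
    changed = m["S"] == "C"
    iss = 1 - (1 - _W["C"][m["C"]]) * (1 - _W["I"][m["I"]]) * (1 - _W["A"][m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    expl = 8.22 * _W["AV"][m["AV"]] * _W["AC"][m["AC"]] * _PR[m["PR"]][changed] * _W["UI"][m["UI"]]
    if impact <= 0:
        return 0.0
    return _roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))

# A v3.1 vector followed (within 40 non-digit characters) by a numeric score.
_CLAIM = re.compile(r"(CVSS:3\.1/[A-Z:/]+)\D{0,40}?(\d{1,2}(?:\.\d)?)")

def find_inconsistent_cvss(source):
    """Return (vector, claimed, computed) for each CVSS claim whose stated score
    does not follow from its vector; an unparsable vector gets computed=None."""
    findings = []
    for vector, claimed in _CLAIM.findall(source):
        try:
            computed = cvss31_base_score(vector)
        except (KeyError, ValueError):  # truncated or malformed vector
            computed = None
        if computed is None or abs(float(claimed) - computed) > 0.05:
            findings.append((vector, float(claimed), computed))
    return findings

# Constructed sample comment lines imitating an LLM-style "severity" annotation;
# the second score does not follow from its vector (PR:L yields 8.8, not 9.8).
SAMPLE = ("# Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H -> 9.8 (Critical)\n"
          "# Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H -> 9.8 (Critical)\n")
```

A mismatch is an indicator to weigh alongside the other fingerprints, not proof on its own; human authors also copy scores carelessly.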
John Hultquist, chief analyst at Google Threat Intelligence Group, framed the shift bluntly: the race to weaponize AI is not coming—it has already started. For every AI-assisted zero-day that security researchers can trace and attribute, he said, there are likely many more operating undetected. Threat actors are using these tools to accelerate the speed and scale of their attacks, to test operations against targets, to build more sophisticated malware, and to persist in networks longer. State actors have shown particular appetite for the technology, but criminal groups—with their history of broad, aggressive campaigns—pose an equally serious threat.
State-linked groups have moved beyond general experimentation into specialized applications. APT45, a North Korean actor, has used AI to validate thousands of exploits and expand its arsenal of attack tools. Chinese-linked groups including APT27 have deployed AI to support infrastructure development and concealment, using it to build fleet management applications that may have underpinned relay networks designed to hide the origin of intrusion traffic. Russian-linked actors have integrated AI-assisted malware into campaigns against Ukrainian organizations, embedding large volumes of decoy logic into code families like CANFAIL and LONGSTREAM. Other Russian operations have leveraged AI to generate or alter media for information warfare.
A new class of threat has emerged: agentic systems that can carry out reconnaissance, vulnerability testing, and attack validation with minimal human oversight. Tools like OpenClaw, Hexstrike, and Strix maintain context across multiple tasks, switch between different attack vectors, and verify vulnerabilities with limited intervention. Google observed a China-linked actor using these systems to probe a Japanese technology company for weaknesses, demonstrating how agentic tools make large-scale reconnaissance sustainable and difficult to interrupt.
One particularly striking example involved PROMPTSPY, an Android backdoor that weaponizes Google's Gemini API to interpret a device's user interface and issue commands—clicks, swipes, and even replays of biometric authentication gestures. The malware could resist removal by placing an invisible overlay on top of the uninstall button. Google disabled associated assets and found no infected apps on Google Play, though the existence of PROMPTSPY underscores how AI systems themselves have become targets for weaponization.
Threat actors are also working to secure scalable, concealed access to premium AI models. Chinese-linked clusters including UNC6201 and UNC5673 have deployed tooling that automates premium account creation, bypasses CAPTCHA challenges, and cycles through accounts to avoid billing limits and platform restrictions. Some groups use relay services to combine access to multiple accounts from Google, Anthropic, and OpenAI, creating a hidden infrastructure for AI-powered operations.
Perhaps most concerning is the shift toward targeting AI systems themselves through the wider software supply chain. Attackers have compromised repositories and packages linked to tools like LiteLLM, stealing cloud credentials and tokens from build environments. Similar attacks on AI-related dependencies could grant intruders access not only to traditional corporate systems but to internal AI tools and models—which could then be repurposed for reconnaissance, data theft, or follow-on attacks. Google uses its own AI systems to detect vulnerabilities and patch code, feeding findings from malicious activity back into product safety work. But the report's central message is unambiguous: adversaries now treat AI as both a weapon and a target, and the transition from trial deployments to routine operational use has already occurred.
Notable Quotes
For every zero-day we can trace back to AI, there are probably many more out there. State actors are taking advantage of this technology, but the criminal threat shouldn't be underestimated.
— John Hultquist, chief analyst at Google Threat Intelligence Group
The Hearth Conversation
Another angle on the story
When Google says this is the first AI-assisted zero-day they've traced, what does that actually mean? How do they know it was AI and not just a human writing sloppy code?
The code had signatures—educational comments, a hallucinated CVSS score, structural patterns that are characteristic of large language model output. It's not a fingerprint that proves AI involvement beyond doubt, but it's enough to say this one almost certainly was. The real point is that for every one they can trace, there are probably many more they can't.
So these state actors—APT45, APT27—they're not just using AI to write malware. What else are they doing?
They're using it to validate exploits at scale, to build infrastructure that hides their tracks, to generate convincing fake media for information operations. APT45 alone used AI to validate thousands of exploits. That's not experimentation anymore. That's operational deployment.
The agentic tools—OpenClaw, Hexstrike—those sound different from just using ChatGPT to write code. What makes them dangerous?
They can maintain context, switch between tools, verify vulnerabilities, all with minimal human oversight. A human attacker has to be awake, has to make decisions. An agentic system can probe a target continuously, learning as it goes. That's reconnaissance at a scale that's hard to detect and harder to stop.
What about the supply chain angle? Why does it matter if attackers compromise LiteLLM or other AI tools?
Because those tools sit between attackers and the models they want to use. If you compromise the dependency, you get access to the credentials and tokens flowing through it. That gives you a backdoor not just to corporate systems but to the internal AI tools companies are building. You're not attacking the frontier model—you're attacking the infrastructure around it.
Is Google saying this is inevitable, or is there something defenders can actually do?
They're saying the race has started and we're already behind. But they're also using their own AI to detect vulnerabilities and patch code. The message isn't hopelessness—it's that this is now a permanent part of the threat landscape. You have to assume adversaries have access to AI, and you have to build defenses accordingly.