First AI-crafted zero-day exploit thwarted. PROMPTSPY automates Android attacks. Supply chain risks hit AI gateways. Essential defense insights.

Continue reading
The Google Threat Intelligence Group (GTIG) has documented a definitive evolution from experimental AI usage to industrial-scale adversarial operations. For the first time, a criminal threat actor developed a zero-day exploit using artificial intelligence—a two-factor authentication bypass in a popular open-source system administration tool—with the intention of mass exploitation.
Proactive counter‑discovery by GTIG prevented its deployment, but the event confirms that AI‑generated exploits are no longer theoretical. Concurrently, state‑sponsored actors from the People’s Republic of China, the Democratic People’s Republic of Korea, and Russia are systematically leveraging large language models for vulnerability discovery, polymorphic malware creation, and autonomous attack orchestration.
Traditional vulnerability scanners and fuzzers excel at detecting memory corruption and input sanitization errors, but they struggle with high‑level semantic logic flaws. Frontier LLMs, by contrast, demonstrate an increasing ability to perform contextual reasoning—effectively reading a developer’s intent to correlate enforcement logic with hardcoded exceptions. The AI‑generated zero‑day exploit discovered by GTIG contained a hallucinated CVSS score and textbook Pythonic formatting, hallmarks of LLM output. This vulnerability stemmed not from a common coding mistake but from a hardcoded trust assumption that the LLM was able to identify.
State‑sponsored actors have adopted sophisticated approaches to AI‑augmented vulnerability research. The PRC‑affiliated threat actor UNC2814 used persona‑driven jailbreaking, directing the model to act as a senior C/C++ binary security expert to audit TP‑Link firmware and Odette File Transfer Protocol implementations.
Meanwhile, APT45, a DPRK‑nexus actor, automated its research by sending thousands of recursive prompts to analyze different CVEs and validate proof‑of‑concept exploits using agentic frameworks such as OpenClaw and OneClaw. These techniques allow adversaries to scale vulnerability discovery with minimal human oversight.
Among the most technically sophisticated threats detailed in the GTIG report is PROMPTSPY, an Android backdoor that uses the Gemini API to perform autonomous device interaction. Unlike conventional malware that relies on hardcoded commands or human operators, PROMPTSPY contains an autonomous agent module named `GeminiAutomationAgent`. This module serializes the victim device’s visible user interface hierarchy into an XML‑like format via the Accessibility API and sends it to the `gemini-2.5-flash-lite` model through an HTTP POST request in JSON mode. The LLM calculates the geometry of the targeted interface bounds and returns structured commands—such as CLICK or SWIPE—which the malware parses to simulate physical gestures.
To maintain persistence, PROMPTSPY employs a novel multi‑layered defense. If the victim attempts to uninstall the backdoor, its `AppProtectionDetector` module identifies the on‑screen coordinates of the “Uninstall” button and renders an invisible overlay that silently intercepts touch events, making the button appear unresponsive. The malware can also capture biometric data, replaying authentication gestures to regain access for follow‑on exploitation.
Critical components, including Gemini API keys and the VNC relay server, can be updated dynamically via the command‑and‑control channel, ensuring operational resilience even when specific infrastructure endpoints are blocked. Google has disabled the assets associated with this activity, and Google Play Protect automatically protects Android users against known versions of PROMPTSPY. For further guidance on securing Android environments, refer to the Android Security Bulletin.
Adversaries are increasingly using LLMs to generate decoy logic and just‑in‑time code modifications that evade static signature‑based detection. GTIG has tracked multiple malware families with LLM‑enabled obfuscation capabilities. For example, CANFAIL, associated with Russia‑nexus intrusion activity targeting Ukrainian organizations, contains developer comments that explicitly describe certain blocks of code as unused filler content—likely generated at the threat actor’s request to camouflage malicious functionality.
Similarly, LONGSTREAM incorporates large volumes of coherent but inactive code, such as thirty‑two instances of queries checking the system’s daylight saving status, to appear benign. Another family, HONESTCUE, interacts with the Gemini API to request specific VBScript obfuscation techniques for just‑in‑time self‑modification. These AI‑augmented development cycles accelerate the creation of obfuscation networks and polymorphic malware, enabling threat actors to stay ahead of traditional signature‑based defenses.
The cyber crime threat actor TeamPCP, also tracked as UNC6780, has demonstrated that AI software ecosystems are now primary targets for supply chain compromise. TeamPCP gained initial access through compromised PyPI packages and malicious pull requests to popular GitHub repositories, including those associated with LiteLLM (an AI gateway utility for integrating multiple LLM providers), Trivy, and Checkmarx.
The actor embedded the SANDCLOCK credential stealer to extract high‑value cloud secrets such as AWS keys and GitHub tokens directly from build environments, later monetizing those credentials through partnerships with ransomware and data theft extortion groups.
This attack vector aligns with two risks outlined in Google’s Secure AI Framework (SAIF) taxonomy: Insecure Integrated Component (IIC), where compromised external dependencies undermine the system, and Rogue Actions (RA), where an attacker exploits an AI system’s elevated permissions to execute unauthorized commands.
The compromise of LiteLLM is particularly noteworthy because the package is widely used; exposure of AI API secrets from affected victims could grant attackers access to internal models for reconnaissance, data exfiltration, or deeper network pivoting. To understand how to mitigate such supply chain risks, review the Secure AI Framework by Google.
Beyond direct attacks on AI systems, threat actors have professionalized the procurement of anonymized, premium‑tier access to LLMs. GTIG has observed an emerging ecosystem of custom middleware, proxy relays, and automated registration pipelines designed to bypass safety guardrails and billing constraints. PRC‑nexus clusters such as UNC6201 and UNC5673 use publicly available tools like `Claude-Relay-Service` and `CLI-Proxy-API` to aggregate multiple Gemini, Claude, and OpenAI accounts, enabling account pooling and cost‑sharing.
They combine these with auto‑registration scripts that handle CAPTCHA bypass and SMS verification, effectively industrializing their adversarial workflows while subsidizing operations through trial abuse and programmatic account cycling. Anti‑detection browsers like Roxy Browser further mask hardware fingerprints to evade platform bans.
Google is not merely tracking these threats—it is actively countering them with AI‑powered defense. The Big Sleep AI agent, developed by Google DeepMind and Project Zero, autonomously searches for unknown software vulnerabilities. It has already discovered a real‑world security vulnerability and assisted in finding another that was imminently going to be used by threat actors, allowing GTIG to cut it off beforehand.
Complementing this, CodeMender uses the advanced reasoning capabilities of Gemini models to automatically fix critical code vulnerabilities. These initiatives prove that AI can be as powerful a tool for defenders as it is for adversaries.
Google also collaborates with industry partners through the Coalition for Secure AI (CoSAI) and integrates automated security scanning into platforms like OpenClaw’s ClawHub marketplace, where every skill is analyzed using VirusTotal’s Code Insight capability. For a deeper understanding of how to red team AI models against indirect prompt injection and other emerging threats, explore the research from Google DeepMind.
The findings from the Google Threat Intelligence Group demand immediate updates to organizational threat models. Security leaders must assume that adversaries can generate logic‑flaw zero‑days using LLMs and therefore shift from signature‑based detection to behavioral and semantic code analysis. AI supply chains must be hardened by scanning all dependencies—including OpenClaw skills, LiteLLM, and other AI gateway utilities—with automated tools.
Anomaly detection for LLM API usage, such as recursive prompts or JSON‑mode spatial requests, should be implemented alongside rate‑limiting and behavioral analytics on API keys. Finally, adopting proactive AI agents like Big Sleep can help organizations find and patch vulnerabilities before adversaries weaponize them. The arms race has accelerated, but as GTIG confirms, the same technology that enables attackers can become the defender’s most powerful asset.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.