AI-generated zero-days and autonomous malware reach the wild
Google's May 2026 threat report documents the first zero-day an attacker built with AI, plus malware that calls a model at runtime to decide its next move.
What is this?
On May 11, 2026, Google Threat Intelligence Group (GTIG) published its latest AI Threat Tracker, a follow-up to its February 2026 report drawing on Mandiant incident response, Gemini abuse telemetry, and GTIG’s own research. Two findings stand out. First, GTIG says it observed — for the first time — a threat actor successfully using AI to both discover and weaponize a zero-day vulnerability. Second, it details malware that no longer ships its logic as static code but queries a language model at runtime to decide what to do next.
The report frames this as a transition “from nascent AI-enabled operations to the industrial-scale application of generative models within adversarial workflows.” For defenders, the useful signal is not panic but specificity: the report shows exactly how attackers are wiring models into their tooling, which is what tells you where to look.
How it works
The zero-day case involved criminal actors preparing a mass-exploitation operation. According to GTIG, an AI model was likely used to identify a flaw and produce a Python script that bypasses two-factor authentication on a popular open-source, web-based system administration tool. GTIG worked with the vendor to disclose and patch the flaw before the campaign launched. Notably, the report says neither Gemini nor Anthropic’s Mythos-class model was the model the attacker used.
What makes this worth studying is the forensic tell. GTIG assessed the exploit as AI-generated because of stylistic fingerprints in the code: an abundance of educational docstrings, a clean textbook-Pythonic structure with detailed help menus, and — the giveaway — a hallucinated CVSS score baked into the script. A human exploit developer does not invent a severity rating for their own zero-day; a model trained on vulnerability write-ups does, because that is what the surrounding text usually contains.
The autonomous-malware case is the Android backdoor GTIG tracks as PROMPTSPY. It contains a module named “GeminiAutomationAgent” that runs a hardcoded prompt with a benign persona. At runtime the malware serializes the device’s visible UI hierarchy into an XML-like format via the Accessibility API, sends it to the gemini-2.5-flash-lite model over an HTTP POST in JSON mode, and receives a structured JSON response that dictates its next actions toward a supplied goal. The model becomes the command-and-control brain, interpreting live device state instead of following a fixed script. GTIG documents related evasive families (PROMPTFLUX, HONESTCUE) that use models to dynamically modify or obfuscate themselves, linked to suspected Russia-nexus actors.
The report also catalogs supporting behavior: PRC- and DPRK-linked actors using expert-persona prompting — one cluster directed a model to act as a “senior security auditor” or “C/C++ binary security expert” to research embedded-device targets — and experimentation with a repository packaged as a coding-agent skill plugin bundling a distilled knowledge base of more than 85,000 real-world vulnerability cases. Rounding it out: obfuscated premium-model access through middleware and account-cycling, and the pro-Russia influence operation “Operation Overload” generating synthetic media at scale.
Why it matters
The single most useful line comes from GTIG chief analyst John Hultquist: “There’s a misconception that the AI vulnerability race is imminent. The reality is that it’s already begun. For every zero-day we can trace back to AI, there are probably many more out there.”
Two shifts matter for defenders. The zero-day finding compresses the timeline from “a model can suggest exploit ideas” to “a model produced a working, weaponized exploit that reached an operational plan.” The autonomous-malware finding breaks a long-standing detection assumption: static analysis and signatures work partly because malware carries its logic with it. When the logic lives in a hosted model and arrives as JSON at runtime, the sample on disk is thinner and its behavior is decided elsewhere — and can change between runs.
None of this means AI has produced a new class of unstoppable attack. The 2FA-bypass campaign was caught and shut down before use, and the most common adversarial use of models remains mundane research and troubleshooting. The point is directional: AI lowers the barrier and raises the speed, so the marginal attacker gets more capable.
Defenses
The encouraging half of the report is that the same capabilities cut both ways. Google notes it uses AI agents such as Big Sleep to find vulnerabilities and CodeMender to help fix them automatically, and its proactive discovery is what disrupted the zero-day campaign. Defenders should treat AI-assisted vulnerability research and patch generation as table stakes, not novelty.
Against runtime-reasoning malware like PROMPTSPY, the model endpoint is the choke point. Because the backdoor depends on reaching a hosted model to receive instructions, egress control matters: monitor and restrict outbound connections to model APIs from endpoints that have no business making them, and treat unexpected Accessibility-API usage plus outbound LLM calls as a high-signal combination. The C2 traffic is model-shaped — JSON goal/response exchanges — which gives detection engineering something concrete to hunt for.
Against AI-generated exploit code, the hallucinated-CVSS tell generalizes: LLM-authored artifacts carry stylistic residue (over-commented docstrings, textbook structure, fabricated metadata). These are weak signals individually but useful in triage, and worth capturing as detection heuristics rather than dismissing. More broadly, treat model providers’ abuse-mitigation as part of your supply chain: obfuscated premium-access middleware exists precisely to defeat provider-side controls, so account-abuse signals from vendors are threat intelligence you can act on.
Finally, the state-actor persona-prompting details are a reminder that “expert persona” jailbreaks remain a live technique against assistant models; hardening tool-integrated coding agents against this framing is the same defensive work that protects legitimate users.
Status
This is a threat-intelligence report describing observed adversary behavior, not a single product vulnerability with an assigned identifier. The AI-developed zero-day was responsibly disclosed and patched before deployment; GTIG did not name the affected administration tool.
| Item | Detail |
|---|---|
| Source | Google Threat Intelligence Group, “GTIG AI Threat Tracker” |
| Published | May 11, 2026 (follows the February 2026 GTIG report) |
| Headline finding | First observed case of an attacker using AI to discover and weaponize a zero-day |
| Target of zero-day | 2FA bypass in a popular open-source web-based system administration tool (undisclosed) |
| AI-generation tells | Educational docstrings, textbook Pythonic structure, hallucinated CVSS score |
| Autonomous malware | PROMPTSPY (Android) — “GeminiAutomationAgent” module driving actions via gemini-2.5-flash-lite at runtime |
| Evasive families | PROMPTFLUX, HONESTCUE (dynamic self-modification, suspected Russia-nexus) |
| Defender tooling cited | Big Sleep (vulnerability discovery), CodeMender (automated fixing) |
Both sources are within the last 90 days. The takeaway is measured but real: AI is now both a weapon and a target in live operations, and the most durable defenses — egress control, provider abuse signals, AI-assisted patching, and hardening assistants against persona jailbreaks — are extensions of practices defenders already know, applied to a faster adversary.