AI Built the First Zero-Day That Bypasses 2FA: Inside Google's Interception of a Mass Attack

An AI-built zero-day exploit uses a large language model to perform the work that previously required a skilled vulnerability researcher: reviewing source code, identifying logic flaws, constructing a proof-of-concept, and packaging it into a deployable script. The process compresses what once took specialists weeks into hours.

In the case GTIG documented, the targeted flaw was a semantic logic vulnerability, not a memory-corruption bug. Developers had embedded a hard-coded trust assumption into the authentication handler: under a specific code path, the application skipped the 2FA verification step when a particular session condition was present. A human auditor might spend days reading authentication logic looking for this kind of exception. An LLM prompted to review the codebase as a senior security auditor can traverse the entire code graph and flag trust assumption shortcuts in a single session.

The resulting Python script contained a structured argument parser, clean ANSI color output, and step-by-step docstrings explaining each phase of the bypass. These artifacts are consistent with LLM output but atypical for human-written exploits. Human exploit authors write terse, functional code. LLMs produce educational code with explanations, as if teaching a student the technique.

The flaw required valid credentials as a prerequisite. The attacker's operational plan involved an earlier credential acquisition phase followed by mass 2FA bypass across every reachable installation. Google assessed the threat actor was targeting a broad user population, not a single victim.

This is the operational pattern that makes AI-built zero-day exploits uniquely dangerous: AI lowers the skill floor for zero-day discovery while human operators retain full control over targeting scale.

Google identified four specific markers that attributed the exploit script to LLM generation with high confidence.

First, the script contained educational docstrings. Human exploit authors do not document their code for readability. Every function in the script included multi-line explanations written in the instructional tone of a code tutorial.

Second, the script included a hallucinated CVSS score. No published advisory had assigned a score to this vulnerability because the flaw had not yet been disclosed. The AI fabricated a plausible score and embedded it in the code comments -- a behavior characteristic of LLMs filling in expected fields rather than drawing from authoritative sources.

Third, the codebase followed textbook Pythonic structure. Clean formatting conventions, consistent import ordering, and descriptive variable names match the style patterns dominant in LLM training data. Human-written exploits in the wild are typically written for speed and disposability, not readability.

Fourth, the script included detailed help menus and clean ANSI color classes. These features improve user experience but add no exploitation capability. An LLM prompted to build a functional tool includes them automatically. A human building an attack script does not.

These fingerprints will not remain reliable detection signals for long. Adversaries who read the GTIG report will strip docstrings and introduce intentional style noise to defeat signature-based attribution. The real detection value here is confirmation that AI-generated exploit development is happening today, not as a future scenario.

The criminal group behind the 2FA bypass was not the only actor observed by GTIG using AI for vulnerability exploitation. Four nation-state nexus clusters are now confirmed to be integrating AI models into their offensive research workflows at scale.

APT45 is a North Korean state-sponsored group focused on financial theft and weapons program data acquisition. GTIG analysts observed APT45 sending thousands of repetitive prompts to AI models, recursively analyzing CVEs and validating proof-of-concept exploits. The workflow functions as a force multiplier: instead of one analyst reviewing a CVE manually, APT45 runs parallel AI sessions across its full target CVE list, filtering for exploitable candidates and enriching each with automated PoC validation.

UNC2814, a China-nexus intrusion set, used a persona-driven jailbreak technique to direct an AI model to act as a senior security auditor specializing in C/C++ binary security for firmware vulnerability research. GTIG documented UNC2814 analyzing TP-Link firmware and OFTP protocol implementations using this approach, targeting the embedded device attack surface.

APT27, another China-linked group, leveraged AI tools to accelerate development of fleet management applications used to coordinate Operational Relay Box (ORB) networks -- the proxy infrastructure APT27 uses to disguise attack attribution.

Russia-nexus threat actors embedded AI-generated code in CANFAIL and LONGSTREAM malware. The AI-generated segments serve as decoy logic: non-functional code realistic enough to consume analyst time during reverse engineering. LONGSTREAM embedded 32 repetitive daylight saving time queries as camouflage.

Defenders face AI at every point in the kill chain. Read the analysis of HONESTCUE, the first malware confirmed to use live Gemini API calls for operational decisions.

Beyond vulnerability discovery, GTIG documented AI integration directly inside deployed malware. PROMPTSPY is an Android backdoor that uses the Gemini 2.5 Flash Lite model as its operational decision engine. The malware serializes the Android UI hierarchy via the Accessibility API, sends it to Google's Generative Language API endpoint via HTTP POST in JSON mode, then parses the model's structured response to determine which screen elements to interact with through simulated gestures.

In practice, PROMPTSPY lets an attacker control a victim's Android device by describing objectives in natural language rather than writing hardcoded automation scripts. The malware can capture biometric authentication data and replay it, persist through Firebase Cloud Messaging, and execute commands without continuous human supervision. This is what Google researchers described as the transition from nascent AI-enabled operations to industrial-scale application of generative models within adversarial workflows.

TeamPCP, tracked as UNC6780, combined AI capabilities with supply chain compromise in March 2026. The group embedded the SANDCLOCK credential stealer inside malicious pull requests to the LiteLLM open-source project, targeting development environments that use the package to route API calls across AI providers. Extracted AWS keys and GitHub tokens were monetized through ransomware partnerships.

The supply chain angle matters: organizations that deploy AI tooling without vetting the software supply chain of those tools are expanding their attack surface. Every AI development library, API aggregator, and CLI wrapper in your environment is a potential insertion point for adversary code.

Every organization running open-source web administration tools, using AI development tooling, or relying on 2FA as a primary authentication control sits in this week's risk population. The shift is not about victim sophistication. It is about the scale at which AI enables attackers to identify and exploit vulnerabilities across all targets simultaneously.

Palo Alto Networks technology chief Lee Klarich issued a specific timeline in May 2026: "We now estimate a narrow three-to-five-month window for organizations to outpace the adversary before AI-driven exploits start to become the new norm." That window closes before Q3 2026.

Three specific risk factors elevate exposure. Organizations running open-source administration tools on internet-facing infrastructure face the highest immediate risk. The 2FA bypass Google documented was designed for mass exploitation of exactly this class of software.

Development environments that use LLM API aggregators -- including LiteLLM-based routing infrastructure -- are targets for supply chain compromise following the TeamPCP/UNC6780 attack pattern documented in March 2026.

Enterprises that rely on 2FA without monitoring for bypass conditions face an authentication control that adversaries are now specifically engineering AI to defeat. The FBI reported a 312% spike in AI-assisted cybercrime targeting US citizens between 2024 and 2026, with the average cost of an AI-enhanced breach exceeding $5.2 million.

Sector targeting mirrors existing APT priorities: financial services, critical infrastructure, defense industrial base, and organizations with access to high-value credentials or intellectual property. For a parallel view of how AI is accelerating ransomware group operations, see the SLOPOLY AI-generated malware breakdown.

Detecting AI-built exploits before execution requires moving earlier in the attack lifecycle than traditional endpoint detection provides. By the time an exploit runs on a system, the pre-deployment detection window has closed.

Audit open-source tool authentication logic for hard-coded trust exceptions. Any code path that short-circuits 2FA under conditional logic -- particularly session-based or environment-based overrides added for developer convenience -- is a priority review target.

Monitor for abnormal outbound connections to AI provider APIs from non-developer endpoints. Legitimate Gemini API access should originate from designated development systems. Traffic from production servers, operational workstations, or managed mobile devices may indicate AI-integrated malware following the PROMPTSPY pattern.

Audit AI development libraries and API aggregators in your software supply chain. Specifically review LiteLLM, Claude-Relay-Service, CLIProxyAPI, and similar tools for unauthorized pull requests, unexpected dependency updates, or anomalous credential access events following the TeamPCP model.

Implement behavioral monitoring on 2FA systems. Log and alert on authentication attempts that succeed without completing the expected verification flow, including cases where session tokens are issued without the normal 2FA sequence.

Hunt for AI code artifacts when analyzing unknown scripts. Flag files with educational docstrings, hallucinated CVE or CVSS references, and unusually clean Pythonic formatting -- these are indicators of LLM-generated exploit code.

Block known AI aggregation tools at the network perimeter, including CLIProxyAPI, OmniRoute, and Roxy Browser, which threat actors use to pool LLM access and evade usage-limit detection.

The Google GTIG finding is not a proof-of-concept warning about a hypothetical future threat. It is a confirmed incident from this week: a working zero-day exploit was built by AI, packaged for mass deployment, and intercepted before it caused widespread damage. The next one may not be intercepted.

The strategic implication is a permanent compression of the defender's response window. When AI reduces zero-day discovery from weeks to hours and exploit packaging from days to minutes, the window between a vulnerability existing and an exploit being deployed contracts sharply. Patch cycles measured in weeks are already insufficient for this threat model.

AI-powered attacks are 40 times more effective than conventional cyberattacks, according to CISA's 2026 assessment. That figure reflects cumulative acceleration across reconnaissance, exploitation, lateral movement, and persistence -- not any single capability.

Security teams that treat AI-assisted exploitation as an emerging threat to monitor in future quarters are already behind schedule. The three-to-five-month window Palo Alto Networks describes assumes defenders act immediately. Prioritize authentication hardening, AI tooling supply chain auditing, and early-warning monitoring specifically designed to detect AI-assisted exploitation activity before the window closes.