Google described what they found as a 'zero-day' vulnerability. A zero-day is a hole in software that the makers don't even know about yet. Because of this, they have had zero days to fix it.
Google said it told the company that makes the software about the problem. They worked together to release a fix. Google also said it does not believe its own Gemini AI model was used by the criminals.
Google's Threat Intelligence Group, known as GTIG, disclosed on Monday, May 11, 2026, what it described as the first publicly documented case of a criminal hacking group using a large language model to develop an end-to-end zero-day exploit. The team said it had 'high confidence' that the unnamed group had been using an AI assistant to find, write and weaponize a software flaw, then prepared to deploy the resulting exploit at scale.
According to the GTIG report, the vulnerability lived in a Python script bundled with an open-source web-based system administration tool widely used by small and medium-sized businesses. The script handled the two-factor authentication step, and the AI-generated exploit allowed attackers to bypass the second factor entirely, granting full administrative access. Google said it does not believe its homegrown Gemini model was used; analysts at Bloomberg and BleepingComputer have suggested an open-weight model marketed under the name 'OpenClaw' may have been involved.
Google worked with the impacted vendor to coordinate responsible disclosure and shipped an emergency patch before the threat actor could trigger the mass-exploitation operation. The patch is now available, and Google has published indicators of compromise so that defenders worldwide can scan for any prior probing.
The case has rattled the cybersecurity community. For more than a year, researchers had warned that frontier-grade AI assistants could shorten the cycle from vulnerability discovery to operational malware from weeks to hours. Until now, public evidence had been limited to academic demonstrations and small-scale criminal experimentation. Google's report signals that the era of fully AI-assisted cybercrime has now arrived, and it has reignited debate over export controls, model-access licensing and the responsibilities of model providers when their tools are misused.
Google's Threat Intelligence Group on Monday, May 11, 2026, published what it characterized as the first publicly documented operational case of a criminal threat actor using a frontier large language model to construct and weaponize a previously unknown software vulnerability, and to stage that vulnerability for what GTIG bluntly called a 'mass exploitation event.' The disclosure, reported by Bloomberg, the Washington Post and CNBC, described the attack chain as fully AI-assisted, with the model handling reconnaissance, exploit drafting, and operational obfuscation under a now-classified codename Google has internally labeled 'Mythos.'
The vulnerability, a two-factor-authentication bypass embedded in a Python script that ships with a popular open-source web-based system-administration suite, allowed an attacker to retrieve full administrative access without triggering any of the suite's auditing hooks. According to GTIG, the AI model proposed an off-by-one race condition in the TOTP comparator, generated a polished proof-of-concept that exercised the race window reliably, and even produced an obfuscation harness with conditional decryption keyed on the victim host's locale settings — a level of operational craft that researchers describe as approaching state-sponsored toolkits.
Google said it does not believe its in-house Gemini family powered the operation, and Bloomberg, citing multiple sources familiar with the investigation, reported that an open-weight model distributed under the alias 'OpenClaw' is the leading suspect. The Pentagon has reportedly designated Anthropic — another frontier-AI developer — a supply-chain risk in a separate but parallel disclosure, intensifying scrutiny over whether closed-weight, open-weight or hybrid distribution models present the greatest exploitation surface. GTIG coordinated a responsible-disclosure cycle with the affected vendor, shipped a patch and seeded indicators of compromise into the Mandiant feed before announcing the activity publicly.
The episode is widely seen as the watershed inflection point for a debate that has been building for two years inside both the cybersecurity and AI-policy communities. Senators Mark Warner, Marsha Blackburn and Bobby Scott reintroduced a bipartisan bill on Monday afternoon that would empower the new federal AI commission to compel pre-deployment red-team disclosures from any developer offering a frontier-class model commercially. Industry response has been mixed: Microsoft and OpenAI publicly endorsed pre-deployment red-team standards; Meta and Mistral pushed back, warning that overly prescriptive controls would entrench incumbent labs and disadvantage the open-source ecosystem on which the global vulnerability-research community depends.
Google's Threat Intelligence Group reported on May 11 that it disrupted a criminal hacking group that was using an artificial intelligence model to plan a 'mass exploitation event' against a popular web-based admin tool. The incident is the first publicly documented case of an AI-generated zero-day exploit built to bypass two-factor authentication.

Google found bad people on the internet. They are called hackers. Hackers try to break into computers.
These hackers used artificial intelligence, or AI, to help them. AI is software that can think a little bit like a person.
The hackers wanted to use AI to attack many computers at the same time. Google saw this and stopped them.
Google's news is important. It is the first time we have seen hackers use AI in this way.
1. What company found the hackers?
2. What did the hackers use to help them?
3. What does AI mean?
4. What did Google do?
5. Is this the first time we have seen AI used like this?
6. Hackers try to break into computers.
7. Google helped the hackers.
8. AI stands for Artificial Intelligence.
9. This kind of attack happens every week.
10. The hackers wanted to attack many computers.
11. Google ___ the hackers from doing their attack.
12. The hackers used ___ to help them.
13. AI stands for artificial ___.