AI Has Entered a New Phase of Cyber Warfare: Hackers Are Now Finding Zero-Days
A Major Shift in Cybersecurity
In May 2026, Google’s Threat Intelligence Group (GTIG) confirmed a major escalation in cybercrime activity: hackers are now using AI large language models (LLMs) not just for phishing or automation, but for something far more advanced, discovering and exploiting previously unknown software vulnerabilities.
This marks a turning point in cybersecurity. According to Google, this development represents only the “tip of the iceberg,” suggesting that AI-driven attacks are likely already more widespread than currently detected.
First Confirmed AI-Generated Zero-Day Attack
GTIG reported the first known case of a cybercriminal group using AI to identify a zero-day vulnerability, a flaw previously unknown to software developers.
The attackers attempted to exploit a widely used open-source system administration tool, designing an exploit capable of bypassing two-factor authentication.
Although the attack was disrupted before deployment, the case is significant because it shows AI was likely used not just for assistance, but for active vulnerability discovery and weaponization.
How AI Was Detected in the Attack
Google researchers identified several indicators suggesting AI involvement:
The exploit code contained highly structured “textbook-style” formatting typical of LLM output. It included educational-style explanations embedded in the script. It also contained a fabricated CVSS severity rating, a known form of AI hallucination where systems generate plausible but incorrect data.
These patterns led researchers to conclude with high confidence that AI assistance played a role in the attack development process.
A New Era of Automated Hacking
The report highlights a broader trend: cybercriminals and state-linked groups are increasingly integrating AI into multiple stages of hacking operations.
This includes reconnaissance, vulnerability scanning, malware development, phishing campaigns, and even automated decision-making during attacks.
Groups linked to China, North Korea, Russia, and Iran are all reportedly experimenting with AI tools to increase speed and efficiency.
In some cases, AI is being used to analyze decades-old software alongside modern systems to find exploitable flaws at scale.
The Defensive Response from Tech Companies
While attackers evolve, defensive systems are also advancing.
Google has deployed AI systems like “Big Sleep,” designed to proactively identify vulnerabilities before hackers do. Another experimental system, “CodeMender,” aims to automatically fix critical code issues once discovered.
However, cybersecurity experts warn that defensive AI and offensive AI are now developing in parallel, creating a rapidly escalating technological arms race.
Why This Matters
Cyberattacks are no longer limited to human skill or manual effort. AI reduces the time needed to discover vulnerabilities, write exploit code, and launch coordinated attacks.
This lowers the barrier to entry for cybercrime and increases the potential scale of future attacks.
Google’s assessment is clear: this is not a future threat. It is already happening.
Sources: NewYork Times \ Google Threat Intelligence Group (GTIG) Report \ Google Cloud Security Blog \ CNBC Cybersecurity Reports \ The News International \ Infosecurity Magazine
