Google Says Attackers Used AI to Find a Zero-Day and Prepare a Mass Cyberattack

A threshold moment in AI-enabled offensive security

Google says it has identified what it describes as the first known case of an attacker using artificial intelligence to discover and weaponize a zero-day vulnerability. According to reporting on a new Google Threat Intelligence Group report, the company says it stopped the planned mass cyberattack before it could be carried out.

If that assessment holds, it marks an important transition in the cyber landscape. Security researchers have long expected large language models and related AI systems to become useful for offensive vulnerability research. The significance here is not that AI might someday help attackers. It is that a major threat intelligence team now says it has seen that threshold crossed in a real case.

What Google says it found

The report summarized by The Decoder describes attackers using AI at scale for cyber operations. The most striking claim is the zero-day case itself: a threat actor reportedly used AI to discover and weaponize a previously unknown vulnerability. Google says the planned campaign was disrupted before becoming a mass attack.

That finding matters because zero-days occupy a premium tier of cyber risk. They exploit vulnerabilities unknown to defenders at the time of use, which means conventional patching offers no immediate protection. If AI materially lowers the cost or increases the speed of finding such flaws, the balance between offense and defense could become more unstable.

The report also says state-backed actors from China and North Korea are using AI to hunt for vulnerabilities. That widens the picture from a single incident to a strategic pattern: governments and associated groups may already be incorporating AI into cyber reconnaissance and exploit development workflows.

The ecosystem around AI-assisted attacks

One detail highlighted in the source report is the GitHub project called wooyun-legacy, described as a Claude plugin built on more than 85,000 real vulnerability cases from the Chinese platform WooYun. Its stated purpose is to help AI models analyze code more effectively.

That example illustrates a broader point. The risk is not only that frontier models become stronger in the abstract. It is that attackers can surround those models with specialized datasets, tools, and plugins that make them more effective at security-specific tasks. In other words, usable offensive capability may emerge from the combination of a general-purpose model and domain-targeted scaffolding.

The report also says Russia-linked groups are embedding AI-generated obfuscation code in malware. One example given is Android malware called PROMPTSPY, which uses the Gemini API to control devices autonomously. That signals another layer of change: AI is not only being used to discover flaws, but also to shape payload behavior and concealment.

Criminal groups are also said to be targeting AI supply chains, including popular open-source packages. That reflects how the attack surface has expanded around AI adoption. As more organizations depend on open components, model-connected tooling, and fast-moving package ecosystems, adversaries have more places to insert compromise.

Defense is becoming AI-vs-AI

Google is not presenting the report as a story of unchecked escalation. The company says it has developed AI-based countermeasures of its own, including tools called Big Sleep and CodeMender. The exact details of those systems are not described in the supplied material, but the strategic implication is plain: defenders are increasingly responding to AI-assisted offense with AI-assisted defense.

That sets up a more dynamic competition than earlier waves of cyber automation. Past defensive tools often focused on rules, signatures, heuristics, or anomaly detection. The newer generation may involve systems capable of understanding code, modeling vulnerability patterns, and accelerating patch or mitigation work.

Still, defensive acceleration does not automatically erase offensive advantage. If AI helps attackers scale reconnaissance, generate variants, and analyze targets more rapidly, defenders may face a larger volume of plausible threats even if they also have better tools.

Why this matters now

The biggest practical consequence of the report may be that it shortens the timeline for how seriously organizations treat AI-enabled offensive capability. Security leaders have often discussed this as an approaching challenge. A documented case of AI-assisted zero-day discovery would move the discussion from forecast to operating reality.

That does not mean every attacker suddenly has frontier-level capability. Effective exploitation still depends on access, engineering skill, operational security, and target selection. But the report suggests AI may now be materially useful at one of the highest-value steps in the intrusion chain.

For defenders, that means vulnerability management, software supply chain security, and code review may all need to be re-evaluated under the assumption that attackers can search for weaknesses faster and with better pattern recognition than before.

The significance of the first confirmed case

In cyber policy and threat intelligence, first confirmed cases matter because they reset expectations. This report appears to do that. It suggests AI has moved from a support tool for phishing, translation, or low-level scripting into the domain of exploit discovery itself.

That is the point at which AI ceases to be an auxiliary cyber concern and becomes part of the core contest over software security. Google’s claim that it stopped the attack is encouraging. The larger implication is less comfortable. The industry may now be entering a period where the race to find and fix critical vulnerabilities is increasingly shaped by machines working on both sides.

This article is based on reporting by The Decoder. Read the original article.