Six Things Adversaries Are Doing With AI
Inside Google's Q2 threat report. What MITRE ATLAS covers, and where it doesn't
For the first time, Google’s Threat Intelligence Group (GTIG) has identified a threat actor using a zero-day exploit they believe was developed with AI. A criminal group used a large language model to write a working exploit script that bypassed two-factor authentication in a popular open-source admin tool. The group was preparing to use the exploit in a mass-attack campaign when Google identified it and worked with the vendor to disclose and patch the flaw.
The structural signatures that gave GTIG confidence in the assessment are telling: the exploit script contained a hallucinated CVSS score in its docstrings (the in-code documentation strings left by the developer) and followed a textbook Python format characteristic of AI-generated code, down to extra code that prints the terminal output in color. These are small stylistic tells that a human exploit developer wouldn’t bother with.
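The two tells above are concrete enough to check mechanically when a script lands in a triage queue. The following is an added example, not GTIG's tooling or anything from the report: it parses a Python file with the standard `ast` module, pulls every docstring, looks for a CVSS score where none belongs, and counts ANSI colour escapes and colour-only imports. The regexes, the indicator names and both sample scripts are constructed for the illustration.

```python
"""Triage heuristic for the stylistic tells GTIG cites in the AI-generated exploit
script: a hallucinated CVSS score in a docstring and gratuitous colored terminal
output. Added example; the regexes, thresholds and sample scripts are constructed,
not GTIG's tooling."""
import ast
import re

# "CVSS: 9.8", "CVSS v3.1 score 9.8", "cvss=9.8" inside a docstring.
CVSS_RE = re.compile(
    r"\bCVSS(?:\s*v?\d\.\d)?\s*(?:score)?\s*[:=]?\s*(\d{1,2}(?:\.\d)?)", re.I
)
# ANSI SGR colour escapes, either as source-text escapes ("\x1b[31m") or raw ESC bytes.
ANSI_RE = re.compile(r"(?:\\(?:x1b|033|u001b)|\x1b)\[[0-9;]*m")
# Modules commonly imported only to colour terminal output.
COLOR_MODULES = {"colorama", "termcolor", "rich"}


def docstrings(tree):
    """Yield the module, class and function docstrings of a parsed file."""
    kinds = (ast.Module, ast.ClassDef, ast.FunctionDef, ast.AsyncFunctionDef)
    for node in ast.walk(tree):
        if isinstance(node, kinds):
            doc = ast.get_docstring(node)
            if doc:
                yield doc


def color_imports(tree):
    """Top-level names of imported modules that are on the colour-output list."""
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            names.add(node.module.split(".")[0])
    return names & COLOR_MODULES


def triage(source):
    """Return the tells found in one Python source text.

    A CVSS score has no business in the docstring of a working script (it belongs
    in an advisory), and a value outside 0-10 is certainly hallucinated.
    """
    tree = ast.parse(source)
    scores = [float(m.group(1)) for doc in docstrings(tree) for m in CVSS_RE.finditer(doc)]
    ansi = len(ANSI_RE.findall(source))
    modules = sorted(color_imports(tree))
    indicators = []
    if scores:
        indicators.append("cvss_in_docstring")
    if any(not 0.0 <= s <= 10.0 for s in scores):
        indicators.append("cvss_out_of_range")
    if ansi or modules:
        indicators.append("colored_output")
    return {"cvss_scores": scores, "ansi_escapes": ansi,
            "color_modules": modules, "indicators": indicators}


# Constructed, harmless sample that carries both tells.
SUSPECT = '''\
"""
Connectivity check for Example Admin Panel.
Severity: Critical
CVSS: 9.8
"""
import sys

def banner():
    """Print a colored status banner."""
    print("\\x1b[32m[+] starting\\x1b[0m")

def main():
    banner()
    print("\\x1b[31m[-] nothing to do\\x1b[0m")
    return 0
'''

# Constructed plain script with neither tell.
CLEAN = "def add(a, b):\n    return a + b\n"

if __name__ == "__main__":
    for name, src in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(name, triage(src))
```

Neither indicator is proof on its own; the point of the report's finding is that the combination, in a script with no other reason to carry them, shifted GTIG's assessment. Treat the output as a prioritisation signal that feeds a human review, not as attribution.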
That’s the headline finding from GTIG’s Q2 2026 AI Threat Tracker, published May 11. The TLDR version: adversaries have moved beyond basic experimentation to industrial-scale use of generative AI, and they’re doing several different things with it. Google is calling out specific groups by name, including state-sponsored clusters from China and North Korea, financially motivated cybercrime crews like TeamPCP, and Russia-linked operators targeting Ukraine. Each one uses AI at a specific phase of the attack lifecycle.
Below, I walk through what they’re doing and where it lands, mapping each use to the part of the kill chain a CISSP holder already operates against.
Here’s a quick tour.
Researching their targets
Before the attack comes the homework. Adversaries are using large language models to map out their victims. They generate detailed organizational hierarchies for departments such as finance and HR, identify which third-party vendors a target enterprise relies on, and even fingerprint the specific make and model of the computer a high-value executive uses. In one documented case, a threat actor asked an AI model to identify a target’s laptop from photographs.
Two China-linked actors stand out. The cluster GTIG tracks as UNC2814 prompts Google’s Gemini to act as a “senior security auditor” or “C/C++ binary security expert” before asking it to analyze the firmware of embedded devices like TP-Link routers. A separate China-linked group used a public agentic framework called Hexstrike, combined with a knowledge-graph memory system, to maintain persistent state on a target’s attack surface and pivot autonomously between reconnaissance tools.
The shared pattern: AI as a research force multiplier. Tasks that used to take a human analyst hours of OSINT can now happen at machine speed.
Developing new exploits
The identified zero-day matters for what it reveals about how AI changes vulnerability research. The 2FA bypass came from a hardcoded trust assumption in the developer’s authentication logic. It’s a high-level semantic flaw that fuzzers and static analyzers routinely miss. AI models, reading the developer’s intent across the codebase, increasingly find them.
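To make "hardcoded trust assumption" concrete, here is an added, constructed illustration of that flaw class beside a hardened version. It is not the actual bypass in the admin tool GTIG reported, whose details the report does not give; the user store, header names, server key and token format are all invented for the example. The flawed handler assumes that any caller presenting an internal-request header already passed MFA at a gateway; every line is well-formed, so a fuzzer or linter sees nothing, and only reading the developer's intent reveals the problem.

```python
"""A hardcoded trust assumption in second-factor logic, beside a hardened version.

Added, constructed illustration of the flaw class the text describes (an assumption
about who the caller is, not a memory bug); it is not the bypass GTIG reported."""
import hashlib
import hmac
import time

# Constructed demo credential store; a real service keeps hashed secrets server-side.
USERS = {"alice": {"password": "correct horse battery", "otp": "123456"}}
SERVER_KEY = b"constructed-demo-key-rotate-me"
TOKEN_TTL = 30 * 24 * 3600


def _password_ok(username, password):
    user = USERS.get(username)
    return bool(user) and hmac.compare_digest(password or "", user["password"])


def login_flawed(username, password, otp, headers):
    """Flawed: a caller presenting X-Internal-Request is assumed to have passed MFA
    at a gateway. Nothing verifies that assumption, and the header is caller-controlled."""
    if not _password_ok(username, password):
        return False
    if headers.get("X-Internal-Request") == "1":
        return True  # trust assumption: the second factor is skipped
    return hmac.compare_digest(otp or "", USERS[username]["otp"])


def issue_device_token(username, now=None):
    """Issued only after a successful OTP check; binds user and expiry under a server MAC."""
    exp = int(now if now is not None else time.time()) + TOKEN_TTL
    mac = hmac.new(SERVER_KEY, f"{username}:{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{username}:{exp}:{mac}"


def device_token_valid(token, username, now):
    """A token counts only if it is intact, issued for this user, and unexpired."""
    try:
        user, exp, mac = token.split(":")
        exp = int(exp)
    except (AttributeError, ValueError):
        return False
    if user != username or exp < now:
        return False
    expected = hmac.new(SERVER_KEY, f"{user}:{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def login_hardened(username, password, otp, headers, now=None):
    """Hardened: trust comes from server-verifiable state (a MAC'd device token the
    server itself issued), never from a flag the caller asserts about itself."""
    now = time.time() if now is None else now
    if not _password_ok(username, password):
        return False
    if device_token_valid(headers.get("X-Device-Token"), username, now):
        return True
    return hmac.compare_digest(otp or "", USERS[username]["otp"])
```

The design point is where trust originates: in the hardened path the only way to skip the OTP is to hold a token the server minted after a prior OTP success, and the server can verify that claim by itself. A review question that catches this class of bug without any tooling is "for each branch that grants access, what fact does it rely on, and who controls that fact?"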
Writing stealthier malware
AI also appears inside the malware itself. Sometimes it’s used to hide the malicious code. Sometimes it’s used to operate it in real time.
Two Russia-linked malware families, CANFAIL and LONGSTREAM, target Ukrainian organizations and contain LLM-generated decoy code. LONGSTREAM checks the system’s daylight saving status 32 times in a row, for no operational reason except to make the malicious file look like routine administrative work.
And then there is PROMPTSPY. The Android backdoor sends the device’s current screen layout to Google’s Gemini API and asks the model where to tap next. The model returns coordinates. The malware taps. ESET first identified the malware. GTIG extended the analysis to describe what they call the first widely reported example of an AI service driving real-time malware behavior in the wild.
Industrializing account abuse
AI providers cap usage. Attackers don’t want to be capped. So they industrialized account abuse.
Two China-linked clusters, UNC6201 and UNC5673, run automated registration pipelines that bypass CAPTCHA and SMS verification to create premium accounts at scale. Middleware aggregators such as Claude-Relay-Service and CLIProxyAPI allow attackers to pool API keys from Gemini, Claude, and OpenAI accounts via a single OpenAI-compatible interface. Anti-detect browsers mask the fingerprints. The whole ecosystem looks professionalized. GTIG documents five tool categories with named examples for each.
Manufacturing scale
The same scaling impulse shows up in influence operations. The pro-Russia campaign Operation Overload used suspected AI voice cloning to make real journalists appear to say things they never said, splicing the synthetic audio into manipulated video to lend credibility to false narratives. Russia, Iran, China, and Saudi Arabia are all using AI to produce political content at volume, though most of the breakthrough capability claims for these campaigns have not yet appeared in observed operations.
Going after the AI supply chain
The frontier models themselves are well-defended. So attackers are going after the connecting layers: the libraries, the package managers, the skill marketplaces, and the API gateways that AI systems depend on.
A cybercrime cluster known as TeamPCP (also tracked as UNC6780) compromised the GitHub repositories of LiteLLM, BerriAI, Trivy, and Checkmarx in late March 2026. They embedded a credential stealer called SANDCLOCK that extracted AWS keys and GitHub tokens from affected build environments. The stolen credentials were sold to ransomware and data-theft-extortion groups, turning a single supply chain compromise into multiple downstream payloads.
A parallel pattern hit the OpenClaw skill marketplace. Researchers found malicious packages distributed as legitimate skills, containing hidden routines that abused OpenClaw’s elevated system access to run unauthorized code. Both incidents are supply chain attacks specifically targeting the AI dependency layer.
How does MITRE ATLAS help?
All six behaviors above need names. Once a threat has a technique ID, you can record it in a risk register, assign an owner, select a control, and audit the result. MITRE ATLAS is the canonical vocabulary for AI-specific adversary tactics, the AI extension of MITRE ATT&CK. I previously wrote a longer piece on ATLAS for readers who want the deeper context.
A question worth asking follows: how well does ATLAS cover what GTIG just documented?
The answer is partial. Some of GTIG’s findings map cleanly to pre-existing ATLAS techniques. Several map to techniques MITRE added or updated in their early May (v5.6.0) release. A handful have no direct ATLAS coverage, but the framework is responsive, and it’s still catching up.
Already in the catalog
Four of GTIG’s findings map to ATLAS techniques that predate the May update:
PROMPTSPY’s autonomous orchestration is fully covered. AML.T0040 (AI Model Inference API Access), AML.T0103 (Deploy AI Agent), AML.T0102 (Generate Malicious Commands), and AML.T0053 (AI Agent Tool Invocation) describe the architecture pattern PROMPTSPY uses.
LLM account abuse and middleware proxies map to AML.T0008.005 (AI Service Proxies), AML.T0021 (Establish Accounts), and AML.T0016.002 (Obtain Capabilities: Generative AI). These were added in earlier ATLAS releases.
TeamPCP’s AI supply chain compromise maps to AML.T0010.001 (AI Supply Chain Compromise: AI Software).
Operation Overload’s voice-cloning campaign maps to AML.T0088 (Generate Deepfakes), the technique GTIG used in their own appendix to attribute this finding. T0088 covers the synthesis of high-fidelity audio and video to impersonate authoritative figures.
These map straight into a register today without waiting for anything new.
Just added
ATLAS Data v5.6.0 (atlas.mitre.org, view the diff) added or updated four entries relevant to the behaviors above:
Deepfake-assisted phishing (AML.T0052.001, new) is a phishing-specific subtechnique that extends the pre-existing T0088 Generate Deepfakes. GTIG didn’t document a deepfake-phishing-specific incident in this report, but ATLAS’s addition of this subtechnique signals the framework’s anticipation of voice cloning moving from influence operations into phishing pretexts (CEO fraud, executive impersonation).
Code repository reconnaissance (AML.T0095.000, new subtechnique under the new parent AML.T0095 Search Open Websites/Domains) covers the GTIG-documented use of public code repos for AI-related secrets and configuration discovery.
LLM Jailbreak (AML.T0054, updated) now reflects persona-driven prompting patterns, including the “act as a senior security researcher” jailbreak that GTIG attributed to UNC2814.
OpenClaw command-and-control case study (AML.CS0051, updated) formalizes the OpenClaw skill marketplace compromise pattern.
The release timing: MITRE published v5.6.0 on May 4. GTIG published their threat report on May 11. The framework was updated in close parallel with the threat intelligence cycle.
Not yet in the catalog
Three GTIG findings have no dedicated ATLAS technique:
AI-developed zero-day exploits. The lead finding from the GTIG report, the criminal-actor 2FA bypass developed with AI assistance, doesn’t have a specific ATLAS technique. The closest is AML.T0017 (Develop Capabilities), which is generic. There’s no “adversary uses AI to discover vulnerabilities in target systems” entry.
AI-generated polymorphic malware code. The LLM-generated decoy code in CANFAIL and LONGSTREAM, including LONGSTREAM’s 32 daylight-saving checks, has no dedicated technique. ATLAS covers prompt-side obfuscation under AML.T0068, but adversary use of AI to generate malware code with camouflage logic isn’t named.
Agentic frameworks as offensive tools. The PRC-nexus actor using Hexstrike with the Graphiti memory system for autonomous reconnaissance has no matching ATLAS entry. The framework covers adversaries’ use of AI inference APIs and includes AML.T0103 for deploying defender- or victim-owned agents, but offensive use of full agentic frameworks against victims remains a gap.
The gap is ATLAS-specific. GTIG’s own appendix maps these findings to conventional MITRE ATT&CK techniques: T1587.001 (Develop Capabilities: Malware) for CANFAIL and LONGSTREAM, T1587.004 (Develop Capabilities: Exploits) for the AI-developed zero-day, T1027.014 (Polymorphic Code) for PROMPTFLUX, and T1027.016 (Junk Code Insertion) for the decoy code patterns. Traditional ATT&CK covers the underlying behaviors. ATLAS hasn’t yet named them in AI-specific form.
The gap is informative. The biggest single GTIG finding (AI used to develop a real zero-day exploit) sits in the no-direct-mapping bucket. Frameworks update on incident-disclosure timelines, and it makes sense that the threat intelligence is ahead of the vocabulary.
How to harness ATLAS
Four things a CISSP-led security program can do this quarter with what’s in front of us:
1. Map ATLAS technique IDs into your existing risk register. The directly-mapped findings are the easy lift. Risk: AI dependency supply chain compromise. Threat: AML.T0010.001. Mitigation: AML.M0023 AI Bill of Materials and AML.M0014 Verify AI Artifacts. Owner: AppSec team. Same structural pattern your ATT&CK-anchored entries already use, with ATLAS-formal mitigation IDs rather than generic supply chain practices.
2. Add the v5.6.0 techniques where they apply. Deepfake-assisted phishing belongs in your security awareness training program now, not next year. The technique has a corresponding mitigation (AML.M0034 Deepfake Detection), and your tabletop exercises can use it as a scenario starter. Code repository reconnaissance fits into your secrets management and source control hygiene program.
3. Document the gaps as monitoring needs. This is the part most risk registers will miss. For each GTIG finding that doesn’t have an ATLAS technique (AI-developed zero-days, AI-generated polymorphic malware, offensive agentic frameworks), the register entry should explicitly say “no standard taxonomy entry; monitor framework releases for coverage.” A risk register that names where the framework has gaps is stronger than one that pretends the gaps don’t exist.
4. Track ATLAS releases. The framework moved from “no v5.6.0” to “four directly-relevant new entries” in less than a month after the underlying incidents became publicly known. Release tags live at github.com/mitre-atlas/atlas-data/releases. The canonical user-facing technique pages are at atlas.mitre.org. Subscribing to release notifications is a one-time setup with ongoing value.
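The four steps above, and the earlier point that a technique ID is what lets a risk get an owner, a control and an audit, come together in a register you can actually query. The following is an added example, not MITRE's or GTIG's code: the ATLAS, ATT&CK and mitigation IDs are the ones cited in this piece, while the risk names, owners and audit rules are constructed. The audit enforces step 3 directly: any entry without an ATLAS technique must carry the "no standard taxonomy entry" note, and the validator rejects IDs that do not fit their column's scheme, which catches the common slip of recording an ATLAS technique as bare "T0088" (ATT&CK's format) instead of "AML.T0088".

```python
"""A risk register keyed to MITRE ATLAS IDs, with explicit gap entries.

Added example that walks the four steps in the text; the entries reuse the ATLAS,
ATT&CK and mitigation IDs cited there, while owners, risk names and the audit
rules are constructed and not MITRE's or GTIG's."""
import re
from dataclasses import dataclass, field

ATLAS_TECHNIQUE = re.compile(r"^AML\.T\d{4}(?:\.\d{3})?$")
ATLAS_MITIGATION = re.compile(r"^AML\.M\d{4}$")
ATTACK_TECHNIQUE = re.compile(r"^T\d{4}(?:\.\d{3})?$")  # conventional ATT&CK
GAP_NOTE = "no standard taxonomy entry; monitor framework releases for coverage"


@dataclass
class RiskEntry:
    risk: str
    owner: str
    atlas_techniques: list = field(default_factory=list)
    atlas_mitigations: list = field(default_factory=list)
    attack_techniques: list = field(default_factory=list)  # ATT&CK fallback
    note: str = ""

    @property
    def is_gap(self):
        """A finding with no ATLAS technique is a gap even if ATT&CK names it."""
        return not self.atlas_techniques

    def invalid_ids(self):
        """IDs that do not fit the scheme of the column they sit in. A bare "T0088"
        in the ATLAS column is rejected: without the AML. prefix it reads as an
        ATT&CK ID, so the full "AML.T0088" must be stored."""
        bad = [t for t in self.atlas_techniques if not ATLAS_TECHNIQUE.match(t)]
        bad += [m for m in self.atlas_mitigations if not ATLAS_MITIGATION.match(m)]
        bad += [a for a in self.attack_techniques if not ATTACK_TECHNIQUE.match(a)]
        return bad


def build_register():
    """Steps 1 and 2: directly mapped and v5.6.0 entries; step 3: annotated gaps."""
    return [
        RiskEntry("AI dependency supply chain compromise", "AppSec",
                  ["AML.T0010.001"], ["AML.M0023", "AML.M0014"]),
        RiskEntry("LLM-driven malware orchestration", "Detection engineering",
                  ["AML.T0040", "AML.T0103", "AML.T0102", "AML.T0053"]),
        RiskEntry("Voice-cloned influence content", "Comms / brand protection",
                  ["AML.T0088"]),
        RiskEntry("Deepfake-assisted phishing", "Security awareness",
                  ["AML.T0052.001"], ["AML.M0034"]),
        RiskEntry("Code repository reconnaissance for AI secrets", "Secrets management",
                  ["AML.T0095.000"]),
        RiskEntry("AI-developed zero-day exploits", "Vulnerability management",
                  attack_techniques=["T1587.004"], note=GAP_NOTE),
        RiskEntry("AI-generated polymorphic malware code", "Detection engineering",
                  attack_techniques=["T1587.001", "T1027.016"], note=GAP_NOTE),
        RiskEntry("Offensive agentic frameworks", "Threat intelligence", note=GAP_NOTE),
    ]


def audit(register):
    """Step 3's check plus hygiene: every gap carries the monitoring note, every
    mapped risk should have an ATLAS mitigation selected, and every ID fits its scheme."""
    report = {"mapped": 0, "gaps": 0, "gap_risks": [], "unannotated_gaps": [],
              "needs_control": [], "invalid_ids": []}
    for e in register:
        report["invalid_ids"] += e.invalid_ids()
        if e.is_gap:
            report["gaps"] += 1
            report["gap_risks"].append(e.risk)
            if GAP_NOTE not in e.note:
                report["unannotated_gaps"].append(e.risk)
        else:
            report["mapped"] += 1
            if not e.atlas_mitigations:
                report["needs_control"].append(e.risk)
    return report


if __name__ == "__main__":
    for key, value in audit(build_register()).items():
        print(f"{key}: {value}")
```

Running the audit on this register reports five mapped risks, three annotated gaps, and three mapped risks that still lack a selected ATLAS mitigation; that last list is the one to take into the next control-selection meeting, and the gap list is the one to re-run against each new ATLAS release tag from step 4.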
Six attacker behaviors, named groups behind each, and a framework that’s partially there. Your risk register needs both the techniques the framework has named and the gaps it hasn’t.
Are you seeing any of these six behaviors already in your environment? Reply or drop it in the comments.