
Q&A: How Adversaries Are Weaponizing AI in Cybersecurity – Insights from GTIG's Latest Report

2026-05-18 23:25:41

Since February 2026, Google Threat Intelligence Group (GTIG) has tracked a significant evolution in how malicious actors harness artificial intelligence. Their updated report reveals a shift from experimental AI use to industrial-scale integration in adversarial workflows. Drawing on Mandiant incident response data, Gemini analytics, and GTIG's own research, the findings paint a picture of a dual-threat landscape: AI serves both as a powerful engine for attacks and as a high-value target. Below, we answer key questions about the most concerning developments, from AI-generated zero-day exploits to autonomous malware and supply chain attacks targeting AI environments.

1. How are adversaries using AI to discover vulnerabilities and generate exploits?

GTIG reports the first confirmed instance of a threat actor using a zero-day exploit that appears to have been developed with AI assistance. A criminal group planned a mass exploitation event, but proactive counter-discovery by GTIG may have prevented it. State-aligned actors from the People's Republic of China (PRC) and the Democratic People's Republic of Korea (DPRK) are also heavily investing in AI for vulnerability discovery. These adversaries leverage generative models to accelerate the identification of software flaws and automatically craft exploit code, reducing the time from discovery to weaponization. The trend signals a democratization of exploit development, as AI tools lower the skill barrier for creating sophisticated, targeted attacks.

Source: www.mandiant.com

2. How is AI-augmented coding helping adversaries evade defenses?

AI-driven coding tools are enabling adversaries to build polymorphic malware and complex infrastructure suites much faster than before. For example, suspected Russia-nexus groups now use AI-generated decoy logic in malware to confuse detection systems. They also automate the creation of obfuscation networks—layers of proxies and redirectors that shield command-and-control servers. By generating code that constantly changes its signature without human intervention, attackers can bypass signature-based antivirus and intrusion detection. This AI-augmented development cycle allows small teams to produce what previously required large, coordinated efforts, making defense evasion scalable and adaptive.

3. What is the significance of autonomous malware like PROMPTSPY?

GTIG's analysis of PROMPTSPY reveals a shift toward fully autonomous attack orchestration. This malware integrates with large language models (LLMs) to interpret system states and dynamically generate commands, effectively manipulating victim environments without real-time human direction. Previously unreported capabilities show PROMPTSPY can offload tasks such as reconnaissance, lateral movement, and data exfiltration to an AI agent. This allows adversaries to scale operations massively—a single compromised machine can act as an autonomous node, adapting its behavior based on the network conditions it encounters. It marks a transition from manually controlled malware to self-directed digital soldiers.


4. How are AI tools being used for information operations and research?

Adversaries employ AI as a high-speed research assistant throughout the attack lifecycle, from target profiling to payload customization. In information operations (IO), the impact is even more visible. The pro-Russia campaign Operation Overload exemplifies how AI generates synthetic media and deepfake content at scale to fabricate digital consensus. These tools produce convincing fake social media accounts, comment threads, and video clips that amplify divisive narratives. Agentic workflows—where AI autonomously schedules posts and interacts with real users—make these campaigns persistent and difficult to dismantle. The result is an industrialized approach to manipulating public opinion.

5. How do adversaries obtain anonymized, premium access to LLMs?

Threat actors have developed professionalized middleware and automated registration pipelines to bypass model usage limits on commercial AI services. They cycle through accounts programmatically, using stolen credit cards or trial abuse to gain premium-tier access without attribution. This infrastructure enables large-scale misuse—such as generating phishing emails or malicious code—without triggering rate restrictions. The same pipelines can also resell access on underground forums, creating an illicit economy around AI services. GTIG notes that this obfuscated access allows adversaries to operate at scale while remaining hidden from service providers' abuse teams.

6. What are the risks of supply chain attacks targeting AI environments?

Groups like TeamPCP (UNC6780) are now focusing on AI environments and software dependencies as an initial access vector. By compromising open-source libraries, model registries, or development pipelines, attackers can inject backdoors into AI systems that are then deployed by unsuspecting organizations. These supply chain attacks have multiple downstream effects: stolen training data, poisoned models, and compromised inference outputs. For example, infecting a widely used Python package for machine learning could affect thousands of companies. GTIG warns that as AI adoption grows, the software supply chain becomes a critical attack surface that requires enhanced vetting and monitoring.
