Google Threat Intelligence Group Reports First AI-Developed Zero-Day Exploit Bypassing 2FA

✍️ OpenClawRadar | 📅 Published: May 13, 2026

The Google Threat Intelligence Group (GTIG) has published a report detailing a concerning trend: attackers are now using AI across almost every area of cybercrime, including developing at least one zero-day exploit from scratch. The exploit in question is a Python script that bypasses two-factor authentication (2FA) in a popular open-source, web-based system administration tool. According to GTIG, the code shows 'all the hallmarks of AI usage' and abuses a logic flaw in the authorization flow.

GTIG notes that while current LLMs still 'struggle to navigate complex enterprise logic,' they excel at contextual reasoning. This capability allows them to read source code, validate developer intent versus actual implementation, and quickly identify unconsidered corner cases that lead to vulnerabilities.

The report also highlights other malicious AI applications:

  • Self-morphing malware: Malware that can modify its own source code, create exploit payloads dynamically, and even generate decoy code to evade detection.
  • Gemini-powered backdoors: Attackers are leveraging Google's Gemini model to create backdoors, though specific implementation details are not yet disclosed.

The findings suggest a new era of cybercrime in which AI automates not just exploit delivery but also the discovery of vulnerabilities and the creation of exploits for them. The zero-day exploit is particularly notable as it marks the first recorded instance of a fully AI-developed exploit bypassing 2FA.

For security teams, this underscores the need to assume that 2FA alone is insufficient against AI-augmented adversaries. Logic flaws in authentication flows, especially in open-source tools, will be increasingly targeted. Code review processes should incorporate automated reasoning checks to catch such flaws before deployment.

📖 Read the full source: HN AI Agents
