In May 2026, Google's Threat Intelligence Group (GTIG) published a new investigation detailing how attackers are increasingly integrating generative AI into large-scale operations.
GTIG reported its first detection of attackers planning to use AI-generated zero-day vulnerabilities for mass exploitation. Fortunately, the potential threat was identified and successfully blocked in time. Advanced large language models (LLMs) excel at identifying complex semantic logic flaws that traditional scanning tools often miss. This allows attackers to build sophisticated exploitation tools more efficiently.
AI has also significantly boosted attackers' coding productivity and evasion capabilities. They now use AI to accelerate the development of infrastructure toolkits and polymorphic malware. For example, LLMs can generate large amounts of "decoy logic" which consists of seemingly legitimate but functionally useless code segments that effectively confuse automated detection systems and hide the malware’s true intent.
Malware operations are evolving toward greater automation and autonomy. Some malware now incorporates autonomous agent modules that use LLMs to interpret the visual structure of systems. These agents dynamically generate commands to control victim environments, making decisions based on real-time device status rather than relying solely on human instructions.
In the realm of information operations, AI is shifting toward "agentic workflows." Attackers use autonomous attack frameworks to carry out multi-stage operations. They also generate synthetic media and deepfakes at scale to impersonate legitimate media outlets and journalists, thereby manufacturing public consensus and spreading targeted narratives.
To support these large-scale activities, attackers have developed advanced techniques for scalable LLM access. They employ specialized proxy services, relay agents, and automated registration processes to obtain anonymous high-tier model access. By bypassing usage restrictions and account bans through automated scripts and frequent account rotation, they maintain a steady supply of powerful AI capabilities while shifting operational costs to service providers.
The AI environment itself has become a prime target for supply chain attacks. Once attackers gain initial access, they deploy ransomware, steal cloud credentials, or conduct extortion. The increasing integration of AI systems has created new weak points in the security landscape.
While AI equips attackers with powerful new tools, it is also being used to strengthen defense. AI agents can proactively search for software vulnerabilities and automatically patch code. As AI-driven threats continue to grow, establishing effective security measures has become more urgent than ever.
Google has released its latest report on cybercriminals' abuse of AI
Links:
GTIG AI Threat Tracker: Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access (opens in a new window)