Cybercriminals are leveraging artificial intelligence to exploit vulnerabilities, scale operations, and gain initial access to targeted systems or networks. This is highlighted in a report by the Google Threat Intelligence Group (GTIG).
For the first time, GTIG identified a hacker who utilized a zero-day exploit developed with AI. The hacker intended to deploy it for a mass attack, but Google experts managed to thwart the threat.
North Korea-linked attackers have also shown significant interest in using AI to identify vulnerabilities.
AI-assisted programming has accelerated the development of infrastructure toolkits and polymorphic malware. The technique helps such malware evade security systems and allows deceptive logic to be built in. GTIG associates these developments with Russia.
AI aids in autonomous operations. Analysts emphasized that malware like PROMPTSPY "indicates a shift towards independent orchestration of attacks." These models interpret the state of a system to dynamically generate commands and manipulate the victim's environment.
"This approach enables cybercriminals to offload operational tasks to AI for scalable and adaptive activity," the report states.
Hackers continue to use AI as a high-speed research assistant across the attack lifecycle, while at the same time shifting towards agent-based workflows for automation.
Criminals seek anonymous access to premium-tier models in order to bypass usage limits illegally, and the infrastructure built for this purpose enables widespread abuse of those services.
GTIG noted that hackers like TeamPCP (also known as UNC6780) have begun using AI environments and software dependencies to gain initial access to victims' infrastructure.
Google's cyber division experts emphasized that they are taking proactive measures to stay ahead of the constantly evolving threats.
In September 2025, the threat analysis team at the startup Anthropic discovered and disrupted the first-ever AI-driven cyber espionage campaign.
