ctipilot.ch


GTIG AI Threat Tracker (May 2026): First Confirmed AI-Generated Zero-Day Exploit ITW and the Behavioural Class of AI-Augmented Malware

Severity: high · Discovered 2026-05-12 05:00 UTC · Deep dive

Entities: Google Threat Intelligence Group · NCSC-CH · TeamPCP

Part of run 2026-05-12-cd1ab844 (intel · Claude Opus 4.7)

ANNUAL REPORT: this is the dedicated treatment of the periodic Google Threat Intelligence Group AI Threat Tracker per PD-9, covering the findings selected for their high relevance to a Swiss / EU public-sector SOC; it is not a re-summary of the underlying daily-coverage items that the GTIG report itself revisits.

Background. GTIG (Google's threat-intelligence merger of Mandiant and the historical Google TAG) has been publishing recurring AI-threat-landscape briefings since the original Adversarial Misuse of Generative AI report (January 2025); CERT-FR's CERTFR-2026-ACT-016 agentic-AI advisory (covered in this brief's 2026-05-10 daily) and the NCSC-CH BACS assessment on AI in vulnerability management (covered same day) lay the European policy floor for the same threat surface. Where the predecessors documented LLM abuse as augmentation of existing tradecraft (phishing-content generation, recon, social-engineering scripts), the May 2026 AI Threat Tracker is the first report to publicly attribute an AI-generated functional zero-day exploit observed in active criminal use (Google Cloud Threat Intelligence — AI vulnerability exploitation initial access, 2026-05-11).

The first AI-generated zero-day exploit observed in the wild

GTIG describes a criminal campaign that used an LLM-generated Python exploit script targeting an unnamed widely-deployed open-source web-based systems-administration tool. The underlying flaw is a 2FA-bypass arising from a semantic logic error: developers hardcoded a trust assumption in one code path that contradicts the authentication-enforcement logic in another. GTIG's editorial point is that this bug class is exactly where LLMs outperform classical static analysis and fuzzers — semantic intent mismatch is undetectable to a fuzzer because the program does not crash, and undetectable to a typical SAST rule because both code paths individually are syntactically defensible.

GTIG attributes the script to LLM generation with high confidence based on structural artefacts atypical of human exploit authors: abundant "educational" docstrings explaining each function's purpose to a hypothetical reader; a hallucinated CVSS score embedded in comments; ANSI-colour helper imports and a --help menu scaffold characteristic of LLM training-data formatting; and consistent variable-naming patterns that read like a tutorial rather than an exploit. The activity maps to T1190 Exploit Public-Facing Application and is notable as the first publicly attributed instance of an LLM operating as the exploit author rather than as a phishing-content generator. Responsible-disclosure coordination patched the underlying tool before mass exploitation took hold; GTIG explicitly believes the disclosure disrupted the campaign.

AI-augmented malware families: CANFAIL, LONGSTREAM, PROMPTFLUX, HONESTCUE

The same GTIG release documents four malware families that integrate LLM calls into runtime behaviour rather than into development:

  • CANFAIL and LONGSTREAM (Russia-nexus) insert LLM-generated inert decoy code blocks and daylight-saving-time API calls at runtime to inflate benign-looking telemetry, polluting downstream behavioural-sequence detectors. Mapped to T1553 Subvert Trust Controls (as an EDR-evasion variant) and T1027 Obfuscated Files or Information (LLM-generated junk code as obfuscation).
  • PROMPTFLUX uses the Gemini API at runtime to generate just-in-time self-modifying code for EDR evasion — a logical extension of the polymorphism / packer class, but with the unique property that no two execution-instance signatures need ever match because the LLM is the polymorphism engine.
  • HONESTCUE requests VBScript-obfuscation stubs from Gemini at runtime, weaponising the cloud-API surface as the obfuscator's compiler.

State-actor abuse of Gemini: UNC2814 (PRC), APT45 (DPRK), APT27, UNC5673 (TEMP.Hex / PRC)

GTIG documents state-affiliated actor usage of Gemini for: ORB-fleet management (operating relay-network proxies), recursive-prompting validation of CVE / PoC quality at scale, and persona-driven jailbreaking attempts against embedded-device firmware analysis (TP-Link, the OFTP industrial protocol). UNC5673 (TEMP.Hex) is specifically called out for operating Claude-Relay-Service and CLI-Proxy-API tooling to pool illicit LLM access across Southeast Asian government-targeting operations — meaning the operational unit of compromise has shifted to include stolen LLM API keys as a primary objective, not a side-channel. This is the structural reason TeamPCP's SANDCLOCK stealer (§ 4 UPDATE) now explicitly enumerates LLM API keys alongside cloud credentials: there is a developed criminal market for stolen LLM access keys, driven by both volume billing arbitrage and access to higher-rate-limit / less-monitored model tiers.

Defender takeaway for Swiss / EU public-sector estates running AI workloads: treat LLM API keys as Tier-1 secrets equivalent to cloud-administrator credentials. Specifically: rotate at the same cadence; store in the same KMS / HSM-backed secret manager; enable usage-anomaly alerting at the LLM provider (rate-limit baselines per service principal, geographic / ASN anomalies, prompt-content categories outside business profile); audit any embedded-key check-ins to source control with the same gates as cloud-credential leak detection (T1552.001 Credentials In Files). The GTIG attribution that UNC5673 specifically targets government organisations means the threat profile applies directly to government developers and government-procured AI tooling.
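As an added example (not GTIG's, ctipilot's or any provider's code), the per-key baseline check the takeaway describes, run over a constructed hourly usage export: it flags volume bursts against each key's baseline median and any use from an ASN or country the key was never seen from during the baseline period. The record fields, the 5x burst factor and the sample data are assumptions.

```python
"""Added example, not from the GTIG report or any provider's tooling:
per-key LLM-API usage anomaly check over a provider usage export.
Record fields, the 5x burst factor and the sample data are assumptions."""
import json
from collections import defaultdict
from statistics import median

BURST_FACTOR = 5.0  # assumed: hourly volume above 5x the baseline median is a burst

# Constructed sample: one record per key per hour; the last two post-cutoff
# hours simulate a burst and a use from an ASN/country unseen in baseline.
USAGE_EXPORT = "\n".join(json.dumps(r) for r in [
    {"hour": "2026-05-10T09", "key": "k-svc-docs", "asn": 3303, "cc": "CH", "requests": 120},
    {"hour": "2026-05-10T10", "key": "k-svc-docs", "asn": 3303, "cc": "CH", "requests": 100},
    {"hour": "2026-05-10T11", "key": "k-svc-docs", "asn": 3303, "cc": "CH", "requests": 130},
    {"hour": "2026-05-11T09", "key": "k-svc-docs", "asn": 3303, "cc": "CH", "requests": 110},
    {"hour": "2026-05-11T10", "key": "k-svc-docs", "asn": 3303, "cc": "CH", "requests": 950},
    {"hour": "2026-05-11T11", "key": "k-svc-docs", "asn": 64512, "cc": "SG", "requests": 90},
])

def parse_export(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def build_baseline(records: list, cutoff: str) -> dict:
    """Per key: median hourly volume plus ASNs/countries seen before cutoff."""
    seen = defaultdict(lambda: {"volumes": [], "asns": set(), "ccs": set()})
    for r in records:
        if r["hour"] < cutoff:  # ISO-8601 hour strings sort lexically
            s = seen[r["key"]]
            s["volumes"].append(r["requests"])
            s["asns"].add(r["asn"])
            s["ccs"].add(r["cc"])
    return {k: {"median": median(s["volumes"]), "asns": s["asns"], "ccs": s["ccs"]}
            for k, s in seen.items()}

def find_anomalies(records: list, cutoff: str) -> list:
    """(key, hour, reason) for each post-cutoff record that deviates from baseline."""
    base = build_baseline(records, cutoff)
    alerts = []
    for r in (x for x in records if x["hour"] >= cutoff):
        b = base.get(r["key"])
        if b is None:
            alerts.append((r["key"], r["hour"], "key without baseline"))
            continue
        if r["requests"] > BURST_FACTOR * b["median"]:
            alerts.append((r["key"], r["hour"], "volume burst"))
        if r["asn"] not in b["asns"]:
            alerts.append((r["key"], r["hour"], "new ASN"))
        if r["cc"] not in b["ccs"]:
            alerts.append((r["key"], r["hour"], "new country"))
    return alerts
```

In production the same logic runs per service principal over the provider's usage export, with the cutoff advanced each day so yesterday's alerts join the baseline only once triaged.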

Hardening / detection summary

Concrete posture changes a Swiss federal / cantonal / EU public-sector SOC can implement based on this report alone, in priority order:

  1. Egress allowlisting for LLM-API endpoints: only workloads where LLM access is justified should be permitted outbound to *.googleapis.com/v1beta/, api.openai.com/v1/, api.anthropic.com/, etc. — enforce at SWG and at host firewall on production servers. Catches PROMPTFLUX / HONESTCUE / CANFAIL-class runtime LLM calls from workloads that should not be making them.
  2. LLM-API-key secrets management: treat as Tier-1; rotate quarterly minimum; enable provider-side usage alerting on per-key baselines.
  3. Exploit-artefact LLM-output heuristics added to triage pipelines for PoC scripts pulled from public sources — docstring-density / hallucinated-metadata / ANSI-bootstrap pattern, used as a triage prior, not a verdict.
  4. CI/CD secrets hygiene at the runner level — directly applicable both to the AI-key theft trend and to the SANDCLOCK / TeamPCP Jenkins compromise carried as the § 4 UPDATE. OIDC-federated short-lived credentials where the platform supports it; no long-lived PATs in runner environment.
  5. Behavioural-sequence detector cross-validation: where ML-based EDR is in use, validate against API-call-sequence pollution by sampling current detection thresholds against synthetic LLM-generated benign sequences.
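As an added example covering item 3 and the artefact list in the zero-day section above (not code from GTIG or this brief), a scorer that turns those artefacts (docstring density, CVSS metadata in comments, ANSI-colour helpers, --help scaffold) into a triage prior for scripts pulled from public sources. The weights, regexes and the two sample scripts are assumptions; the samples do nothing but print an argument.

```python
"""Added example, not GTIG's or ctipilot's code: LLM-artefact triage prior
for PoC scripts. Weights and regexes are assumptions to tune locally;
the score orders analyst attention, it is not a verdict."""
import ast
import re

WEIGHTS = {"docstring_density": 2.0, "cvss_metadata": 3.0,
           "ansi_helpers": 1.5, "help_scaffold": 1.0}
CVSS_RE = re.compile(r"\bCVSS\b.{0,24}?\b\d{1,2}(?:\.\d)?\b", re.I)  # e.g. "CVSS: 9.8"
ANSI_RE = re.compile(r"\x1b\[|\\033\[|\bcolorama\b|\bFore\.[A-Z]+")  # colour helpers
HELP_RE = re.compile(r"\bargparse\b|--help|add_help")  # --help menu scaffold

def artefacts(src: str) -> dict:
    """Measure each artefact class; density = documented / total functions."""
    tree = ast.parse(src)
    funcs = [n for n in ast.walk(tree)
             if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))]
    documented = sum(1 for f in funcs if ast.get_docstring(f))
    return {
        "docstring_density": documented / len(funcs) if funcs else 0.0,
        "cvss_metadata": bool(CVSS_RE.search(src)),
        "ansi_helpers": bool(ANSI_RE.search(src)),
        "help_scaffold": bool(HELP_RE.search(src)),
    }

def triage_score(src: str) -> float:
    """Weighted sum of the measures; higher means review earlier."""
    a = artefacts(src)
    return round(sum(WEIGHTS[k] * float(a[k]) for k in WEIGHTS), 2)

# Constructed samples: a tutorial-style script and a terse one; neither
# does more than print its argument.
TUTORIAL_STYLE = '''"""Host checker. CVSS: 9.8 (Critical)."""
import argparse
from colorama import Fore

def banner():
    """Print a banner so the user knows the tool has started."""
    print(Fore.GREEN + "[*] starting")

def main():
    """Parse the command line and print the chosen host."""
    p = argparse.ArgumentParser(description="Check a host")
    p.add_argument("--host", required=True, help="host to check")
    banner()
    print(p.parse_args().host)
'''
TERSE = "import sys\ndef f(h):\n    return h.strip()\nprint(f(sys.argv[1]))\n"
```

Feed the score into the triage queue as an ordering key only; a high score says "formatted like LLM output", not "generated by an LLM" and not "malicious".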