Adversaries Are Industrializing AI Across the Attack Lifecycle

Our team at Google Threat Intelligence Group (GTIG) just published new research on how adversaries are operationalizing generative AI.

We are tracking a maturing transition from simple experimentation to the industrial-scale application of models within adversarial workflows. Threat actors are no longer just using AI as a basic assistant; they are embedding it directly into their attack lifecycles to scale and automate operations.

Here are the key takeaways from our Q2 2026 AI Threat Tracker:

  • For the first time, we have identified a cybercrime threat actor using a zero-day exploit that we believe was developed with the assistance of AI.
  • Suspected Russia-nexus threat actors are leveraging AI-driven coding to generate large amounts of decoy logic, helping malware families like CANFAIL and LONGSTREAM evade static security controls.
  • We analyzed an Android backdoor called PROMPTSPY that uses the Gemini API to dynamically interpret device environments and autonomously simulate physical gestures on the screen.
  • Threat actors like #TeamPCP are targeting popular AI integration libraries, compromising tools like LiteLLM to steal high-value API secrets and cloud credentials.

To help defenders stay ahead of these evolving threats, our report also details key mitigations and how we are using AI agents to find and automatically patch software vulnerabilities.