AI Threats in 2026: How Adversaries Are Weaponizing Generative Models

The Google Threat Intelligence Group (GTIG) reports a major transition: adversaries are moving from experimental AI use to industrial-scale application of generative models. Based on Mandiant incident response, Gemini insights, and GTIG research, this Q&A explores the dual nature of AI as both a sophisticated engine for attacks and a high-value target. From zero-day exploits to autonomous malware, the landscape is evolving rapidly.

How are threat actors using AI to discover vulnerabilities and generate exploits?

For the first time, GTIG has identified a threat actor using a zero-day exploit believed to be developed with AI. The criminal group planned a mass exploitation event, but proactive counter-discovery may have prevented its use. Additionally, threat actors linked to the People's Republic of China (PRC) and the Democratic People's Republic of Korea (DPRK) have shown significant interest in capitalizing on AI for vulnerability discovery. AI models can analyze codebases, identify weaknesses, and even craft exploit code faster than traditional methods. This marks a shift from human-led research to AI-assisted reconnaissance, enabling adversaries to target zero-days at scale. The GTIG report emphasizes that while full automation isn't yet standard, the trend is accelerating, making defensive AI tools critical for timely patch management and threat hunting.

What role does AI play in defense evasion and malware development?

AI-driven coding has accelerated the development of infrastructure suites and polymorphic malware by adversaries. These AI-enabled development cycles facilitate defense evasion through obfuscation networks and AI-generated decoy logic. Suspected Russia-nexus threat actors have integrated such techniques into their malware, making detection harder. For example, AI can generate multiple variants of malicious code that change signatures dynamically, evading signature-based antivirus systems. It also helps create realistic decoy network traffic to mislead analysts. The report notes that AI-augmented development reduces the time and expertise needed to build sophisticated evasion tools, lowering the barrier for less-skilled attackers. This trend underscores the need for behavior-based detection and AI-enhanced security operations.

What is PROMPTSPY and how does it signal a shift to autonomous malware?

PROMPTSPY is an AI-enabled malware that represents a shift toward autonomous attack orchestration. Instead of relying on pre-programmed instructions, it uses models to interpret system states, dynamically generate commands, and manipulate victim environments. The GTIG analysis reveals previously unreported capabilities, including integration with AI to offload operational tasks. This allows threat actors to scale adaptive attacks without human intervention. For instance, PROMPTSPY can analyze network configurations, select the best exploit paths, and modify its behavior in real time based on defensive responses. This autonomy reduces the attacker's footprint and speeds up the attack lifecycle. It also poses challenges for incident response, as traditional indicators of compromise may change rapidly. The report marks PROMPTSPY as a precursor to fully autonomous malware frameworks.

How are adversaries using AI for information operations and research?

Adversaries leverage AI as a high-speed research assistant throughout the attack lifecycle, especially for information operations (IO). For example, the pro-Russia campaign “Operation Overload” uses AI to fabricate digital consensus by generating synthetic media and deepfake content at scale. This enables the creation of fake personas, manipulated videos, and coordinated propaganda that can influence public opinion. AI also helps automate the research phase: it can summarize intelligence, draft phishing emails, or analyze target profiles. The report highlights a shift toward agentic workflows that operationalize autonomous attack frameworks, making IO more efficient and harder to attribute. As AI-generated content becomes indistinguishable from human-created material, detection and media literacy become crucial defenses.

How do threat actors illicitly access premium LLM models?

Threat actors now pursue anonymized, premium-tier access to large language models through professionalized middleware and automated registration pipelines. This infrastructure allows them to bypass usage limits, scale misuse, and subsidize operations via trial abuse and programmatic account cycling. For example, attackers might use stolen credit cards or generate fake identities to create multiple accounts, then resell access or use it for malicious tasks like crafting phishing lures or generating exploit code. The report notes that obfuscated LLM access is a growing enabler of AI-driven attacks, as it provides adversaries with powerful tools without alerting service providers. Countermeasures include stronger identity verification, rate limiting, and anomaly detection to flag suspicious usage patterns.

What are the supply chain risks targeting AI environments?

Adversaries like “TeamPCP” (aka UNC6780) have begun targeting AI environments and software dependencies as an initial access vector. These supply chain attacks compromise libraries, frameworks, or infrastructure used by AI systems, enabling stealthy infiltration. For instance, by poisoning a widely used machine learning library, attackers can introduce backdoors or data leaks across multiple organizations. The GTIG report warns that such attacks can result in widespread compromise, as AI supply chains often share components across industries. Because AI models rely on large datasets and complex dependencies, they present a broad attack surface. Organizations should vet their software supply chains, use integrity checks, and monitor for unusual behavior in AI pipelines.

For more details on specific campaigns, see the Operation Overload discussion or PROMPTSPY analysis.