A new report from Google Threat Intelligence Group (GTIG) reveals a coordinated campaign exploiting an AI-generated zero-day vulnerability. The attack targets an unnamed open-source web administration tool, using the flaw to bypass two-factor authentication (2FA). The researchers say they identified an active threat actor utilizing large language models (LLMs) to actively discover and weaponize software vulnerabilities in the wild.
As the targeted flaw involves a high-level semantic logic bug stemming from a hard-coded trust assumption, rather than typical memory corruption, it matches the bug classes LLMs excel at identifying. Researchers have assessed with high confidence that the resulting Python exploit script was AI-generated, based on the abundance of educational docstrings, its distinct textbook structure, and telltale hallucinations, including a completely fabricated CVSS score.
LLM vulnerability discovery capabilities compared with other discovery mechanisms (Source: GTIG)
The report notes that state-sponsored syndicates from China and North Korea are increasingly interested in using LLMs for continuous vulnerability discovery and exploit development. Simultaneously, Russia-linked adversaries actively use AI to generate decoy code that heavily obfuscates malware such as CANFAIL and LONGSTREAM, and to deploy advanced voice cloning for more convincing social engineering campaigns.
To demonstrate this evolution, researchers also highlighted an Android backdoor called PromptSpy, which integrates with Gemini APIs to bypass LLM safety features, calculate interface geometry, and autonomously replay device authentication patterns such as lock PINs.
PromptSpy malware is generally described as malicious software that steals clipboard data, keystrokes, and other sensitive information from infected devices. The name has been used in security reporting for spyware-focused threats, particularly in mobile and targeted-surveillance contexts.
For defenders, the widespread use of AI by threat actors is compressing attack timelines, meaning patch windows that once lasted weeks may now close in hours.[1]
On another note from our friends at SentinelLabs: Education technology giant, Instructure, recently confirmed a two-week-long cybersecurity incident after ShinyHunters breached its popular Canvas learning management system (LMS). The attackers initially infiltrated the network in late April, exfiltrating a staggering 3.6 terabytes of data encompassing an estimated 280 million records across nearly 8,900 global educational institutions.
Days later, the attackers struck again, actively exploiting multiple cross-site scripting (XSS) vulnerabilities within user-generated content features. After hijacking authenticated admin sessions, ShinyHunters deliberately defaced active Canvas login portals during the final exam season, displaying disruptive extortion messages and demanding immediate ransom negotiations.
Source: University of Texas at San Antonio
The mass exfiltration exposed critical student and teacher information, including names, email addresses, and private platform messages, though financial data remained secure. To mitigate escalating operational damage, Instructure abruptly suspended its Free-for-Teacher environments while quickly implementing critical safeguards. This week, the company reached an undisclosed agreement with ShinyHunters to halt the public leak, despite repeated warnings from the FBI that paying a ransom does not guarantee against future double or triple extortion. So far, ShinyHunters has removed Instructure from their dark web leak sites and seemingly confirmed the deletion of all stolen data.
Following intense federal scrutiny, the U.S. House Committee on Homeland Security has launched a formal investigation into the repeated breaches, questioning Instructure’s incident response capabilities and its data protection obligations. Lawmakers are demanding immediate briefings from corporate leadership to thoroughly review the severe educational disruptions and compromised security controls that continue to affect millions of vulnerable students, administrators, and teachers globally.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information (CTI) via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-20-7/
Comments