AI Threat Landscape 2026: How Adversaries Weaponize Generative Models for Cyber Attacks

Since our February 2026 report on AI-related threat activity, Google Threat Intelligence Group (GTIG) has tracked a significant shift: what began as experimental AI use by adversaries has matured into industrial-scale operations. This article, based on Mandiant incident response engagements, Gemini insights, and GTIG's proactive research, reveals a dual threat landscape where AI both powers sophisticated attack chains and becomes a prime target itself. Below, we break down six key developments.

AI-Powered Vulnerability Discovery and Zero-Day Exploits

For the first time, GTIG identified a threat actor using a zero-day exploit believed to have been developed with AI. The criminal group planned a mass exploitation event, but GTIG's proactive counter-discovery may have prevented its use. This marks a turning point—AI is now directly enabling the creation of previously unknown vulnerabilities.

State-aligned actors from the People's Republic of China (PRC) and the Democratic People's Republic of Korea (DPRK) have also shown intense interest in leveraging AI for vulnerability research. Their activities suggest that AI-assisted reverse engineering and fuzzing are becoming standard tools in their arsenals.

AI-Augmented Malware Development and Defense Evasion

AI-driven coding has accelerated the creation of infrastructure suites and polymorphic malware. Adversaries now employ generative models to rapidly iterate obfuscation networks and integrate AI-generated decoy logic directly into malicious code. For example, suspected Russia-nexus threat actors have used these techniques to evade detection by security tools.

The result? Malware that constantly changes its signature and behavior, making traditional signature-based defenses obsolete. This AI-augmented development cycle is now a key enabler for persistent, stealthy operations.

Autonomous Malware Operations: The Rise of PROMPTSPY

AI-enabled malware like PROMPTSPY signals a shift toward autonomous attack orchestration. Instead of following static command structures, this malware uses large language models to interpret system states and dynamically generate commands. It can manipulate victim environments without human intervention.

GTIG's analysis of PROMPTSPY reveals previously unreported capabilities, including the integration of AI for real-time decision-making in target reconnaissance. This approach allows threat actors to offload operational tasks to AI, scaling their attacks while adapting to defenses in real time.

AI as a Research Assistant and Information Operations Accelerator

Adversaries continue to use generative AI as a high-speed research assistant throughout the attack lifecycle. From phishing email drafting to exploit code refinement, AI accelerates every phase. More concerning is the shift toward agentic workflows—autonomous frameworks that can plan and execute attacks with minimal human oversight.

In information operations (IO), AI tools fabricate digital consensus by generating synthetic media and deepfake content at scale. A prime example is the pro-Russia IO campaign "Operation Overload," which leveraged generative models to flood platforms with deceptive narratives, mimicking grassroots support.

Obfuscated Access to Premium LLMs

To bypass usage limits and maintain anonymity, threat actors have professionalized the way they access generative AI models. They use custom middleware and automated registration pipelines to secure premium-tier access at scale. This infrastructure enables large-scale misuse—such as mass phishing generation—while subsidizing operations through trial abuse and programmatic account cycling.

The underground market now offers "API-as-a-Service" for LLMs, allowing even low-skilled attackers to weaponize advanced AI without direct exposure.

Supply Chain Attacks on AI Environments

Adversaries like TeamPCP (aka UNC6780) have begun targeting AI software dependencies and cloud environments as an initial access vector. These supply chain attacks compromise libraries, frameworks, or model registries that AI systems rely on. Once inside, attackers can exfiltrate training data, poison models, or move laterally to more valuable targets.

The consequences are severe: a single compromised dependency can cascade through an entire AI pipeline, affecting multiple downstream applications and users.