Google confirms the first AI-generated zero-day 2FA bypass used in the wild, while nation-state groups from China, North Korea, and Russia deploy LLM-powered malware at operational scale. From PromptSpy's autonomous Android malware to shadow API markets on Taobao, today's briefing maps how AI is collapsing the exploit development timeline.
Audio is available on Spreaker.
For the first time, Google's threat intelligence team has confirmed a zero-day exploit developed by an AI being used in the wild to bypass two-factor authentication. That's not a simulation or a red team exercise.
The 2FA bypass isn't isolated. Alongside it, Google disclosed PromptSpy, an Android malware strain that runs a live Gemini API module as its core intelligence layer.
The nation-state picture is where this escalates from a technical story into a strategic one. Three major threat-actor groups (China-nexus UNC2814, North Korea's APT45, and China-aligned APT27) are all running active LLM jailbreaking operations for exploit development and malware research.
Researchers identified seventeen shadow API relay services operating openly on Taobao and Xianyu, two major Chinese consumer marketplaces, providing unrestricted access to Claude and Gemini through proxy servers. These services bypass regional restrictions and usage limits.
Russia's contribution to this picture is CANFAIL and LONGSTREAM, two malware families targeting Ukrainian organizations that use LLM-generated decoy code to hide malicious functionality inside seemingly benign logic. This is the first documented deployment of Russian nation-state AI malware in a live conflict environment.
The implication that deserves the most attention isn't any single malware family. It's the timeline compression.
Chapter summary auto-generated from the verified script. Listen to the full episode for the complete content.