North Korean Hackers Use AI to Find Vulnerabilities

Alphabet's Google said in a threat intelligence report that state-sponsored hacking groups from the Democratic People's Republic of Korea (DPRK) and the People's Republic of China have demonstrated "significant interest" in using artificial intelligence to discover previously unknown cybersecurity vulnerabilities. The Korea Herald reported that Google identified a North Korean cluster, tracked as APT45, sending thousands of repetitive prompts that recursively probed for exploitation blind spots. The report also described using AI to detect and block a criminal group deploying a "zero-day exploit" intended for "mass exploitation." The Korea Herald noted, citing Yonhap, that this reporting appears amid attention around Anthropic's Claude Mythos, which the startup restricted to selected defence and security testers.
What happened
Alphabet's Google said in a threat intelligence report Tuesday that state-sponsored actors linked to the Democratic People's Republic of Korea and the People's Republic of China have shown "significant interest" in applying artificial intelligence to uncover previously unknown software vulnerabilities. The Korea Herald reported that Google's report identified activity from a North Korean cluster tracked as APT45, which allegedly used AI-driven workflows that sent thousands of repetitive prompts to recursively analyze cybersecurity blind spots for possible exploitation. The report also described using AI to detect and block a criminal group deploying a "zero-day exploit" that was being prepared for "mass exploitation." The Korea Herald cited Yonhap when noting context around Anthropic's Claude Mythos and its restricted access for defence and security testing.
Technical details
The Google report, as quoted by the Korea Herald, frames the observed technique as automated, high-volume prompt sequences that iterate on vulnerability discovery rather than one-off manual probes. The article does not publish the report's raw prompts, tooling details, or exact detection telemetry, and it does not provide technical indicators of compromise in the public summary.
Editorial analysis
Industry-pattern observations: Automated prompt-driven reconnaissance lowers the marginal cost of enumerating subtle attack surfaces, enabling adversaries to scale vulnerability discovery across large codebases and exposed services. For defenders, this trend increases the value of automation in defensive pipelines, including continuous fuzzing, adversary-in-the-loop red teaming, and AI-assisted detection, but it also raises false-positive and signal-to-noise challenges when telemetry volumes grow.
Context and significance
Editorial analysis: Public reporting that a major cloud company identified nation-state-aligned actors using AI for vulnerability research constitutes an observable escalation in offensive tooling sophistication. While the Korea Herald article attributes the primary claims to Google's threat intelligence report, the piece also places the finding alongside discussions of Anthropic's Claude Mythos, which Yonhap noted was restricted to select organisations for security testing. The combined signals suggest heightened attention across both offensive and defensive communities to AI-assisted security workflows.
What to watch
Observers should track follow-up technical releases from Google or other vendors for IoCs, details of attacker tooling, and detection heuristics; watch academic and vendor postings for shared methodologies on prompt-based vulnerability discovery; and monitor whether additional private-sector incident reports corroborate mass-scale AI-assisted exploitation attempts. The Korea Herald article does not quote Google beyond the report excerpts, and no public, detailed tooling samples were published in the story.
Scoring rationale
This is a notable security development: a major vendor's threat report links nation-state actors to AI-assisted vulnerability discovery. The finding matters to defenders and incident responders, but it is not a fundamental research breakthrough or a universal platform compromise.

