Google Unveils AI-Driven Insights on State-Sponsored Hackers’ Tactics

State-sponsored hackers are increasingly leveraging advanced tooling to enhance their cyberattack strategies, particularly utilizing models such as Google’s Gemini. According to a report from Google’s Threat Intelligence Group (GTIG), actors from nations like Iran, North Korea, China, and Russia are employing these technologies to craft sophisticated phishing schemes and develop malware.
The latest quarterly AI Threat Tracker report, released by GTIG, highlights how these government-backed attackers are integrating artificial intelligence into various phases of their attacks—ranging from reconnaissance and social engineering to malware creation. This trend has been particularly noticeable during the final quarter of 2025.
Researchers from GTIG stated that “large language models have become essential tools for technical research, targeting, and the rapid generation of nuanced phishing lures” among government-backed threat actors.
Targeting the Defence Sector
Iran’s APT42 is notably using Gemini to improve its reconnaissance and social engineering tactics. This group has employed AI tools to create seemingly legitimate email addresses for targeted entities and develop credible backstories for their approaches. Their efforts have included crafting believable personas and scenarios, translating messages between languages, and using natural-sounding phrasing to avoid the telltale signs that classic phishing detection relies on, such as grammatical errors or awkward wording.
Similarly, the North Korean group UNC2970 has utilized Gemini to profile significant targets by gathering information about major cybersecurity and defense firms, pinpointing specific job roles, and even analyzing salary data. This blurs the line between harmless professional research and malicious reconnaissance.
Model Extraction Attacks
GTIG has reported a rise in model extraction attempts, or “distillation attacks,” aiming to illegally acquire intellectual property from AI models. One major campaign involved collating over 100,000 specific prompts to pressure the Gemini model into revealing its reasoning processes, showcasing efforts to clone its reasoning capabilities in various non-English contexts.
Emergence of AI-Integrated Malware
GTIG has also tracked malware, known as HONESTCUE, that utilizes the Gemini API for functionality generation. This malware employs a complex method of obfuscation to evade traditional detection methods. It operates as a downloader and launcher that communicates with Gemini’s API to fetch C# source code and executes payloads directly in memory.
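One way a detection team might hunt for the behaviour described above (a process that contacts the Gemini API and then runs code it did not load from disk), as an added example that is not from the GTIG report or Google; the event schema, the sample telemetry, the Gemini API hostname and the browser allowlist are all assumptions made for this illustration:

```python
"""Correlate constructed endpoint telemetry to flag a HONESTCUE-style pattern:
a non-browser process that talks to the Gemini API and, shortly afterwards,
loads an assembly from memory. Schema and hostname are assumptions."""
from collections import defaultdict

GEMINI_API_HOST = "generativelanguage.googleapis.com"  # assumed Gemini API endpoint
# Processes expected to reach the Gemini API on an ordinary workstation (assumed allowlist)
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}
WINDOW_SECONDS = 300  # how long after the API contact an in-memory load still counts

# Constructed sample telemetry: (timestamp, pid, process, event_type, detail)
SAMPLE_EVENTS = [
    (1000, 4242, "chrome.exe", "net_connect", GEMINI_API_HOST),      # browser: expected
    (1010, 5150, "updater.exe", "net_connect", GEMINI_API_HOST),     # unexpected client
    (1042, 5150, "updater.exe", "assembly_load", "in-memory"),       # code with no file backing
    (1100, 6001, "notepad.exe", "assembly_load", "C:\\Windows\\x.dll"),  # file-backed: benign
    (1200, 7001, "svc.exe", "net_connect", GEMINI_API_HOST),         # unexpected client ...
    (1900, 7001, "svc.exe", "assembly_load", "in-memory"),           # ... but outside the window
]


def find_llm_loader_candidates(events, window=WINDOW_SECONDS):
    """Return sorted (pid, process) pairs where a process outside the allowlist
    contacted the Gemini API and, within `window` seconds, loaded an assembly
    straight from memory rather than from a file on disk."""
    api_contacts = defaultdict(list)  # pid -> timestamps of unexpected API contact
    for ts, pid, proc, kind, detail in sorted(events):
        if (kind == "net_connect" and detail == GEMINI_API_HOST
                and proc.lower() not in EXPECTED_CLIENTS):
            api_contacts[pid].append(ts)

    hits = set()
    for ts, pid, proc, kind, detail in sorted(events):
        if kind == "assembly_load" and detail == "in-memory":
            # Correlate only with API contacts that precede the load within the window
            if any(0 <= ts - t <= window for t in api_contacts.get(pid, [])):
                hits.add((pid, proc))
    return sorted(hits)


if __name__ == "__main__":
    for pid, proc in find_llm_loader_candidates(SAMPLE_EVENTS):
        print(f"suspicious: pid={pid} process={proc}")
```

Tune the allowlist and window to the environment; sanctioned developer tooling and AI-enabled applications will also reach the API and should be baselined before this is used for alerting.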
In addition, GTIG identified COINBAIT, a phishing kit potentially expedited by AI code generation tools that aims to mimic a prominent cryptocurrency exchange for credential theft.
Exploiting AI Chat Platforms
A novel social engineering technique was discovered where hackers use public generative AI services—such as Gemini and ChatGPT—to distribute deceptive content linked to ATOMIC malware targeting macOS systems. By manipulating these tools, attackers created realistic instructions with embedded malicious scripts disguised as “solutions.”
Underground Market Trends
The report revealed a continuous demand for AI-enabled tools within underground forums. Yet, many cybercriminals depend on existing commercial AI products instead of innovating their own. For instance, a toolkit named “Xanthorox” claims to generate autonomous malware and phishing campaigns but is fundamentally built on commercial products accessed through stolen credentials.
Google’s Countermeasures
In response to these threats, Google has taken action by disabling accounts related to malicious activities and enhancing its defensive models. The company is committed to developing AI in a responsible manner, striving to mitigate misuse while fostering the creation of secure environments.
The report serves as a potent reminder for enterprise cybersecurity teams, especially in regions where state-sponsored hackers are highly active, to enhance their defenses against the evolving tactics that integrate AI into social engineering and reconnaissance operations.
