Google Identifies State Hackers Using AI in Attacks

State-sponsored hacking groups are increasingly leveraging advanced AI tools to enhance the speed and sophistication of their cyber operations. According to a new report from Google’s Threat Intelligence Group (GTIG), threat actors linked to Iran, North Korea, China and Russia are using large language models such as Google’s Gemini to support phishing campaigns, reconnaissance and even malware development.

The latest quarterly AI Threat Tracker report highlights how government-backed attackers integrated artificial intelligence into multiple stages of the attack lifecycle during the final quarter of 2025. These stages include reconnaissance, social engineering and payload development.

GTIG researchers noted that for state-sponsored actors, large language models have become critical tools for technical research, target profiling and generating highly convincing phishing content.

Defence Sector a Key Reconnaissance Target

The Iranian threat group APT42 reportedly used Gemini to enhance reconnaissance efforts and targeted social engineering campaigns. The group leveraged AI to generate realistic email addresses for specific organisations and conducted detailed research to craft credible pretexts when approaching victims.

By using AI-driven language refinement and translation capabilities, APT42 created convincing personas and natural-sounding communication, helping them bypass common phishing indicators such as grammatical errors or awkward phrasing.

Similarly, North Korea-linked UNC2970 known for targeting defence organisations and impersonating corporate recruiters used Gemini to profile high-value individuals. The group researched cybersecurity and defence firms, analysed technical job roles and collected salary data to build tailored phishing personas. GTIG observed that this type of activity closely resembles legitimate professional research, making malicious intent harder to detect.

Rise in Model Extraction Attacks

Beyond operational misuse, Google DeepMind and GTIG observed a surge in “model extraction” or “distillation” attacks aimed at stealing proprietary AI capabilities.

One campaign targeting Gemini attempted to collect more than 100,000 prompts designed to extract reasoning patterns from the model. The scale and diversity of the prompts suggested an effort to replicate Gemini’s reasoning processes in other languages and contexts.

Although no advanced persistent threat (APT) actors were found directly attacking frontier AI systems, Google disrupted multiple extraction attempts from private-sector entities and researchers attempting to replicate proprietary logic. The company’s detection systems identified these activities in real time and deployed countermeasures to protect internal reasoning traces.

Emergence of AI-Integrated Malware

GTIG also identified a malware strain named HONESTCUE that utilises Gemini’s API to dynamically generate malicious functionality. This malware operates as a downloader and execution framework, sending prompts through Gemini’s API to receive C# source code in response.

The secondary stage executes entirely in memory, avoiding file-based detection methods and complicating traditional static analysis techniques.

In another case, GTIG tracked COINBAIT, a phishing kit likely accelerated through AI-assisted code generation. Disguised as a legitimate cryptocurrency exchange, the kit was built using an AI-powered development platform and designed to harvest user credentials.

Abuse of AI Chat Platforms in ClickFix Campaigns

In December 2025, researchers observed a new social engineering tactic in which attackers exploited public sharing features of generative AI platforms including Gemini, ChatGPT, Copilot, DeepSeek and Grok to host malicious instructions.

These campaigns distributed ATOMIC malware targeting macOS systems. Attackers generated realistic troubleshooting instructions containing embedded malicious command-line scripts. By sharing these AI-generated transcripts via trusted domains, they increased the credibility of the initial infection stage.

Underground Markets Fuel AI-Enabled Crime

Investigations into English- and Russian-language underground forums revealed continued demand for AI-powered hacking tools. However, most threat actors lack the resources to build custom AI systems and instead rely on stolen API credentials to access established commercial AI platforms.

One toolkit marketed as “Xanthorox” claimed to be a custom-built AI system capable of autonomous malware creation and phishing campaign development. GTIG’s analysis determined that the tool was actually powered by multiple commercial AI services, including Gemini, accessed through compromised API keys.

Google’s Mitigation Efforts

Google has responded by disabling accounts and infrastructure associated with malicious usage. The company also enhanced its AI classifiers and models to refuse assistance in similar malicious activities.

Despite the increasing use of AI in cyber operations, GTIG concluded that no state-sponsored actor has yet achieved a breakthrough capability that fundamentally changes the overall threat landscape.

The report underscores a growing reality in cybersecurity: AI is becoming a powerful tool for both attackers and defenders. For enterprise security teams particularly in regions such as Asia-Pacific where Chinese and North Korean threat actors remain active the findings highlight the need to strengthen defences against AI-enhanced reconnaissance and social engineering campaigns.