State-sponsored hackers are using advanced tooling to enhance their cyberattacks, with threat actors from Iran, North Korea, China, and Russia leveraging models such as Google’s Gemini to escalate their campaigns. According to a recent report from Google’s Threat Intelligence Group (GTIG), these actors are using the models to build sophisticated phishing campaigns and to develop malware.
The latest quarterly AI Threat Tracker report, released today, highlights how government-backed attackers are now incorporating artificial intelligence across the attack lifecycle, including reconnaissance, social engineering, and malware development. GTIG observed this shift during the final quarter of 2025.
Researchers at GTIG mentioned in their report that “large language models have become crucial tools for government-backed threat actors for technical research, targeting, and the rapid creation of sophisticated phishing baits.”
Reconnaissance Efforts by State-sponsored Hackers Targeting the Defense Sector
APT42, an Iranian threat actor, reportedly used Gemini to enhance its reconnaissance and targeted social engineering activities. By employing AI, the group was able to generate authentic-looking email addresses for specific entities and conduct research to establish credible pretexts for approaching targets.
Similarly, North Korean government-backed actor UNC2970, known for targeting defense sectors and posing as corporate recruiters, utilized Gemini to assist in profiling high-value targets. Their reconnaissance included gathering information on major cybersecurity and defense companies, identifying technical job roles, and collecting salary details.
GTIG observed a surge in model extraction attempts, also referred to as “distillation attacks,” aimed at stealing intellectual property from AI models. While there were no direct attacks on advanced models by threat actors, frequent model extraction attacks were disrupted by Google’s systems.
Emergence of AI-integrated Malware
GTIG identified malware samples, tracked as HONESTCUE, that leverage Gemini’s API to generate functionality. The malware is designed to evade traditional detection methods through multi-layered obfuscation. GTIG also discovered COINBAIT, a phishing kit whose development was likely accelerated by AI code generation tools.
Abuse of AI Chat Platforms in ClickFix Campaigns
In a novel social engineering campaign observed in late 2025, threat actors abused generative AI services such as Gemini to distribute ATOMIC malware targeting macOS systems. By manipulating AI models into producing deceptive content, the attackers hosted the initial stage of the attack behind shareable links to AI chat transcripts.
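Because the first stage of this ClickFix variant lives behind a shared AI chat transcript, a web proxy log is one place a defender can look for it. The following Python is an added example (not code from the report or from Google) that scans constructed proxy log lines for requests to shareable AI chat transcript URLs and summarizes hits per client. The log format, the sample lines, and the share-link host and path patterns are assumptions for this example; adjust them to the services your users actually reach.

```python
import re
from typing import Dict, List, Optional

# Constructed sample proxy log (not taken from the GTIG report).
# Assumed format: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2025-11-03T09:12:44Z 10.20.1.15 GET https://www.example.com/docs/index.html 200
2025-11-03T09:13:02Z 10.20.1.15 GET https://gemini.google.com/share/3f0a9c2b1d7e 200
2025-11-03T09:13:10Z 10.20.1.22 GET https://chatgpt.com/share/6b2e4f1a-0c3d-4e5f-8a9b-1c2d3e4f5a6b 200
2025-11-03T09:14:01Z 10.20.1.30 GET https://gemini.google.com/app 200
2025-11-03T09:15:37Z 10.20.1.15 POST https://mail.example.com/api/send 201
"""

# Assumed share-link patterns for publicly shared chat transcripts. Ordinary use of
# the chat apps (e.g. /app) is deliberately not matched; only the share paths are.
SHARE_LINK_PATTERNS = [
    re.compile(r"^https://gemini\.google\.com/share/[A-Za-z0-9]+"),
    re.compile(r"^https://chatgpt\.com/share/[A-Za-z0-9-]+"),
]

# One proxy record per line, in the assumed five-field format above.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def is_share_link(url: str) -> bool:
    """True when the URL points at a shared AI chat transcript."""
    return any(p.match(url) for p in SHARE_LINK_PATTERNS)


def find_share_link_hits(log_text: str) -> List[Dict[str, str]]:
    """Collect every parsed record whose URL is a shared chat transcript link."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_share_link(rec["url"]):
            hits.append(rec)
    return hits


def summarize_by_client(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per client IP so repeat visitors surface first during triage."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["client"]] = counts.get(h["client"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_share_link_hits(SAMPLE_PROXY_LOG)
    for h in found:
        print(f"{h['ts']} client={h['client']} url={h['url']}")
    print("per-client:", summarize_by_client(found))
```

A hit here is a triage signal rather than a verdict: shared transcripts have legitimate uses, so the useful follow-up is correlating a hit with what the same endpoint did next (for example, a terminal or script interpreter launching shortly after the browser visit), which is what distinguishes a ClickFix lure from an ordinary shared conversation.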
Thriving Underground Marketplace for Stolen API Keys
GTIG’s investigation into underground forums revealed a persistent demand for AI-enabled tools and services. State-sponsored hackers and cybercriminals were found to rely on stolen credentials to access commercial AI products, such as Xanthorox, which was powered by multiple AI products including Gemini.
Google’s Response and Mitigations
Google has taken measures against the identified threat actors by disabling accounts associated with malicious activity and hardening its models against similar abuse in the future. The company says it remains committed to developing AI responsibly and to disrupting malicious activity.
GTIG emphasized that despite advancements in AI technology, no threat actors have fundamentally altered the cybersecurity landscape. The report underscores the evolving role of AI in cybersecurity and the ongoing race between defenders and attackers to leverage its capabilities.
For enterprise security teams, especially in regions like the Asia-Pacific where state-sponsored hackers are active, the report serves as a reminder to enhance defenses against AI-augmented cyber threats.