State-sponsored hackers are increasingly integrating artificial intelligence into cyber operations. Google’s Threat Intelligence Group (GTIG) reports that actors linked to Iran, North Korea, China, and Russia are using models such as Google’s Gemini to enhance reconnaissance, phishing, and malware development.
According to Google’s late-2025 AI Threat Tracker, large language models are now embedded across multiple stages of the attack lifecycle. GTIG researchers state that for government-backed threat actors, AI models have become essential tools for technical research, target profiling, and generating high-fidelity phishing lures.
Iranian group APT42 reportedly used Gemini to create official-looking email addresses and conduct detailed research to craft credible pretexts. The group refined language and translated content to avoid traditional phishing red flags, such as grammatical errors. North Korean actor UNC2970 used Gemini to profile defence-sector targets, mapping job roles and gathering salary data. GTIG noted that this activity increasingly blurs the line between legitimate professional research and malicious reconnaissance.
Beyond social engineering, Google identified a rise in model extraction attempts targeting Gemini. One campaign used more than 100,000 prompts in an effort to replicate the model’s reasoning capabilities. GTIG also observed malware such as HONESTCUE leveraging Gemini’s API to dynamically generate C# code, enabling fileless execution directly in memory. Separately, phishing kits like COINBAIT were likely accelerated using AI code-generation platforms.
Despite these developments, GTIG reports no breakthrough capabilities that fundamentally change the threat landscape. However, AI is increasing the speed, scale, and efficiency of cyber operations. For enterprise security teams, particularly in regions facing persistent state-sponsored threats, the findings highlight the need to strengthen defences against AI-augmented reconnaissance, phishing, and automated malware generation.
Source:
https://www.artificialintelligence-news.com/news/state-sponsored-hackers-ai-cyberattacks-google/
