Google's Gemini AI models have become a core component of state-sponsored hackers' attack vectors. Although AI use has been growing in white and black hat hacking in recent years, Google now says it's used in all parts of the attack process, from target acquisition to coding, social engineering message generation, and follow-up actions after the hack, as outlined in Google's latest Threat Intelligence Group report.
Slowly, then all at once
Although AI producing malware and hackers using AI has been a fear expressed by many since the advent of mainstream large language models in 2023, it was only August 2025 that many hailed the arrival of the age of AI hacking. Large language models have grown capable enough to act as useful tools for hackers with enough versatility and reliability to be consistently effective.
The first AI-powered ransomware showed up just days later, and Anthropic claimed to have foiled the first AI-powered malware attack in November. There have been just as many instances of AI itself being vulnerable to attackers, too, and it's not like the AI developers even have perfect security records.
But Google's admission of Gemini's involvement in every facet of modern hacks is a new paradigm shift. It now has tracked incidents of nation-state hacking groups utilizing Gemini for everything, "from reconnaissance and phishing lure creation to command and control (C2) development and data exfiltration."
Hack variety
Different countries and their hacking groups are allegedly using Gemini comprehensively, the Google report explains. In China, for example, its threat actors had Gemini act as an expert cybersecurity persona to have it conduct vulnerability analysis and provide penetration testing plans for potential attack targets.
“The PRC-based threat actor fabricated a scenario, in one case trialing Hexstrike MCP tooling, and directing the model to analyze Remote Code Execution (RCE), WAF bypass techniques, and SQL injection test results against specific US-based targets,” the report reads.
North Korea, on the other hand, primarily uses Gemini as part of phishing attacks. It used Gemini to profile high-value targets to plan out attacks. It is particularly used to go after members of security and defence companies, and attempt to find vulnerable targets within their orbits.
Iran was much the same, with its government-backed hackers using Gemini to search for official emails for specific targets and to conduct research into business partners of potential targets. They also used AI to generate personas that might have a good reason to engage with a target by feeding Gemini biographical information.
... continue reading