PROBABLYPWNED
Threat Intelligence | February 12, 2026 | 5 min read

State Hackers Weaponize Gemini AI Across Attack Lifecycle

Google's threat intelligence reveals APT groups from China, Iran, North Korea, and Russia using Gemini for recon, malware development, and phishing. Two AI-powered malware families discovered.

Alex Kowalski

Google's Threat Intelligence Group disclosed Wednesday that state-backed hackers from four nations are actively abusing Gemini AI to support every phase of cyberattacks—from initial reconnaissance through malware development and data exfiltration. The company also revealed two malware families that integrate Gemini's API to dynamically generate and execute malicious code.

The report lands days after we covered North Korean hackers using AI-generated deepfakes in real-time Zoom calls. This new disclosure shows that nation-state AI abuse goes far beyond social engineering tricks.

Who's Using Gemini

Google's report documents systematic abuse by government-linked groups from China, Iran, North Korea, and Russia. Iranian actors account for the heaviest usage, with APT42 responsible for more than 30 percent of all Iranian APT activity involving Gemini.

Chinese groups including APT31, Temp.HEX (Mustang Panda), APT41, and UNC795 used Gemini for:

  • Automated vulnerability analysis against U.S. targets
  • Remote code execution research and WAF bypass techniques
  • Code debugging and web shell development
  • Building dossiers on specific individuals, including targets in Pakistan

One Chinese actor created a fabricated "expert cybersecurity persona" and asked Gemini to analyze SQL injection test results against named U.S. organizations—effectively trying to turn the AI into a penetration testing assistant.

APT42 (Iran) leveraged Gemini for social engineering personas, Python and Rust development, and accelerating debugging workflows. The group targets military and political figures in the U.S. and Israel.

UNC2970 (North Korea), a Lazarus Group affiliate, used Gemini to synthesize open-source intelligence on cybersecurity and defense companies. The group's AI usage fits a pattern—other North Korean clusters have adopted AI-generated malware in cryptocurrency theft campaigns.

Russian groups experimented with Gemini to modify existing malware and evade signature-based detection, though Google provided fewer specifics on these operations.

Two AI-Powered Malware Families

The most alarming finding: threat actors have built malware that calls Gemini's API during execution to generate payloads on the fly.

HonestCue is a downloader framework discovered in late 2025 that sends prompts to Gemini's API and receives C# source code as the response. The malware then uses the legitimate .NET CSharpCodeProvider framework to compile and execute the payload directly in memory—leaving no artifacts on disk.

This design accomplishes something that static malware can't: each execution produces different code. Traditional signature-based antivirus becomes essentially useless because there is nothing consistent to write a signature for. The malware asks an AI to write its second stage, compiles it on the spot, and runs it without touching the filesystem.

Google hasn't attributed HonestCue to a specific nation-state campaign. Researchers assess it's likely a proof-of-concept from a small team testing the approach for future operations.
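As an added detection example (not code from Google's report or from the HonestCue sample), the following correlates an outbound connection to an LLM API host with a compiler spawned by the same process shortly afterwards; the Gemini endpoint host, the five-minute window and the Sysmon-style event shape are assumptions.

```python
"""Added example (not Google's or HonestCue's code): correlate an LLM-API
connection with a compiler spawned by the same process shortly afterwards.
Assumes Sysmon-style events: EventID 3 = network connect, EventID 1 = process create."""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

LLM_API_HOSTS = {"generativelanguage.googleapis.com"}  # assumed Gemini REST host
COMPILER_IMAGES = {"csc.exe", "vbc.exe"}  # launched by CodeDOM providers on .NET Framework
WINDOW = timedelta(minutes=5)

# Constructed sample telemetry, not real indicators.
EVENTS = [
    {"EventID": 3, "UtcTime": "2026-02-10 09:00:01", "ProcessGuid": "{A}",
     "Image": r"C:\Users\u\update.exe", "DestinationHostname": "generativelanguage.googleapis.com"},
    {"EventID": 1, "UtcTime": "2026-02-10 09:00:07", "ProcessGuid": "{B}", "ParentProcessGuid": "{A}",
     "ParentImage": r"C:\Users\u\update.exe", "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    # Compile 20 minutes after the API call: outside the window, not flagged.
    {"EventID": 3, "UtcTime": "2026-02-10 09:10:00", "ProcessGuid": "{C}",
     "Image": r"C:\Tools\ide.exe", "DestinationHostname": "generativelanguage.googleapis.com"},
    {"EventID": 1, "UtcTime": "2026-02-10 09:30:00", "ProcessGuid": "{D}", "ParentProcessGuid": "{C}",
     "ParentImage": r"C:\Tools\ide.exe", "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
]

def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")

def find_llm_driven_compiles(events, window=WINDOW):
    """Return (parent image, API host, compiler) for each compiler spawn whose
    parent contacted an LLM API host within `window` before the spawn."""
    api_calls = defaultdict(list)  # ProcessGuid -> [(time, host)]
    for e in events:
        host = e.get("DestinationHostname", "").lower()
        if e["EventID"] == 3 and host in LLM_API_HOSTS:
            api_calls[e["ProcessGuid"]].append((_ts(e), host))
    hits = []
    for e in events:
        if e["EventID"] != 1 or ntpath.basename(e["Image"]).lower() not in COMPILER_IMAGES:
            continue
        spawn = _ts(e)
        for t, host in api_calls.get(e.get("ParentProcessGuid"), []):
            if timedelta(0) <= spawn - t <= window:  # API call first, then compile
                hits.append((e["ParentImage"], host, ntpath.basename(e["Image"])))
                break
    return hits
```

On .NET Framework, CSharpCodeProvider compiles by launching csc.exe and writing temporary source files before loading the resulting assembly, so a non-developer process spawning csc.exe right after contacting an AI API is observable even when the final payload only ever runs in memory.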

CoinBait is a credential-harvesting phishing kit masquerading as cryptocurrency exchanges. Built using Lovable AI, it's attributed to UNC5356, a financially motivated cluster. The kit shows artifacts indicating AI code generation throughout its React-based frontend.

100,000 Prompts to Steal the Model

Beyond operational abuse, attackers attempted to extract Gemini's reasoning capabilities through what security researchers call "model distillation."

Google detected systematic querying campaigns targeting Gemini with over 100,000 prompts designed to replicate the model's behavior across non-English languages. The apparent goal: build a knockoff model by harvesting query-response pairs as training data.

As security researcher Farida Shafik noted: "Every query-response pair is a training example for a replica. The model's behavior is exposed through every API response."

This attack vector has nothing to do with cybercrime—it's intellectual property theft at scale. But it demonstrates how AI platforms face threats from multiple directions simultaneously.
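As an added example of the logging review a platform operator would want (not Google's detection logic), the following flags API keys whose traffic looks like query-response harvesting across many languages; the usage-record shape, the thresholds and the sample log are constructed assumptions.

```python
"""Added example (not Google's detection logic): flag API keys whose traffic looks
like query-response harvesting for distillation. Records below are constructed."""
from collections import defaultdict

# Thresholds are illustrative assumptions; tune against real per-key baselines.
MIN_REQUESTS = 50         # volume per key in the analysed window
MIN_LANGUAGES = 5         # distinct prompt languages (the campaign spanned many)
MAX_TEMPLATE_RATIO = 0.2  # distinct prompt templates / requests: harvesters repeat a template

def _template(prompt):
    """Crude fingerprint: the first three tokens of the prompt, lower-cased."""
    return " ".join(prompt.lower().split()[:3])

def distillation_suspects(records):
    """Return {api_key: stats} for keys exceeding all three thresholds."""
    per_key = defaultdict(lambda: {"n": 0, "langs": set(), "templates": set()})
    for r in records:
        s = per_key[r["api_key"]]
        s["n"] += 1
        s["langs"].add(r["lang"])
        s["templates"].add(_template(r["prompt"]))
    suspects = {}
    for key, s in per_key.items():
        ratio = len(s["templates"]) / s["n"]
        if s["n"] >= MIN_REQUESTS and len(s["langs"]) >= MIN_LANGUAGES and ratio <= MAX_TEMPLATE_RATIO:
            suspects[key] = {"requests": s["n"], "languages": len(s["langs"]),
                             "template_ratio": round(ratio, 3)}
    return suspects

# Constructed usage log: one key cycling a fixed template over six languages,
# one ordinary application key with varied English prompts.
LANGS = ["fr", "de", "ar", "fa", "zh", "ko"]
SAMPLE_RECORDS = (
    [{"api_key": "key-harvester", "lang": LANGS[i % 6],
      "prompt": f"Explain step by step: question {i}"} for i in range(120)]
    + [{"api_key": "key-app", "lang": "en",
        "prompt": f"Summarize ticket {i}: " + "detail " * (i % 5)} for i in range(40)]
)
```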

Why This Matters

The mass reconnaissance of LLM infrastructure we reported in January showed attackers mapping AI deployments. This Google report reveals what comes after mapping: systematic abuse across operations.

AI tools don't fundamentally change what attackers do. They accelerate it. Reconnaissance that took days now takes hours. Phishing lures get generated in seconds rather than minutes. Code debugging happens faster. Malware polymorphism—already a challenge—becomes trivial when an API generates unique payloads per execution.

The HonestCue technique in particular should concern defenders. Antivirus vendors have spent decades building signature databases. A malware family that generates its payloads at runtime from an AI API sidesteps that entire defensive layer. Behavioral detection and memory analysis become the only reliable detection methods.

What Google Is Doing

Google says it has disabled accounts and infrastructure tied to documented abuse. The company implemented targeted defenses in Gemini's classifiers to refuse assistance with similar attack patterns and conducts regular security testing against adversarial prompts.

But there's an inherent tension in AI security. The same features that make these tools useful—code generation, research assistance, language translation—are exactly what attackers exploit. You can't build a useful AI assistant that won't help with "coding tasks" while also preventing malware development.

Organizations running Gemini deployments should review their API access controls and logging. The reconnaissance campaigns targeting AI infrastructure aren't hypothetical—they're documented. And now we know what attackers do once they've found exposed endpoints.
