Google's Threat Intelligence Group identified state-sponsored hackers from four nations systematically exploiting the company's own Gemini AI across every phase of cyber operations.
The November 2025 report reveals Chinese, Iranian, North Korean, and Russian advanced persistent threat groups have integrated the large language model into reconnaissance, phishing, malware development, and post-compromise activities.
Chinese threat actors including APT31 and Temp.HEX used expert cybersecurity personas to direct Gemini in automating vulnerability analysis. One documented case involved a China-based actor testing Hexstrike MCP tooling while directing the model to analyze remote code execution techniques, web application firewall bypass methods, and SQL injection test results against specific U.S.-based targets.
Iranian adversary APT42 deployed Google's language model to enhance social engineering campaigns and accelerate custom malicious tool development through debugging, code generation, and exploitation technique research.
The group reportedly used Gemini to translate local languages and regional references for targeted phishing operations.
North Korean groups UNC1069 and UNC4899 leveraged Gemini to support cryptocurrency theft operations and research software vulnerabilities. UNC1069 generated fake meeting excuses in Spanish to improve phishing success rates while also using deepfake videos impersonating crypto industry figures to spread malware disguised as a "Zoom SDK."
Russian actors incorporated Gemini into operational workflows for tasks ranging from target profiling and open-source intelligence gathering to phishing lure creation, translation, coding assistance, and vulnerability testing. APT28, also known as Fancy Bear, was among the groups observed using the AI tool.
Google discovered the first malware families using large language models during execution to dynamically alter behavior. PROMPTFLUX, written in Visual Basic Script, interacts with Gemini's API to request specific VBScript obfuscation and evasion techniques.
While the malware's "Thinking Robot" component is designed to prompt the LLM to rewrite its own source code, Google noted that the self-modification function is commented out and not currently in use. One variant of the malware was found to include a prompt that would rewrite the source code hourly by instructing Gemini to act as an 'expert VB Script obfuscator.'
Another malware family, HONESTCUE, uses API calls to Gemini to generate second-stage code that downloads and executes additional malware directly in memory using CSharpCodeProvider. This approach leaves no telltale artifacts on the victim's disk, making detection more difficult.
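A defender can hunt for the behaviour described for PROMPTFLUX and HONESTCUE by looking for Windows script interpreters that contact an LLM API endpoint. The sketch below is an added example, not code from Google's report; the event schema (ts, host, image, dest), the sample events and the interpreter list are constructed assumptions, and generativelanguage.googleapis.com is the public Gemini API host.

```python
import json
from collections import Counter

# Assumption: hosts treated as LLM API endpoints; extend for other providers.
LLM_API_HOSTS = {"generativelanguage.googleapis.com"}
# Assumption: interpreters with no expected business reason to call an LLM API.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed process-network events, one JSON object per line (hypothetical schema).
SAMPLE_EVENTS = r"""
{"ts":"2025-11-06T09:00:01Z","host":"ws-014","image":"C:\\Windows\\System32\\wscript.exe","dest":"generativelanguage.googleapis.com"}
{"ts":"2025-11-06T09:12:40Z","host":"ws-014","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dest":"generativelanguage.googleapis.com"}
{"ts":"2025-11-06T10:00:02Z","host":"ws-014","image":"C:\\Windows\\System32\\wscript.exe","dest":"Generativelanguage.googleapis.com."}
{"ts":"2025-11-06T10:05:11Z","host":"ws-022","image":"C:\\Windows\\System32\\cscript.exe","dest":"intranet.example.com"}
this line is truncated telemetry and is not valid JSON
{"ts":"2025-11-06T11:30:00Z","host":"dev-031","image":"C:\\Python312\\python.exe","dest":"generativelanguage.googleapis.com"}
"""

def image_name(path):
    """Lower-cased file name of a Windows image path (either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hunt(lines):
    """Return (alerts, per-endpoint hit counts) for script hosts calling LLM APIs."""
    alerts, counts = [], Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry instead of aborting the hunt
        # Normalise case and a trailing root dot before matching the hostname.
        dest = ev.get("dest", "").lower().rstrip(".")
        proc = image_name(ev.get("image", ""))
        if dest in LLM_API_HOSTS and proc in SCRIPT_HOSTS:
            alerts.append((ev.get("ts"), ev.get("host"), proc, dest))
            counts[ev.get("host")] += 1
    return alerts, counts

if __name__ == "__main__":
    found, per_host = hunt(SAMPLE_EVENTS.splitlines())
    for alert in found:
        print("ALERT", *alert)
    print("repeat contacts per endpoint:", dict(per_host))
```

Repeated hits from one endpoint at regular intervals are worth prioritising, given the hourly rewrite prompt reported in one PROMPTFLUX variant.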
COINBAIT, a phishing kit created by APT UNC5356, shows signs of having been developed using the Lovable AI platform. The React single-page application disguised as a cryptocurrency exchange contains artifacts indicating AI-accelerated development.
Google observed large-scale model extraction attempts where organizations with authorized API access methodically queried Gemini with more than 100,000 prompts. This knowledge distillation technique allows adversaries to transfer AI behavior into new models without safety guardrails.
Google considers this intellectual property theft and a threat to AI-as-a-service business models.
The company disabled accounts and infrastructure associated with documented malicious activity. Google updated Gemini's safety systems to detect similar misuse and enhanced classifiers to refuse assistance with similar attack patterns. The company shared intelligence with Google DeepMind to strengthen model safeguards.
Security researcher Marcus Hutchins pushed back on LinkedIn, saying companies are likely "overblowing the significance of AI slop malware." He noted that some features, such as the "Thinking Robot" component, were commented out and not in use, and that there was no entropy to ensure the self-modifying code differed from previous versions.
Despite these criticisms, Google expects threat actors to "move decisively from using AI as an exception to using it as the norm" to boost the speed, scope, and effectiveness of their operations. The report marks what Google calls a new operational phase of AI abuse involving tools that dynamically alter behavior mid-execution.
Underground criminal marketplaces selling AI tools matured in 2025, with vendors advertising AI-powered services for phishing, malware development, vulnerability research, and social engineering. These forums, especially in English and Russian, offer subscription-based pricing models similar to mainstream AI products.
Google's response included deploying additional tools to counter AI-augmented threats. The company introduced Big Sleep to help seek out software vulnerabilities and CodeMender to assist in patching vulnerabilities. These tools represent Google's approach to using AI defensively while preventing malicious use of its own models.
The weaponization of commercial AI platforms like Gemini underscores the dual-use nature of advanced language models. As threat actors demonstrate increasing sophistication in leveraging these tools, the cybersecurity industry faces challenges in how AI systems are designed, deployed, and defended against misuse.















