Google’s Threat Intelligence Group (GTIG) says Gemini AI is being misused by multiple threat clusters to support end-to-end intrusion workflows, spanning reconnaissance, phishing development, tool creation, and post-compromise tasks. The activity includes state-backed actors and financially motivated operators using large language models for target research, translation, coding support, vulnerability experimentation, and operational troubleshooting.
The findings are detailed in GTIG’s “AI Threat Tracker” report, which documents how threat actors are integrating generative AI into day-to-day tradecraft rather than using it only for generic productivity. GTIG’s assessment also highlights a trend that matters for defenders: the abuse is increasingly blended into routine operational work, making it harder to spot as a distinct “AI-driven” phase in an incident timeline.
What Google Says Threat Actors Are Doing With Gemini AI
GTIG describes repeated usage patterns that map cleanly to common stages of intrusion activity. Instead of presenting AI as a magic “auto-hack” button, the report frames it as an accelerant for work attackers already do, especially in the areas where speed, scale, and language flexibility matter.
- Reconnaissance and target profiling: Building background on organizations, roles, infrastructure, and likely security controls to inform later actions.
- Phishing and social engineering support: Generating lure text, refining tone, and translating content for target regions and industries.
- Development and troubleshooting: Iterating on scripts, fixing bugs, and accelerating basic tool development.
- Vulnerability research and testing workflows: Requesting testing plans, triage steps, and explanation of exploit paths inside staged or fabricated scenarios.
- Post-compromise assistance: Helping with command syntax, data handling, and operational problem-solving after initial access.
GTIG also notes a recurring prompt tactic: actors pose as researchers, students, or defenders participating in exercises to elicit guidance that might otherwise be blocked. The practical takeaway is that guardrail bypass attempts often look like “benign” questions on the surface, but the intent becomes clear when prompts are chained into actionable operational steps.
State-Backed Groups Named in the Report
Google’s report explicitly references activity linked to multiple regions, including clusters associated with China, Iran, North Korea, and Russia. In GTIG’s view, these actors used Gemini AI for tasks like target research, phishing content creation, translation, and technical support work that speeds up campaign execution.
One example described involves a China-linked actor using an “expert cybersecurity” framing and a fabricated scenario to request vulnerability analysis, including remote code execution considerations and testing plans. Another China-linked cluster used Gemini AI for code fixes, research, and technical guidance related to intrusion capabilities.
GTIG also describes Iranian-linked activity where Gemini AI was leveraged to assist social engineering and to accelerate development work through debugging and code generation. The report’s broader point is not that AI replaces operators, but that it compresses time spent on tasks that used to be slower, especially when attackers are operating across languages and time zones.
Why “No Major Breakthrough” Still Matters
GTIG’s report stresses that it has not observed a dramatic leap where Gemini AI suddenly enables entirely new categories of intrusion by itself. That statement is important, but it can be misunderstood. The risk is not that every attacker becomes an expert overnight. The risk is that competent operators become faster, and less competent operators can clear basic hurdles more reliably.
That speed advantage shows up in practical places defenders care about:
- Phishing throughput: More plausible lures in less time, tuned to specific roles and local language quirks.
- Operational resilience: Faster troubleshooting keeps campaigns moving when tooling breaks or environments differ from expectations.
- Iteration cycles: Attackers can refine scripts and techniques rapidly, even when they lack deep expertise.
- Lower friction experimentation: More actors can “try” vulnerability testing or payload ideas without a large upfront investment.
In other words, “no breakthrough” is not the same as “no impact.” It means the impact is incremental, distributed, and harder to quantify, which is often exactly what makes it dangerous at scale.
HonestCue and the Shift Toward AI-Enabled Malware Workflows
One of the more operationally interesting details discussed by GTIG is how certain malware frameworks integrate AI into development or execution workflows. The report references HonestCue, described as a proof-of-concept malware framework observed in late 2025 that uses the Gemini API to generate C# code for a second-stage payload, which is then compiled and executed in memory.
This matters because it illustrates a direction defenders should expect more of: AI as a “runtime assistant” inside tooling, not just a chatbot used by the operator at the keyboard. GTIG also documents other examples of AI-related experimentation and “just-in-time” techniques, including malware families that query models to regenerate code or generate commands during execution.
Even when some of these examples are experimental or early-stage, they provide a preview of how attackers may attempt to reduce static indicators and make tooling more adaptable over time.
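A behavior-based check for the pattern described in this section, where a process contacts a generative AI API and then compiles C# at run time. This is an added example, not code from GTIG or the original article. The event schema, allowlist, time window and compile signals (a Roslyn module load or a csc.exe child process) are assumptions, since the page does not say how HonestCue performs its compilation.

```python
# Assumed signals, not taken from the GTIG report: the public Gemini API host and
# two generic signs of runtime C# compilation (Roslyn module load, csc.exe child).
LLM_API_HOSTS = {"generativelanguage.googleapis.com"}
COMPILE_MODULES = {"microsoft.codeanalysis.csharp.dll"}
COMPILE_CHILDREN = {"csc.exe"}
# Hypothetical allowlist of software expected to reach the API on this fleet.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}
WINDOW_SECONDS = 300
FIELDS = ("ts", "host", "pid", "image", "type", "value")

def basename(path):
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]

def find_llm_then_compile(events):
    """Alert when one process resolves an LLM API host and compiles C# soon after.

    type is 'dns' (value = queried name), 'module_load' (value = DLL path) or
    'process_create' (pid/image = parent, value = child image path).
    """
    llm_seen = {}   # (host, pid) -> timestamp of the most recent LLM API lookup
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["pid"])
        if ev["type"] == "dns":
            if (ev["value"].lower().rstrip(".") in LLM_API_HOSTS
                    and basename(ev["image"]) not in EXPECTED_CLIENTS):
                llm_seen[key] = ev["ts"]
            continue
        name = basename(ev["value"])
        compiled = ((ev["type"] == "module_load" and name in COMPILE_MODULES)
                    or (ev["type"] == "process_create" and name in COMPILE_CHILDREN))
        if compiled and key in llm_seen and ev["ts"] - llm_seen[key] <= WINDOW_SECONDS:
            alerts.append({"host": ev["host"], "pid": ev["pid"], "image": ev["image"],
                           "signal": name, "delay": ev["ts"] - llm_seen.pop(key)})
    return alerts

def sample_events():
    """Constructed telemetry; hosts, PIDs and paths are made up."""
    api = "generativelanguage.googleapis.com"
    roslyn = r"C:\ProgramData\app\Microsoft.CodeAnalysis.CSharp.dll"
    csc = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
    rows = [(100, "WS-01", 4120, r"C:\ProgramData\app\updater.exe", "dns", api),
            (130, "WS-01", 4120, r"C:\ProgramData\app\updater.exe", "module_load", roslyn),
            (200, "WS-02", 900, r"C:\Apps\chrome.exe", "dns", api),
            (210, "WS-02", 900, r"C:\Apps\chrome.exe", "module_load", roslyn),
            (300, "WS-03", 700, r"C:\Apps\devenv.exe", "process_create", csc),
            (400, "WS-04", 55, r"C:\Temp\svc.exe", "dns", api),
            (1000, "WS-04", 55, r"C:\Temp\svc.exe", "process_create", csc)]
    return [dict(zip(FIELDS, r)) for r in rows]
```

Only the WS-01 process is flagged in the sample: the browser is allowlisted, the IDE never called the API, and the WS-04 compile falls outside the window.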
How Defenders Should Interpret AI Use in Real Incidents
From an incident response and detection perspective, AI assistance can be easy to over-index on. The most useful framing is simpler: treat AI as an efficiency layer that improves the attacker’s ability to do normal attacker things.
That means defenders should focus on the same fundamentals, while adjusting expectations around timing and scale:
- Expect faster campaign iteration: Lure content, tooling variations, and operator playbooks may change more frequently.
- Watch for multilingual operations: Translation and localization support reduces friction for targeting regions outside an actor’s native language.
- Harden email and identity workflows: Better-written social engineering increases the value of strong MFA, phishing-resistant authentication, and robust conditional access.
- Instrument developer and admin endpoints: If attackers are using AI to move faster on tooling, endpoint telemetry and behavior-based detection become more important than static signatures.
- Monitor for anomalous API usage: GTIG also discusses model extraction and distillation attempts, which can involve large prompt volumes and systematic querying patterns.
On the AI-provider side, Google says it has taken disruption actions and implemented targeted defenses in classifiers to make abuse more difficult, while continuing to test and harden safeguards.
Model Extraction and Distillation Attempts
Beyond direct cybercrime enablement, GTIG flags a separate class of risk: model extraction and subsequent knowledge distillation. In these scenarios, actors with authorized access methodically query a model at scale to reproduce behaviors and accelerate competing model development at lower cost.
GTIG describes this as a commercial and intellectual property risk that is scalable and can undermine AI-as-a-service business models. While it is not framed as an immediate data exposure risk for typical end users, it is relevant because it drives providers to tighten controls, and it highlights how AI platforms are becoming targets in their own right.
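One way to turn the "large prompt volumes and systematic querying patterns" signal from this section and the defender checklist above into a check over API usage logs. This is an added example, not code from GTIG or the original article; the log schema, account names and thresholds are assumptions, and the sample records are constructed.

```python
import re
import statistics
from collections import defaultdict

# Illustrative thresholds (assumptions); tune against your own traffic baseline.
MIN_PROMPTS = 20           # minimum prompts in the window before scoring
MAX_TEMPLATE_RATIO = 0.2   # unique prompt skeletons / total prompts
MAX_INTERVAL_CV = 0.25     # coefficient of variation of inter-arrival gaps

def skeleton(prompt):
    """Reduce a prompt to its template by masking quoted spans and numbers."""
    masked = re.sub(r'"[^"]*"|\d+', "_", prompt.lower())
    return re.sub(r"\s+", " ", masked).strip()

def score_accounts(records):
    """records: (account, unix_ts, prompt) tuples. Returns {account: finding}."""
    by_account = defaultdict(list)
    for account, ts, prompt in records:
        by_account[account].append((ts, prompt))
    findings = {}
    for account, rows in by_account.items():
        if len(rows) < MIN_PROMPTS:
            continue
        rows.sort()
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        cv = statistics.pstdev(gaps) / (statistics.mean(gaps) or 1)
        ratio = len({skeleton(p) for _, p in rows}) / len(rows)
        reasons = []
        if ratio <= MAX_TEMPLATE_RATIO:
            reasons.append("templated prompts")
        if cv <= MAX_INTERVAL_CV:
            reasons.append("machine-regular timing")
        if reasons:
            findings[account] = {"prompts": len(rows), "reasons": reasons,
                                 "template_ratio": ratio, "interval_cv": cv}
    return findings

def sample_records():
    """Constructed sample: one scripted account and one interactive account."""
    recs = [("acct-scripted", 1000 + 2 * i, f'Classify item {i}: "text {i}" step by step')
            for i in range(40)]
    verbs = ["summarize", "translate", "rewrite", "explain", "outline"]
    topics = ["the quarterly report", "this email thread", "our onboarding guide",
              "a release note", "the meeting agenda"]
    ts = 1000
    for n, (v, t) in enumerate((v, t) for v in verbs for t in topics):
        ts += 5 + (n * 37) % 290   # irregular gaps standing in for interactive use
        recs.append(("acct-interactive", ts, f"{v} {t}"))
    return recs
```

Volume alone is a weak signal, so the check requires it together with low template diversity or machine-regular timing before an account is reported.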
What This Means for Security Teams Right Now
The GTIG report does not claim that Gemini AI is creating unstoppable attackers. The more realistic concern is that it compresses time and effort across the entire intrusion lifecycle. When that happens, defenders lose the quiet advantages they often rely on: slower lure crafting, slower tooling development, and more obvious language mistakes that help filter malicious content.
Organizations should treat the report as a signal to tighten controls that block common intrusion paths regardless of the attacker’s tooling, including phishing-resistant authentication, least privilege, strong logging on identity and endpoint layers, and rapid containment playbooks for initial access events. If AI makes attackers faster, response speed and visibility matter even more.
GTIG’s full “AI Threat Tracker” report, including additional examples and defensive context, is published by Google here: GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools.
Sean Doyle
Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.













