Nation-State Hackers Embrace Gemini AI for Malicious Campaigns

https://www.infosecurity-magazine.com/news/nation-state-hackers-gemini-ai/

Publish Date: 2026-02-12 07:45:00

Source Domain: www.infosecurity-magazine.com

Many government-backed cyber threat actors now use AI throughout the attack lifecycle, especially for reconnaissance and social engineering, a new Google study found.

In a report published on February 12, ahead of the Munich Security Conference, Google Threat Intelligence Group (GTIG) and Google DeepMind shared new findings on how cybercriminals and nation-state groups used AI for malicious purposes during the last quarter of 2025.

The researchers observed a wide range of AI misuse by advanced persistent threat (APT) groups. The groups used AI for tasks including coding and scripting, gathering information about potential targets, researching publicly known vulnerabilities and enabling post-compromise activities.

Iran, China and North Korea Use AI to Boost Cyber-Attacks

In one instance, Iranian government-backed actor APT42 leveraged generative AI models to search for official email addresses for specific entities and conduct reconnaissance on potential business partners to establish a credible pretext.

Google researchers also observed a North Korean government-backed group (UNC2970) using Gemini, one of Google’s large language models (LLMs), to synthesize open-source intelligence (OSINT) and profile high-value targets to support campaign planning and reconnaissance. The group typically impersonates corporate recruiters in its campaigns to target defense companies.

In another APT campaign, TEMP.Hex, a Chinese-nexus group also known as Mustang Panda, Twill Typhoon and Earth Preta, used Gemini and other AI tools to compile detailed information on specific individuals, including targets in Pakistan, and to collect operational and structural data on separatist organizations in various countries.

“While we did not see direct targeting as a result of this research, shortly after, the threat actor included similar targets in Pakistan in their campaign. Google has taken action against this actor by disabling the assets associated with this activity,” the report…
