Chinese, Iranian hackers keep using AI to boost activities, says Google

Image by Michael Geiger

State-sponsored cyber threat actors, particularly those based in Iran and China, continue to misuse Google’s Gemini to enhance all stages of their operations, from reconnaissance and phishing lure creation to command-and-control (C2 or C&C) development and data exfiltration.

This is according to Google’s latest GTIG AI Threat Tracker report, released February 13.

The tech giant said that Google DeepMind and GTIG have identified an increase in model extraction attempts or “distillation attacks,” a method of intellectual property theft that violates Google’s terms of service. 

The company said it had taken steps to thwart malicious activity, including detecting, disrupting, and mitigating model extraction activity.

“While we have not observed direct attacks on frontier models or generative AI products from advanced persistent threat (APT) actors, we observed and mitigated frequent model extraction attacks from private sector entities all over the world and researchers seeking to clone proprietary logic,” it added. 

Google found that for government-backed threat actors, large language models (LLMs) have become essential tools for technical research, targeting, and the rapid generation of nuanced phishing lures. 

The latest report “highlights how threat actors from the Democratic People’s Republic of Korea (DPRK), Iran, the People’s Republic of China (PRC), and Russia operationalized AI in late 2025 and improves our understanding of how adversarial misuse of generative AI shows up in campaigns we disrupt in the wild,” it added.

GTIG has not yet observed APT or information operations (IO) actors achieving breakthrough capabilities that fundamentally alter the threat landscape.

“We have also observed activity demonstrating an interest in using agentic AI capabilities to support campaigns, such as prompting Gemini with an expert cybersecurity persona, or attempting to create an AI-integrated code auditing capability,” it added.

The report said that the group tagged as APT31 employed a highly structured approach by prompting Gemini with an expert cybersecurity persona to automate the analysis of vulnerabilities and generate targeted testing plans. 

“The PRC-based threat actor fabricated a scenario, in one case trialing Hexstrike MCP tooling, and directing the model to analyze remote code execution (RCE), web application firewall (WAF) bypass techniques, and SQL injection test results against specific US-based targets,” it said.

“This automated intelligence gathering to identify technological vulnerabilities and organizational defense weaknesses. This activity explicitly blurs the line between a routine security assessment query and a targeted malicious reconnaissance operation. Google has taken action against this actor by disabling the assets associated with this activity,” it added.

UNC795, also a China-based group, relied heavily on Gemini throughout their entire attack lifecycle. GTIG observed the group consistently engaging with Gemini multiple days a week to troubleshoot their code, conduct research, and generate technical capabilities for their intrusion activity. 

The threat actor’s activity triggered safety systems, and Gemini did not comply with the actor’s attempts to create policy-violating capabilities. 

The group also used Gemini to create an AI-integrated code auditing capability, likely demonstrating an interest in agentic AI utilities to support their intrusion activity. 

“Google has taken action against this actor by disabling the assets associated with this activity,” the company said.

“We observed activity likely associated with the PRC-based threat actor APT41, which leveraged Gemini to accelerate the development and deployment of malicious tooling, including for knowledge synthesis, real-time troubleshooting, and code translation,” the report said. 

“In particular, multiple times the actor gave Gemini open-source tool README pages and asked for explanations and use case examples for specific tools. Google has taken action against this actor by disabling the assets associated with this activity,” it added.

Meanwhile, in addition to leveraging Gemini for the aforementioned social engineering campaigns, Google said “the Iranian threat actor APT42” uses Gemini as an engineering platform to accelerate the development of specialized malicious tools. 

Google said this group is actively engaged in developing new malware and offensive tooling, leveraging Gemini for debugging, code generation, and researching exploitation techniques. 

“Google has taken action against this actor by disabling the assets associated with this activity,” the firm said.
