Google: Over 57 Nation-State Threat Groups Using AI for Cyber Operations - The Hacker News

Google: Over 57 Nation-State Threat Groups Using AI for Cyber Operations Ravie LakshmananJan 30, 2025Artificial Intelligence / Data Security Over 57 distinct threat actors with ties to China, Iran, North Korea, and Russia have been observed using artificial intelligence (AI) technology powered by Google to further enable their malicious cyber and information operations. "Threat actors are experimenting with Gemini to enable their operations, finding productivity gains but not yet developing novel capabilities," Google Threat Intelligence Group (GTIG) said in a new report. "At present, they primarily use AI for research, troubleshooting code, and creating and localizing content." Government-backed attackers, otherwise known as Advanced Persistent Threat (APT) groups, have sought to use its tools to bolster multiple phases of the attack cycle, including coding and scripting tasks, payload development, gathering information about potential targets, researching publicly known vulnerabilities, and enabling post-compromise activities, such as defense evasion. Describing Iranian APT actors as the "heaviest users of Gemini," GTIG said the hacking crew known as APT42, which accounted for more than 30% of Gemini use by hackers from the country, leveraged its tools for crafting phishing campaigns, conducting reconnaissance on defense experts and organizations, and generating content with cybersecurity themes. APT42, which overlaps with clusters tracked as Charming Kitten and Mint Sandstorm, has a history of orchestrating enhanced social engineering schemes to infiltrate target networks and cloud environments. Last May, Mandiant revealed the threat actor's targeting of Western and Middle Eastern NGOs, media organizations, academia, legal services and activists by posing as journalists and event organizers. The adversarial collective has also been found to research military and weapons systems, study strategic trends in China's defense industry, and gain a better understanding of U.S.-made aerospace systems. Chinese APT groups were found searching Gemini for ways to conduct reconnaissance, troubleshoot code, and methods to burrow deep into victim networks through techniques like lateral movement, privilege escalation, data exfiltration, and detection evasion. While Russian APT actors limited their use of Gemini to convert publicly available malware into another coding language and adding encryption layers to existing code, North Korean actors employed Google's AI service to research infrastructure and hosting providers. "Of note, North Korean actors also used Gemini to draft cover letters and research jobs—activities that would likely support North Korea's efforts to place clandestine IT workers at Western companies," GTIG noted. "One North Korea-backed group utilized Gemini to draft cover letters and proposals for job descriptions, researched average salaries for specific jobs, and asked about jobs on LinkedIn. The group also used Gemini for information about overseas employee exchanges. Many of the topics would be common for anyone researching and applying for jobs." The tech giant further noted that it has seen underground forum posts advertising nefarious versions of large language models (LLMs) that are capable of generating responses sans any safety or ethical constraints. Examples of such tools include WormGPT, WolfGPT, EscapeGPT, FraudGPT, and GhostGPT, which are explicitly designed to craft personalized phishing emails, generate templates for business email compromise (BEC) attacks, and design fraudulent websites. Attempts to misuse Gemini have also revolved around research into topical events, and content creation, translation, and localization as part of influence operations mounted by Iran, China, and Russia. In all, APT groups from more than 20 countries used Gemini. Google, which said it's "actively deploying defenses" to counter prompt injection attacks, has further emphasized the need for heightened public-private collaboration to raise cyber defenses and disrupt threats, stating "American industry and government need to work together to support our national and economic security." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  artificial intelligence, cybersecurity, data security, Google, hacking, Malware, Phishing, Threat Intelligence Trending News Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues Load More ▼ Popular Resources Identity Controls Checklist: Find Missing Protections in Apps Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths