Google has established itself as one of the leading names in the artificial intelligence segment. The company offers multiple services with advanced features powered by its Gemini AI models. These have proven to be quite useful and effective for multiple domains, be it academic, professional, or general. However, it seems that malicious actors around the world are also turning to Google’s AI services to boost their cyber operations.
In a blog post, the Google Threat Intelligence Group (GTIG) revealed that it had identified more than 57 threat groups linked to China, Iran, North Korea, and Russia that have used Gemini in support of their attacks. Many of these APT groups have ties to government agencies. US officials have recently been particularly concerned about the rise in popularity of DeepSeek and the national security risks it may pose. It seems, however, that they must also be vigilant about domestic AI platforms falling into the wrong hands.
More than 57 APT groups have used Gemini, Google’s AI, in their cyber operations
The researchers classify the attackers as Advanced Persistent Threat (APT) groups. They have turned to Google’s AI to speed up tasks across the attack lifecycle, making their campaigns more efficient, although GTIG stresses that the gains it observed were in productivity rather than in novel capabilities, and that it saw no new AI-enabled attack or jailbreak techniques. The report says that APTs have used Gemini for “coding, payload development, gathering information about potential targets, researching publicly known vulnerabilities, and enabling post-compromise activities, such as defense evasion” (via The Hacker News).
According to the GTIG report, Iranian actors were the “heaviest users of Gemini,” and the state-backed group APT42 alone accounted for more than 30% of Gemini use by Iranian threat actors. APT42 primarily targeted Western and Middle Eastern NGOs, media outlets, academic institutions, legal services, and activist groups. The group used Gemini to craft phishing lures and personas, including impersonating journalists and event organizers. APT42 also used it to research the Chinese and American defense industries.
Chinese APT groups also rely on Google’s AI for cyber operations. Gemini has been useful to them for reconnaissance, coding, troubleshooting, and researching ways to exploit security holes in network equipment. Russian APT groups, on the other hand, used Gemini primarily to rework existing malware: adding encryption routines to it and rewriting it in other programming languages.
North Korea infiltrates Western IT companies with the help of Gemini
North Korea, one of the most active state actors in cyberattacks, is not far behind. North Korean APT groups used Google’s AI to support their efforts to place clandestine IT workers inside Western companies through remote job applications.
“Of note, North Korean actors also used Gemini to draft cover letters and research jobs—activities that would likely support North Korea’s efforts to place clandestine IT workers at Western companies,” the GTIG report says. “A North Korea-backed group used Gemini to draft cover letters and proposals for job descriptions, researched average salaries for specific jobs, and asked about jobs on LinkedIn. The group also used Gemini for information about overseas employee exchanges. Many of the topics would be common for anyone researching and applying for jobs.”
Restriction-free LLMs available on underground forums
The report also notes LLMs marketed as free of any ethical or safety restrictions, either jailbroken commercial models or purpose-built ones. These are sold on underground forums to anyone willing to pay. The list includes WormGPT, WolfGPT, EscapeGPT, FraudGPT, and GhostGPT, among others. Such tools are advertised for tasks such as writing phishing emails, generating templates for business email compromise (BEC) attacks, and building malicious websites.
The GTIG report adds that Google is “actively deploying defenses” against prompt injection attacks. The researchers also call for closer cooperation between industry and government: “American industry and government need to work together to support our national and economic security,” they say.