State-Sponsored Espionage Enters the AI Era: Google Reveals Extensive Abuse of Gemini
In a landmark disclosure that underscores the dual-edged nature of artificial intelligence, Google’s Threat Intelligence Group (GTIG) has released a comprehensive report detailing how state-sponsored actors from China, Iran, North Korea, and Russia are systematically exploiting Gemini AI. The report, released this week, provides the most granular evidence to date that Generative AI is no longer just a theoretical risk in cybersecurity but an active operational tool across every stage of the attack lifecycle.
From refining phishing lures to generating polymorphic malware code, adversaries are leveraging the capabilities of Large Language Models (LLMs) to accelerate their campaigns. Perhaps most alarmingly, Google has highlighted a new sophisticated class of threat: "distillation attacks," where cybercriminals attempt to steal the intellectual property of the AI models themselves to build uncensored, private versions of the technology.
As the AI landscape fractures between open innovation and securitized control, the revelations come at a pivotal moment. While Google battles unauthorized usage by rogue states, the U.S. Department of Defense finds itself in a public standoff with AI leader Anthropic over safety constraints, painting a complex picture of the future of weaponized AI.
The Rise of "Distillation" Attacks: Stealing the Brain of the AI
One of the most technically significant findings in the Google report is the prevalence of model extraction, or "distillation" attacks. Unlike traditional data theft, which targets user information or credentials, distillation attacks target the AI model’s cognitive architecture.
Google reported disrupting a massive campaign involving over 100,000 generated prompts designed to probe Gemini’s logic, reasoning, and linguistic capabilities. The attackers’ goal was not to disrupt the service but to replicate it. By systematically querying the model and recording its outputs, adversaries can create a dataset to train smaller, "student" models that mimic Gemini’s performance.
Why Distillation Matters:
- Intellectual Property Theft: It allows competitors or bad actors to clone proprietary technology without incurring the massive training costs of a frontier model.
- Bypassing Safety Filters: Once an attacker has "distilled" the model’s capabilities into their own private system, they can remove the safety guardrails (RLHF) that companies like Google and OpenAI painstakingly implement. This results in an uncensored model capable of writing malware or generating hate speech without restriction.
- Scalability: Google notes that these attacks are highly scalable and often automated, turning legitimate API access into a siphon for high-value intelligence.
Global Threat Actors and Their Tactics
The report details a "relentless barrage" of activity, attributing specific AI-enhanced tactics to well-known Advanced Persistent Threat (APT) groups. The diversity of these attacks illustrates that AI is being adopted not just by elite hacking units, but across the spectrum of cyber espionage.
The following table summarizes the key actors identified by Google and their specific misuse of Gemini:
| Group Name | Origin | Primary Objective | AI Tactic Used |
|---|---|---|---|
| UNC2970 | North Korea | Defense Sector Espionage | OSINT synthesis, profiling targets for "Operation Dream Job" |
| APT42 | Iran | Phishing & Credential Theft | Translation, persona development, drafting persuasive emails |
| UNC4841/UNC3886 | China | Technical Exploitation | Vulnerability research, code generation, script optimization |
| APT44 (Sandworm) | Russia | Critical Infrastructure Sabotage | Overcoming technical limitations in wartime operations |
| Financially Motivated Groups | Global | Profit/Ransomware | Developing "Honestcue" malware, AI-driven phishing kits |
North Korea: The Recruitment Charade
North Korean group UNC2970, linked to the infamous Lazarus Group, has integrated Gemini into its long-running "Operation Dream Job." This campaign targets employees in the defense and aerospace sectors with fake job offers to infiltrate secure networks. Google’s analysis reveals that UNC2970 uses Gemini to scrape and synthesize Open Source Intelligence (OSINT) from LinkedIn and other platforms. By feeding profiles into the AI, the group generates highly personalized, credible recruitment materials that bypass the skepticism of security-conscious targets. The AI allows them to map technical roles and salary structures with unprecedented speed.
Iran: The Social Engineering Engine
For Iranian actors like APT42, the barrier to entry for effective social engineering has historically been language and cultural nuance. Gemini has effectively lowered this barrier. The group utilizes the model to draft phishing emails that are grammatically perfect and culturally attuned to their targets in Israel and the U.S. Furthermore, APT42 uses the AI for post-compromise activity, such as parsing stolen data to rapidly identify high-value email addresses and credentials, accelerating the "breakout" time after an initial breach.
China: Automating the Kill Chain
Chinese state-sponsored groups have shown a preference for technical integration. Rather than just using AI for text, they are employing Gemini for code analysis. The report highlights how groups like UNC4841 use the model to suggest optimizations for scripts or identify bugs in potential exploits. This suggests a shift toward "AI-assisted hacking," where human operators use LLMs as a force multiplier to identify zero-day vulnerabilities or write polymorphic code that evades antivirus signatures.
Automated Malware and the "Honestcue" Threat
Beyond state espionage, the report sheds light on the commercial cybercrime sector's adoption of AI. A standout discovery is "Honestcue," a malware framework explicitly designed to leverage the Gemini API.
Honestcue operates as a downloader and launcher that sends natural language prompts to the Gemini API and receives malicious C# source code in response. Because the code is generated dynamically and executed in memory, it creates a "fileless" attack footprint that is incredibly difficult for traditional endpoint detection systems to flag. This represents a significant evolution: malware is no longer a static file but a dynamic set of instructions generated on the fly by a cloud-based AI.
Similarly, Google identified "ClickFix" campaigns—social engineering attacks that use AI to generate convincing technical support instructions. These instructions trick users into copying and pasting malicious scripts into their own terminals, exploiting the victim's trust in "fix-it" guides.
The Defense Dilemma: Anthropic vs. The Pentagon
While Google fights to keep criminals out of its AI ecosystem, a different battle is brewing in Washington regarding who is allowed in. As confirmed by reports from Axios and The Wall Street Journal this week, the U.S. Department of Defense (DoD) is clashing with AI provider Anthropic over the latter's strict usage policies.
Defense Secretary Pete Hegseth has threatened to label Anthropic a "supply chain risk" and cut ties with the company. The core of the dispute lies in Anthropic's "Constitutional AI" approach, which includes refusals to assist with weapons development or lethal operations. While these safeguards are designed to prevent the exact kind of misuse Google is seeing from Iran and North Korea, the Pentagon views them as a liability.
"Our warfighters need to have access to the models that provide decision superiority in the battlefield," a DoD official stated, criticizing models that "won't allow you to fight wars." This tension was exacerbated by the revelation that Anthropic’s Claude model was reportedly used via Palantir during the January raid that captured Venezuelan President Nicolás Maduro. The incident highlights the "Dual-Use Dilemma": the very safeguards intended to prevent AI from becoming a tool of terror are now being framed as obstacles to national security.
Strategic Implications for the Industry
The convergence of these two stories—Google’s report on criminal abuse and the Pentagon’s row with Anthropic—paints a stark picture of the AI security landscape in 2026.
For cybersecurity professionals, the Google report confirms that the "barrier to entry" for sophisticated attacks has collapsed. Script kiddies can now generate complex malware, and non-native speakers can craft perfect phishing lures. The "distillation" attacks serve as a warning to all enterprise AI adopters: your model is your IP, and it is under active siege.
For policymakers, the contradiction is glaring. The industry is simultaneously being asked to lock down models to prevent state-sponsored abuse (Google’s challenge) and open up models to enable state-sanctioned military operations (Anthropic’s challenge). As threat actors like UNC2970 and APT42 continue to innovate, the West's ability to balance innovation, safety, and defense capabilities will define the next era of cyber warfare.
Google’s response has been to strengthen its "robust ecosystem" of defenses, disrupting the accounts and infrastructure associated with these actors. However, as the "Honestcue" malware demonstrates, as long as APIs are open for business, they remain open for exploitation.
