
Nation-state hackers ramping up use of Gemini for target reconnaissance, malware coding, Google says

State-backed hacking groups in China, North Korea and Iran are using Google’s Gemini AI tool to speed up their attacks on rivals, refine malware and research their targets.

In one example highlighted in a report published Thursday, Google’s Threat Intelligence Group (GTIG) said it observed a known Chinese group using Gemini to compile information on specific people in Pakistan and structural data on separatist organizations in various countries. 

Google said it disabled the assets the group used, but noted that “the threat actor included similar targets in Pakistan in their campaign.”

Researchers found that advanced persistent threat (APT) groups were using the AI tool for coding and scripting tasks, gathering information about potential targets, researching publicly known vulnerabilities and enabling post-compromise activities. 

John Hultquist, chief analyst at GTIG, told Recorded Future News that it is difficult to compare how nation-states are using Gemini: North Korea and Iran were early to adopt AI to improve their social engineering, while Chinese actors are developing a variety of agentic use cases.

The findings mirror much of what several other AI companies have reported over the last two years about how government-backed hacking groups are using popular, publicly available large language models to streamline reconnaissance and act as a force multiplier during attacks. 

So far, APT groups are using LLMs like Gemini to bypass the manual labor that is typically required for profiling organizations, finding high-value targets and crafting convincing lure emails.

Gemini has allowed threat actors to “move from initial reconnaissance to active targeting at a faster pace and broader scale,” GTIG said. 

Synthesizing OSINT

GTIG attributed several incidents last quarter to known APT groups with long histories of hacking on behalf of governments, with countries using Gemini for varying purposes. 

Iranian group APT42 — also tracked as GreenCharlie, Charming Kitten and Mint Sandstorm — was seen using Gemini to search for official emails for specific entities and conduct reconnaissance on potential business partners to establish a credible pretext for a phishing email. 

The group — which has previously spoofed media brands and targeted Israeli journalists, cybersecurity professionals and computer science professors with phishing emails — was seen providing Gemini with the biography of a target and asking it to craft a good persona or scenario that would get them to engage. 

APT42 also used Gemini to translate phishing emails and to better understand phrases and references in other languages, and to accelerate its development of malware and offensive tools, its code generation and its exploitation techniques. 

A North Korean group focused on attacking the defense sector used Gemini to “synthesize open-source intelligence (OSINT) and profile high-value targets to support campaign planning and reconnaissance.”

“This actor’s target profiling included searching for information on major cybersecurity and defense companies and mapping specific technical job roles and salary information,” GTIG said. 

“This activity blurs the distinction between routine professional research and malicious reconnaissance, as the actor gathers the necessary components to create tailored, high-fidelity phishing personas and identify potential soft targets for initial compromise.”

Multiple days a week

A variety of sophisticated Chinese groups deployed Gemini to automate the analysis of vulnerabilities and generate targeted testing plans, GTIG said. At least one group constructed a fictitious scenario and asked Gemini to test bypass techniques against specific U.S.-based targets, automating intelligence gathering to identify weaknesses in organizational defenses.

Another PRC-based group reportedly used Gemini multiple days a week to troubleshoot their code, conduct research on specific types of bugs and more. 

The report notes that threat groups from China, Iran, Russia and Saudi Arabia are also using Gemini to produce political satire and propaganda. 

GTIG also confirmed previous research from Cato Networks that found cybercriminals experimenting with malware that integrates LLM capabilities directly into an attack chain.

In September, GTIG researchers observed malware samples, which they named HONESTCUE, that used Gemini's API to outsource the generation of their own functionality. 

“Our examination of HONESTCUE malware samples indicates the adversary’s incorporation of AI is likely designed to support a multi-layered approach to obfuscation by undermining traditional network-based detection and static analysis,” the researchers said. 

HONESTCUE is a downloader and launcher framework that sends a prompt to Gemini's API and receives C# source code in response, the researchers explained. That generated code implements the "stage two" functionality, which downloads and executes another piece of malware. Because the second-stage code is produced at runtime rather than stored in the sample, static analysis of the sample alone does not reveal what the second stage does, and the outbound traffic goes to a legitimate Google service rather than to attacker infrastructure. 

GTIG noted that it has not associated this malware with any existing clusters of threat activity, but said its researchers “suspect this malware is being developed by developers who possess a modicum of technical expertise.”

“Specifically, the small iterative changes across many samples as well as the single VirusTotal submitter, potentially testing antivirus capabilities, suggests a singular actor or small group,” they said.
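The following Python hunt is an added example, not code from GTIG's report or from the HONESTCUE samples themselves. It shows the behavioural correlation a detection engineer would look for given the description above: a process that is not an expected AI client reaching the Gemini API, followed within a short window by that same process launching a C# compiler. The API hostname (generativelanguage.googleapis.com is the public Gemini REST endpoint, but the article does not say which endpoint the malware uses), on-host compilation via csc.exe, the Sysmon-like event fields, the allowlist of browser processes and every log line below are assumptions or constructed sample data, not details from the article.

```python
"""Behavioural hunt for LLM-generated "stage two" downloaders (HONESTCUE-style).

Added example, not from GTIG's report. Assumptions not supported by the article:
  - the malware reaches the public Gemini REST API host
    generativelanguage.googleapis.com;
  - the returned C# is compiled on the host, so the caller spawns csc.exe;
  - telemetry is available as network-connection and process-creation events
    (Sysmon-like fields: ts, image, pid, dest_host, child_image).
SAMPLE_LOG is constructed test data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import json

GEMINI_HOSTS = {"generativelanguage.googleapis.com"}          # assumption
COMPILERS = {"csc.exe", "vbc.exe"}                            # assumption
# Processes expected to talk to the Gemini API on a workstation; tune per estate.
ALLOWED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "code.exe"}
WINDOW = timedelta(minutes=5)   # API call -> compiler spawn correlation window

# Constructed sample telemetry (JSON lines), not real events.
SAMPLE_LOG = """
{"ts":"2025-09-10T10:00:01","type":"net","image":"chrome.exe","pid":2200,"dest_host":"generativelanguage.googleapis.com","dest_port":443}
{"ts":"2025-09-10T10:00:05","type":"net","image":"updater.exe","pid":4120,"dest_host":"generativelanguage.googleapis.com","dest_port":443}
{"ts":"2025-09-10T10:00:09","type":"proc","image":"updater.exe","pid":4120,"child_image":"csc.exe","child_pid":4188}
{"ts":"2025-09-10T10:30:00","type":"net","image":"svchost.exe","pid":900,"dest_host":"generativelanguage.googleapis.com","dest_port":443}
{"ts":"2025-09-10T11:00:00","type":"proc","image":"devenv.exe","pid":5000,"child_image":"csc.exe","child_pid":5010}
{"ts":"2025-09-10T11:20:00","type":"net","image":"outlook.exe","pid":6000,"dest_host":"outlook.office365.com","dest_port":443}
"""


@dataclass
class Finding:
    rule: str
    severity: str
    image: str
    pid: int
    ts: str


def parse_events(text):
    """Parse JSON-lines telemetry into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def hunt(events):
    """Return findings: Gemini API use by an unexpected process (medium), and the
    same process spawning a C# compiler within WINDOW afterwards (high)."""
    api_calls = defaultdict(list)   # pid -> timestamps of Gemini API connections
    findings = []
    for ev in events:
        if ev["type"] == "net" and ev["dest_host"].lower() in GEMINI_HOSTS:
            if ev["image"].lower() in ALLOWED_CLIENTS:
                continue            # browsers/IDEs talking to Gemini are expected
            api_calls[ev["pid"]].append(ev["ts"])
            findings.append(Finding("gemini_api_from_unexpected_process", "medium",
                                    ev["image"], ev["pid"], ev["ts"].isoformat()))
        elif ev["type"] == "proc" and ev["child_image"].lower() in COMPILERS:
            # Correlate on pid; in real telemetry also compare process start time,
            # since pids are reused.
            recent = [t for t in api_calls.get(ev["pid"], []) if ev["ts"] - t <= WINDOW]
            if recent:
                findings.append(Finding("gemini_api_then_compile", "high",
                                        ev["image"], ev["pid"], ev["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_LOG)):
        print(f"[{f.severity}] {f.rule}: {f.image} (pid {f.pid}) at {f.ts}")
```

On the sample data this flags updater.exe twice (the API call, then the escalated API-call-plus-compile) and svchost.exe once, while chrome.exe (allowlisted) and devenv.exe (compiles, but never reached the API) produce nothing. TLS to a Google domain is low signal on its own, which is why the first rule only rates medium; the correlation with an ad hoc compile is what raises confidence. A sample that compiles in memory through Roslyn or CodeDom would not spawn csc.exe, so module-load or .NET assembly-load telemetry would be the next signal to add.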

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.