
AI-enabled cyberattacks evolving from experimentation to operational reality with potential to scale industrially


Google’s Threat Intelligence Group (GTIG) warned that cyber adversaries are increasingly using generative AI tools across multiple stages of the attack lifecycle: reconnaissance, vulnerability research, malware and payload development, scripting, privilege escalation, phishing campaigns, and post-compromise activity. Large language models are being used to accelerate each of these stages rather than to replace the attacker’s own tradecraft.

In a new report examining how advanced persistent threat (APT) groups and coordinated information operations actors interacted with Gemini, Google said attackers showed particular interest in researching publicly disclosed vulnerabilities, generating malicious code, escalating privileges, evading detection, and automating operational tasks. 

Google also observed threat actors using AI tools to assist with targeting government organizations, researching endpoint detection and response systems, accessing Microsoft Exchange environments using password hashes, developing remote access capabilities, and automating data extraction activities. The company noted that while most observed activity focused on accelerating existing attack workflows rather than enabling fully autonomous attacks, adversaries are steadily integrating AI into broader offensive operations. 

In a series of new findings published this year, Google said state-backed and financially motivated threat actors linked to China, North Korea, Iran, and Russia are no longer merely experimenting with AI for productivity gains. Instead, attackers are integrating models such as Gemini and other commercial LLMs directly into offensive operations to automate targeting, refine malicious code, generate phishing content, analyze vulnerabilities, and improve operational scale and speed.

Google researchers observed adversaries using generative AI to conduct open-source intelligence gathering, profile high-value targets, identify exploitable weaknesses, generate malicious scripts, and support post-compromise actions once access had already been established inside victim environments. The company also documented attempts to bypass AI safety controls through persona-based jailbreaking techniques designed to coax models into producing restricted or malicious outputs.

One of the most significant disclosures involved what Google described as the first known case where attackers used AI assistance to identify and develop a zero-day exploit before launching a planned mass exploitation campaign. According to GTIG, the exploit targeted an unnamed open-source web-based system administration platform and aimed to bypass two-factor authentication through a semantic logic flaw tied to hardcoded trust assumptions. Google said it disrupted the campaign before threat actors could operationalize the exploit at scale.

The GTIG report found that actors linked to countries including Iran and China accounted for some of the highest volumes of misuse attempts, though many efforts to bypass Gemini’s safety controls relied on relatively unsophisticated jailbreak techniques and were unsuccessful. Google warned that the threat landscape is now shifting beyond theoretical misuse scenarios, with adversaries increasingly experimenting with AI-enabled malware and operational workflows capable of dynamically adapting during attacks. 

“Threat actors are leveraging AI to augment various phases of the attack lifecycle,” GTIG wrote in its Monday blog post. “This includes supporting the development of vulnerability exploits and malware, facilitating autonomous execution of commands, enabling more targeted and well-researched reconnaissance, and improving the efficacy of social engineering and information operations.”

It observed that as the coding capabilities of AI models advance, adversaries increasingly leverage these tools as expert-level force multipliers for vulnerability research and exploit development, including for zero-day vulnerabilities. While these tools empower defensive research, they also lower the barrier for adversaries to reverse-engineer applications and develop sophisticated, AI-generated exploits.

“There’s a misconception that the AI vulnerability race is imminent. The reality is that it’s already begun. For every zero-day we can trace back to AI, there are probably many more out there,” John Hultquist, chief analyst at Google Threat Intelligence Group, wrote in an emailed statement. “Threat actors are using AI to boost the speed, scale, and sophistication of their attacks. It enables them to test their operations, persist against targets, build better malware, and make many other improvements. State actors are taking advantage of this technology, but the criminal threat shouldn’t be underestimated, especially given their history of broad, aggressive attacks.” 

GTIG identified a threat actor using a zero-day exploit that it believes was developed with AI. The criminal threat actor planned to use it in a mass exploitation event, but proactive counter-discovery may have prevented its use. Hackers associated with the People’s Republic of China (PRC) and the Democratic People’s Republic of Korea (DPRK) have also demonstrated significant interest in capitalizing on AI for vulnerability discovery. 

Adversaries are using AI-assisted coding to accelerate the development of attack infrastructure suites and polymorphic malware. These AI-enabled development cycles aid defense evasion, for example by building obfuscation networks and by embedding AI-generated decoy logic in malware that Google has linked to suspected Russia-nexus hackers.

The post noted that AI-enabled malware, such as PROMPTSPY, signals a shift toward autonomous attack orchestration, where models interpret system states to generate commands and manipulate victim environments. GTIG’s analysis of this malware reveals previously unreported capabilities and use cases for integration with AI. This approach allows threat actors to offload operational tasks to AI for scaled and adaptive activity.

Adversaries continue to leverage AI as a high-speed research assistant for attack lifecycle support, while shifting toward agentic workflows to operationalize autonomous attack frameworks. In information operations (IO) campaigns, these tools facilitate the fabrication of digital consensus by generating synthetic media and deepfake content at scale, exemplified by the pro-Russia IO campaign ‘Operation Overload.’ Hackers now pursue anonymized, premium-tier access to models through professionalized middleware and automated registration pipelines to illicitly bypass usage limits. This infrastructure enables large-scale misuse of services while subsidizing operations through trial abuse and programmatic account cycling.

GTIG highlighted that adversaries like ‘TeamPCP’ (aka UNC6780) have begun targeting AI environments and software dependencies as an initial access vector. These supply chain attacks result in multiple types of machine learning (ML)-focused risks outlined in the Secure AI Framework (SAIF) taxonomy, namely Insecure Integrated Component (IIC) and Rogue Actions (RA). Analysis of forensic data associated with these attacks reveals threat actors attempting to pivot from compromised AI software to broader network environments for initial access and engage in disruptive activities, such as ransomware deployment and extortion.

GTIG also identified multiple threat actors experimenting with AI models to develop malware and operational support tools that augment obfuscation capabilities. This has included using AI to perform just-in-time dynamic modification of source code, enable dynamic payload generation, assist in the development of operational relay box (ORB) network management tools, and generate decoy code. While often experimental, this transition underscores a move toward AI-driven, evasive software suites.

“We observed activity associated with the PRC-nexus threat actor APT27, which has leveraged Gemini to accelerate the development of a fleet management application likely to support the management of an operational relay box (ORB) network,” the blog added. “Our observations of the tool revealed a ‘maxHops’ parameter hardcoded to 3 hops, an indicator that the tool was related to development of an anonymization network rather than a VPN since those are typically set to 1 hop. Additionally, the tool lists MOBILE_WIFI and ROUTER as supported device types, suggesting it uses 4G or 5G SIM cards to provide residential IP addresses to potentially obfuscate the true origin of the intrusion activity.” 

Additionally, GTIG has continued to observe Russia-nexus intrusion activity targeting Ukrainian organizations to deliver AI-enabled malware as part of their operations. Analysis confirms the use of CANFAIL and LONGSTREAM, which utilize LLM-generated decoy code to obfuscate their malicious functionality. 

The post added that adversaries use LLMs to perform reconnaissance that would previously have required significant manual effort. “For instance, we have observed actors prompting models to generate detailed organizational hierarchies for specific departments and third-party relationships of large enterprises, particularly those involving high-value functions like finance, internal security, and human resources. This data allows for the creation of higher-fidelity phishing lures tailored to individuals with administrative privileges or access to sensitive data, moving beyond the commodity tactics of traditional bulk phishing.”

GTIG’s tracking of IO threats across the open internet continues to uncover activity illustrating how hackers use AI tooling to enhance established tactics. For example, GTIG uncovered activity linked to the pro-Russia IO campaign ‘Operation Overload,’ involving video content that leveraged suspected AI voice cloning to impersonate real journalists. This likely represents an AI-supported advancement of the campaign’s established tactics, which have long included inauthentic video content designed to appropriate the branding and legitimacy of media and other high-profile organizations in support of campaign messaging.

As organizations continue integrating large language models (LLMs) into production environments, the AI software ecosystem has emerged as a primary target for exploitation. While frontier models themselves remain highly resilient to direct compromise, the orchestration layers, including open-source wrapper libraries, API connectors, and skill configuration files, can be vulnerable. GTIG has observed adversaries increasingly target the integrated components that grant AI systems their utility, such as autonomous skills and third-party data connectors.

Back in February, GTIG analysis identified that the defense industrial base is facing sustained and multifaceted cyber pressure from state-sponsored actors, criminal groups, and hacktivists, with targeting extending beyond military systems into defense contractors, personnel, and supply chains.
