Threat Actors Exploit Google’s Gemini to Accelerate Cyberattacks
Google Threat Intelligence Group (GTIG) recently reported that cybercriminals—in particular, state-sponsored threat actors from North Korea, Iran, China, and Russia—are misusing Gemini, Google’s large language model (LLM), to support all stages of their attack lifecycle. Specifically, GTIG observed threat actors using Gemini to code and script tasks, accelerate reconnaissance, research publicly known vulnerabilities, and enable malware development and post-compromise activity. Examples of State-Sponsored Threat Actor’s Use of Gemini GTIG documented several examples of state-backed actors integrating Gemini into their operations, including: North Korea: GTIG observed the North Korean government-backed group UNC2970 use Gemini to synthesize open-source intelligence (OSINT ) and profile high-value targets to support campaign planning and reconnaissance. Iran: The Iranian sponsored actor APT42 used generative AI models, including Gemini, to search f...