State-sponsored threat actors from China, Iran, Russia, and North Korea have exploited Google’s Gemini AI in 2025 for malicious cyber activities, despite Google’s efforts to mitigate misuse. According to the AI Threat Tracker report by Google’s Threat Intelligence Group (GTIG), adversaries have evolved from merely using AI for productivity to leveraging it across various attack stages, including phishing and malware development.
Notable incidents include a China-linked actor masquerading as a capture-the-flag participant to gain exploitation guidance and an Iranian group, MUDDYCOAST, posing as university students to develop custom malware, inadvertently exposing their command-and-control infrastructure. Other groups similarly used Gemini for reconnaissance, phishing campaign creation, and cryptocurrency-related scams.
Furthermore, experimental malware such as PROMPTFLUX and PROMPTSTEAL illustrates the ongoing evolution of cyber threats, with capabilities to modify code dynamically or request commands via AI during operations. Google’s detection methods involve post-usage account degradation, creating potential exploitation windows for threat actors.
Source link
