The Digester
Week 7, Sunday

Google: State hackers using Gemini AI across all stages of cyberattacks

A Google Threat Intelligence report says actors tied to China, Russia, Iran and others are using Gemini for reconnaissance, phishing, exploit development and follow-on actions, prompting account blocks and model updates.

  • Google found Gemini used for reconnaissance, phishing lure creation, exploit coding, command and control and data exfiltration.
  • Chinese-linked actors used Gemini for vulnerability analysis and penetration testing including RCE, WAF bypass and SQL injection trials.
  • North Korean and Iranian actors used Gemini to profile high value targets and generate tailored phishing personas and emails.
  • State actors also experimented with politically targeted propaganda and satire generated by the model.
  • Underground toolkits like Xanthorox chain general-purpose models together via MCP servers rather than relying on bespoke attack models, which creates demand for stolen API keys.
  • Google has disabled accounts, blocked assets and updated Gemini protections, while warning that AI-assisted attacks are likely to evolve.