ON 12 February 2026, Google reported that the North Korea‑linked threat actor UNC2970 used its Gemini generative AI model to conduct reconnaissance on targets, with campaigns described as weaponising the tool to accelerate multiple phases of the cyber attack life cycle.
According to Google Threat Intelligence Group (GTIG) in a report shared with The Hacker News, UNC2970 used Gemini to synthesise OSINT and profile high‑value targets, including information on major cybersecurity and defence companies and mapping specific technical job roles and salaries. GTIG characterised the activity as blurring the line between routine research and malicious reconnaissance, enabling the crafting of tailored phishing personas and identification of soft targets for initial compromise.
The article notes that UNC2970 overlaps with Lazarus Group, Diamond Sleet, and Hidden Cobra, and mentions other groups that have integrated Gemini into their workflows, such as UNC6418, Temp[.]HEX (also tracked as Mustang Panda), APT31 (also tracked as Judgement Panda), APT41, UNC795, and APT42, each with its own espionage or operational aims.
It also highlights HONESTCUE as a Gemini‑driven downloader/launcher and COINBAIT as an AI‑generated phishing kit linked to UNC5356, while noting a broader wave of model‑extraction attacks and related advisories.