ACCORDING to Google, Google DeepMind and GTIG report a rise in model extraction or “distillation” attacks aimed at stealing AI intellectual property, and state-backed actors from North Korea, Iran, China and Russia are using AI for research, targeting and phishing. The report notes that threat actors increasingly use large language models to craft polished phishing messages and conduct “rapport-building” campaigns to bypass warnings about poor grammar.
It highlights that the North Korea–linked hacker group UNC2970 used Gemini to gather intelligence on targets and support cyber operations, with target profiling including major cybersecurity and defence firms. The Iran-linked group APT42 also used generative AI tools like Gemini to boost reconnaissance and social engineering, while Google disrupted the activity and disabled related assets.
In September 2025, Google tracked HONESTCUE, malware that uses the Gemini API to generate malicious C# code on demand, and in November 2025 GTIG found COINBAIT, a phishing kit tied to UNC5356 and built with AI assistance. Google notes it disabled accounts linked to this abuse and is strengthening safeguards, red teaming, and secure AI development through frameworks like SAIF. 13 February 2026.