
    Google Strengthens Defenses as Threat Actors Integrate AI Into Cyber Campaigns

    In the final quarter of 2025, Google Threat Intelligence Group (GTIG) observed a notable increase in threat actors integrating artificial intelligence (AI) across their operations to accelerate attack workflows. AI tools were leveraged for reconnaissance, social engineering, and malware development, yielding significant productivity gains for malicious actors. This report updates findings from November 2025, highlighting the evolution of AI-enabled threats and measures taken to mitigate them.

    GTIG and Google DeepMind identified a rise in model extraction attempts, known as “distillation attacks,” where actors attempt to replicate proprietary model logic. While no direct attacks on frontier models or generative AI products by advanced persistent threat (APT) actors were observed, frequent extraction attempts from private sector entities and researchers were mitigated. Government-backed threat actors increasingly used large language models (LLMs) for technical research, target development, and generating sophisticated phishing lures. Countries observed operationalizing AI in these contexts included North Korea, Iran, China, and Russia.

    Model extraction attacks exploit legitimate API access to systematically probe AI models, extracting knowledge to train derivative models. While knowledge distillation has legitimate uses, unauthorized extraction from Google’s Gemini models violates terms of service. GTIG disrupted these attempts globally and strengthened model safeguards to prevent intellectual property theft. A notable campaign targeted Gemini’s reasoning capabilities, attempting to coerce outputs for replication. Google successfully mitigated over 100,000 such prompts in real time.

    Threat actors have applied AI for reconnaissance, target profiling, and social engineering. LLMs enabled faster, hyper-personalized phishing campaigns and “rapport-building” interactions, allowing actors to bypass traditional linguistic or cultural red flags. For example, Iranian APT42 used Gemini to research potential targets, craft persuasive personas, and translate content for localized campaigns. North Korean UNC2970 similarly leveraged AI for defense-target profiling and tailored phishing efforts.

    Threat actors explored agentic AI capabilities to autonomously support malware development, penetration testing, and coding. PRC-based APT31 and UNC795 employed Gemini for automated vulnerability analysis, tool generation, and code auditing, integrating AI into multiple stages of operations. Additionally, malware families like HONESTCUE used Gemini’s API to generate second-stage malicious code, while the COINBAIT phishing kit relied on AI-generated code and web interfaces for credential harvesting.

    GTIG observed underground marketplaces offering AI tools for offensive purposes, including “Xanthorox,” a service that claimed to be an independent AI but relied on commercial models. Threat actors exploited exposed API keys and misconfigured tools, creating a black market for AI resources. Google mitigated these risks by disabling accounts and monitoring abuse vectors.

    Google emphasizes proactive measures to safeguard AI models and users. Efforts include disabling malicious assets, enhancing classifiers, and applying safety measures to prevent misuse. GTIG works with industry partners to share best practices, red team models, and develop secure AI frameworks. Experimental agents like Big Sleep and CodeMender demonstrate AI’s potential for proactive vulnerability detection and automated patching.

    AI adoption by threat actors is rapidly evolving, with increased sophistication in malware development, phishing, and reconnaissance. GTIG continues to monitor, mitigate, and share intelligence on emerging AI threats, aiming to strengthen defenses for organizations and the broader AI ecosystem. Indicators of compromise (IOCs) are available through GTIG’s collection for registered users to assist in threat hunting.

     
