Google Reports Hackers Using Gemini to Develop Malware and Conduct End-to-End Cyberattacks


Friday, February 13, 2026

The Google Threat Intelligence Group (GTIG) has revealed that several state-backed hacker groups and advanced persistent threat (APT) actors have begun leveraging the Google Gemini model to support multi-stage cyberattacks. Observed activities include reconnaissance, generating phishing and social engineering content, writing and refining code, and testing target vulnerabilities. Attackers were found using AI to analyze techniques such as Remote Code Execution (RCE) and SQL injection, as well as to debug code, significantly accelerating malware development cycles.

Cybercriminals are increasingly integrating AI capabilities directly into their attack toolkits. Researchers identified malware called “HonestCue,” a framework that uses the Gemini API to generate C# code capable of executing payloads in memory. Another toolkit, “CoinBait,” impersonates digital asset trading platforms and shows evidence of AI-assisted development. Additionally, investigators uncovered the ClickFix campaign, which used AI-generated malicious advertisements in search results to trick users into executing commands that install data-stealing malware on macOS systems.

Beyond using AI as an operational tool, threat actors have also targeted the Gemini model itself through attacks such as model extraction and knowledge distillation. By sending large volumes of prompts, attackers attempt to learn and replicate Gemini’s decision-making processes to build lower-cost competing models. Google stated that such actions violate intellectual property rights and threaten the AI-as-a-service business model. The company has since suspended the related accounts and strengthened its safeguards to prevent further abuse.

Source: https://www.bleepingcomputer.com/news/security/google-says-hackers-are-abusing-gemini-ai-for-all-attacks-stages/