Google’s Threat Intelligence Group (GTIG) has uncovered that more than 57 nation-state threat actors from China, Iran, North Korea, and Russia are leveraging artificial intelligence (AI) technology, particularly Google's Gemini, to advance their cyber and information warfare tactics. These groups, commonly known as Advanced Persistent Threats (APT), are using AI for various malicious purposes, including cyberattacks, reconnaissance, phishing campaigns, and defense evasion.
According to Google’s report, APT groups are experimenting with Gemini to enhance their operations, gaining productivity advantages but not yet achieving novel capabilities. The primary uses of AI among these groups include:
- Coding and scripting tasks
- Developing malicious payloads
- Gathering intelligence on targets
- Researching known vulnerabilities
- Evading security defenses
- Crafting and localizing disinformation content
Iranian APTs: The Heaviest Users of Gemini
Among the identified threat actors, Iranian APT groups—particularly APT42 (
- Crafting phishing campaigns
- Conducting reconnaissance on defense experts and organizations
- Generating content related to cybersecurity
APT42 has a history of sophisticated social engineering attacks, often masquerading as journalists and event organizers to infiltrate networks. Their targets include Western and Middle Eastern NGOs, media organizations, academia, legal services, and activists. Additionally, Iranian APTs have been researching military and weapons systems, China’s defense industry strategies, and U.S. aerospace technologies.
China’s Cyber Espionage Tactics
Chinese APT groups are leveraging Gemini for reconnaissance, troubleshooting code, and penetrating victim networks. Their primary focus is on:
- Lateral movement (spreading within networks)
- Privilege escalation (gaining higher access rights)
- Data exfiltration (stealing sensitive information)
- Detection evasion (avoiding cybersecurity defenses)
These tactics reflect China’s continued emphasis on cyber espionage, targeting strategic industries, government institutions, and critical infrastructure worldwide.
Russia and North Korea’s AI-Driven Cyber Strategies
Russian APT groups were observed using Gemini to convert existing malware into different programming languages and add encryption layers, making their attacks more difficult to detect.
Meanwhile, North Korean hackers used Gemini to research IT infrastructure and hosting providers. They also employed AI to draft fake job applications, supporting North Korea’s efforts to place covert IT workers in Western tech companies. Google reported that one North Korean group used Gemini to:
- Draft cover letters and proposals for job applications
- Research average salaries for specific tech roles
- Gather intelligence on overseas employee exchanges
This tactic aligns with North Korea’s longstanding strategy of infiltrating international companies, often using foreign earnings to fund state-sponsored programs, including weapons development.
Google’s research also highlights the emergence of underground AI models that lack ethical and safety constraints, making them ideal for cybercriminals. Some of these malicious tools include:
- WormGPT
- WolfGPT
- EscapeGPT
- FraudGPT
- GhostGPT
These rogue large language models (LLMs) are explicitly designed for cybercrime, such as:
- Generating phishing emails
- Crafting business email compromise (BEC) attacks
- Developing fraudulent websites
Additionally, APTs from over 20 countries have used Gemini for influence operations, researching current events and generating propaganda content in multiple languages to manipulate public perception.
Google has pledged to strengthen AI defenses, actively deploying countermeasures against prompt injection attacks (where hackers manipulate AI responses). The company is also advocating for stronger collaboration between governments and private industry to enhance national security.
“American industry and government need to work together to support our national and economic security,” Google emphasized, underlining the urgent need for a unified approach to combat AI-enabled cyber threats.
With nation-state hackers rapidly adapting AI for cyber warfare, the battle for cybersecurity is now entering a new phase—one where AI-driven defense mechanisms must evolve just as fast as AI-powered attacks.