Google says hackers abuse Gemini AI to empower their attacks

Multiple state-sponsored groups are experimenting with the AI-powered Gemini assistant from Google to increase productivity and to conduct research on potential infrastructure for attacks or for reconnaissance on targets.
Google's Threat Intelligence Group (GTIG) detected government-linked advanced persistent threat (APT) groups using Gemini primarily for productivity gains rather than to develop or conduct novel AI-enabled cyberattacks that can bypass traditional defenses.
Threat actors have been trying to leverage AI tools for their attack purposes with varying degrees of success, as these utilities can at least shorten the preparation period.
Google has identified Gemini activity associated with APT groups from more than 20 countries but the most prominent ones were from Iran and China.
Among the most common cases were assistance with coding tasks for developing tools and scripts, research on publicly disclosed vulnerabilities, checking on technologies (explanations, translation), finding details on target organizations, and searching for methods to evade detection, escalate privileges, or run internal reconnaissance in a compromised network.
Google says APTs from Iran, China, North Korea, and Russia have all experimented with Gemini, exploring the tool's potential in helping them discover security gaps, evade detection, and plan their post-compromise activities. These are summarized as follows:
- Iranian threat actors were the heaviest users of Gemini, leveraging it for a wide range of activities, including reconnaissance on defense organizations and international experts, research into publicly known vulnerabilities, development of phishing campaigns, and content creation for influence operations. They also used Gemini for translation and technical explanations related to cybersecurity and military technologies, including unmanned aerial vehicles (UAVs) and missile defense systems.
- China-backed threat actors primarily utilized Gemini for reconnaissance on [website] military and government organizations, vulnerability research, scripting for lateral movement and privilege escalation, and post-compromise activities such as evading detection and maintaining persistence in networks. They also explored ways to access Microsoft Exchange using password hashes and reverse-engineer security tools like Carbon Black EDR.
- North Korean APTs used Gemini to support multiple phases of the attack lifecycle, including researching free hosting providers, conducting reconnaissance on target organizations, and assisting with malware development and evasion techniques. A significant portion of their activity focused on North Korea's clandestine IT worker scheme, using Gemini to draft job applications, cover letters, and proposals to secure employment at Western companies under false identities.
- Russian threat actors had minimal engagement with Gemini, most usage being focused on scripting assistance, translation, and payload crafting. Their activity included rewriting publicly available malware into different programming languages, adding encryption functionality to malicious code, and understanding how specific pieces of public malware function. The limited use may indicate that Russian actors prefer AI models developed within Russia or are avoiding Western AI platforms for operational security reasons.
Google also mentions having observed cases where the threat actors attempted to use public jailbreaks against Gemini or rephrasing their prompts to bypass the platform's security measures. These attempts were reportedly unsuccessful.
OpenAI, the creator of the popular AI chatbot ChatGPT, made a similar disclosure in October 2024, so Google's latest findings come as a confirmation of the large-scale misuse of generative AI tools by threat actors of all levels.
While jailbreaks and security bypasses are a concern in mainstream AI products, the AI market is gradually filling with AI models that lack the proper protections to prevent abuse. Unfortunately, some of them with restrictions that are trivial to bypass are also enjoying increased popularity.
Cybersecurity intelligence firm KELA has in the recent past 's Qwen [website], which are vulnerable to prompt injection attacks that could streamline malicious use.
Unit 42 researchers also demonstrated effective jailbreaking techniques against DeepSeek R1 and V3, showing that the models are easy to abuse for nefarious purposes.
SOC Analysts - Reimagining Their Role Using AI

The job of a SOC analyst has never been easy. Faced with an overwhelming flood of daily alerts, analysts (and sometimes IT teams who are doubling as SecOps) must try and triage thousands of security alerts—often false positives—just to identify a handful of real threats. This relentless, 24/7 work leads to alert fatigue, desensitization, and increased risk of missing critical security incidents. Studies show that 70% of SOC analysts experience severe stress, and 65% consider leaving their jobs within a year. This makes retention a major challenge for security teams, especially in light of the existing shortage of skilled security analysts.
On the operational side, analysts spend more time on repetitive, manual tasks like investigating alerts, and resolving and documenting incidents than they do on proactive security measures. Security teams struggle with configuring and maintaining SOAR playbooks as the cyber landscape rapidly changes. To top this all off, tool overload and siloed data force analysts to navigate disconnected security platforms, creating not only inconvenience, but more critically, missed correlations between events that might have helped identify true positives.
The above is compounded by the fact that threat actors are leveraging AI to power their cybercrime. By processing vast amounts of data rapidly, AI enables them to launch more effective, adaptive, and difficult-to-detect attacks at scale. AI tools generate highly convincing phishing emails, deepfake content, and social engineering scripts, making deception much easier even for inexperienced attackers. They can also use AI to write sophisticated malware, reverse engineer security mechanisms and automate vulnerability discovery by analyzing large codebases for exploitable flaws. Additionally, AI-driven chatbots impersonate real clients, conduct large-scale fraud, and for newbies, provide step-by-step cybercrime guidance.
, attackers have reduced the average breakout time for successful intrusions from 79 minutes to 62 minutes, with the fastest known breakout time being just two minutes and seven seconds. Even with the best detection tooling and dozens of analysts available (a dream scenario) the sheer volume and velocity of today's cyberattacks still requires SOC teams to move faster than ever and somehow manually review and triage the insane amount of alerts being generated. This has been literally a mission impossible. But not anymore.
The Modern SOC Strikes Back - A Perfect Blend of AI and Human-in-the-Loop.
If you are a SOC analyst or a CISO, you know I was not exaggerating how dire the situation is. But the tide is turning. New AI tooling for SOCs will enable human teams to process any type and any volume of security alerts, allowing them to focus on handling real threats in record time. Here's a glimpse of what some early adopters are experiencing.
Many vendors are now offering automated triage of security alerts which significantly reduces the number of alerts that human analysts have to investigate. While multiple vendors offer automated triage for specific use cases such as phishing, endpoint, network and cloud (with the triage playbook created by human security professionals) the ideal scenario is for an AI-powered SOC analyst that can interpret any type of security alert from any sensor or defense system. This way, all security events, from the most common to the most obscure, can be fully triaged. Transparency plays a big role here as well, with the actual logic of the AI triage (down to each and every step taken) being readily available for a human analyst to review if desired.
Full Control Over Response to Real Threats.
While an AI-powered SOC platform generates an accurate response appropriate to the specific threat (providing similar value to a SOAR without all the configuration and maintenance headache), it's essential to have a human-in-the-loop to review the suggested remediation and the ability to accept, modify or immediately execute it.
Leveraging generative AI allows SOC teams to research emerging threats, the latest attack methods and the best practices for combatting them. Tools like ChatGPT are incredible for rapidly ramping up on practically any topic, security included and will definitely make it easier for analysts to access and easily learn about relevant solutions in a timely manner.
Data Querying, Log Interpretation and Anomaly Detection.
SOC analysts no longer need to struggle with querying syntax. Instead, they can use natural language to find the data they need and when it comes to understanding the significance of a particular log or dataset, AI solutions can provide instant clarification. When analyzing an aggregate data set of thousands of logs, built-in anomaly detection aids in identifying unusual patterns that might warrant further investigation.
More Data for Data-Hungry AI. Without an Insane Bill.
AI tools are data-hungry because they rely on vast amounts of information to learn patterns, make predictions, and improve their accuracy over time. However, traditional data storage can be very cost-prohibitive. Upcoming technologies have made it possible to rapidly query logs and other data from ultra-affordable cold storage such as AWS S3. This means that these AI-powered SOC platforms can rapidly access, process and interpret the vast amounts of data for them to automatically triage alerts. Likewise, for humans. As a CISO or VP Security you can now fully control your data without any vendor lock-in, while giving your analysts rapid querying capabilities and unlimited retention for compliance purposes.
In the last century, social interactions were far slower—if you wanted to connect with someone, you had to call their landline and hope they answered, send a letter and wait days for a response, or meet in person. Fast forward to 2025, and instant messaging, social media, and AI-driven communication have made interactions immediate and seamless. The same transformation is happening in security operations. Traditional SOCs rely on manual triage, lengthy investigations, and complex SOAR configurations, slowing down response times. But with AI-powered SOC solutions, analysts no longer have to sift through endless alerts or manually craft remediation steps. AI automates triage, validates real threats, and hints at precise remediation, drastically reducing workload and response times. AI is reshaping SOC operations—enabling faster, smarter, and more effective security at scale.
In summary, SOC analysts struggle with alert volumes, manual triage, and escalating cyber threats, leading to burnout and inefficiencies. Meanwhile, threat actors are leveraging AI to automate attacks, making rapid response more critical than ever. The good news is that the modern SOC is evolving with AI-powered triage, automated remediation, and natural language-driven data querying, allowing analysts to focus on real threats instead of tedious processes. With AI the SOC is becoming faster, smarter, and more scalable.
Watch Out For These 8 Cloud Security Shifts in 2025

As cloud security evolves in 2025 and beyond, organizations must adapt to both new and evolving realities, including the increasing reliance on cloud infrastructure for AI-driven workflows and the vast quantities of data being migrated to the cloud.
But there are other developments that could impact your organizations and drive the need for an even more robust security strategy. Let's take a look….
#1: Increased Threat Landscape Encourages Market Consolidation.
Cyberattacks targeting cloud environments are becoming more sophisticated, emphasizing the need for security solutions that go beyond detection. Organizations will need proactive defense mechanisms to prevent risks from reaching production. Because of this need, the market will favor vendors offering comprehensive, end-to-end security platforms that streamline risk mitigation and enhance operational efficiency.
#2: Cloud Security Unifies with SOC Priorities.
Security operations centers (SOCs) and cloud security functions are converging. In 2025, SOC teams will take a more active role in cloud security, integrating cloud-specific threat detection and response into their [website] collaboration will improve coordination, enabling a unified security approach that enhances threat protection and operational resilience.
#3: Data Security Gains Priority in Cloud-Native Application Protection Platforms (CNAPPs).
With nearly 30% of cloud data containing sensitive information, data security has become a critical component of cloud protection strategies. As generative AI adoption grows, CNAPP solutions will increasingly incorporate built-in data security elements. Vendors that integrate strong data protection measures will gain a competitive advantage, helping organizations prevent unauthorized access and data breaches.
#4: Application Security Budgets Shift to Unified Platforms.
A growing number of organizations are reallocating application security budgets from fragmented tools to unified platforms. Research indicates that 64% of security decision-makers anticipate budget increases for application security. Moving away from disparate security solutions will provide businesses with comprehensive visibility, improving their ability to detect and prevent cyber threats.
#5: Increased Focus on Protecting Intellectual Property in AI-Generated Code.
As AI-generated code becomes more widespread, organizations face increased risks related to proprietary intellectual property (IP). AI models trained on vast datasets may inadvertently introduce copyrighted or sensitive content. To mitigate these risks, businesses must implement rigorous data auditing, quality assurance processes, and compliance frameworks to ensure the responsible use of AI.
#6: Stricter Compliance Frameworks for AI Data Handling.
Regulatory bodies worldwide are tightening governance over AI data security. As AI models process larger volumes of sensitive information, new security measures will be required to address emerging vulnerabilities. Organizations will need to invest in advanced compliance strategies, staff training, and enhanced security protocols to meet evolving regulatory requirements and maintain operational trust.
#7: Drive for Innovation Will Compromise Security.
Some developers may bypass restrictive AI security policies in pursuit of innovation, inadvertently exposing organizations to new vulnerabilities. Striking a balance between security and innovation will be crucial. Companies must develop security frameworks that support rapid development while maintaining compliance and minimizing risks.
#8: AI-Powered Malware Emerges as a Threat.
Advancements in large language models (LLMs) introduce new risks, including AI-driven malware capable of automating phishing attacks, evading detection, and enhancing social engineering tactics. Traditional cybersecurity measures may prove inadequate against these evolving threats. Organizations will need to invest in adaptive security defenses that leverage AI to counteract these emerging risks.
The theme for cloud security in 2025 is all about being proactive—understanding the changes that are happening so you can be prepared.