
Netcrook


Inside the AI Arsenal: How State-Backed Hackers Weaponize Google Gemini

Published: 16 February 2026 18:04
Category: Cyber Warfare & Nation-State Operations
Geo: Asia
Author: AGONY

Subtitle: A new Google report reveals how cybercriminals, especially state-sponsored groups, are harnessing Gemini AI to supercharge digital attacks.

It’s no longer the stuff of sci-fi: artificial intelligence is now a tool of choice for the world’s most dangerous hackers. In a chilling new report, Google's Threat Intelligence Group blows the lid off how state-backed cybercriminals are exploiting Gemini, Google’s flagship AI platform, to amplify their operations. As the cyber arms race accelerates, Gemini is becoming less a digital assistant and more a weapon of cyber war.

Google’s latest threat intelligence report paints a disturbing picture: AI is no longer just a productivity booster for businesses, but a powerful enabler for cybercriminals, especially those with government backing. Analysts found that, in the last quarter of 2025, hacking groups supported by states like North Korea, Iran, China, and Russia systematically integrated Gemini into their attack workflows.

So how are these threat actors using Gemini? The AI is deployed across multiple stages of the attack lifecycle. For instance, hackers automate routine processes, conduct advanced reconnaissance, and even experiment with malware development using Gemini’s capabilities. In one case, a North Korean-affiliated group used Gemini to synthesize open-source intelligence on cybersecurity roles and salary structures within defense companies, information that could be weaponized for targeted phishing and infiltration.

Another North Korean group turned to Gemini multiple times a week for technical support, leveraging the AI to troubleshoot malware coding problems and generate new malicious code. Meanwhile, an Iranian APT (Advanced Persistent Threat) group used Gemini to bolster its reconnaissance techniques, increasing both the speed and sophistication of its intelligence-gathering efforts.

Perhaps most worrying, groups from China, Russia, Iran, and North Korea have used Gemini to create fake articles, fabricate digital identities, and produce other resources for information warfare. The scale and scope of these operations suggest an evolving playbook, where AI is not just a tool but a force multiplier for state-level cyber mischief.

Yet the report draws a crucial line: while Gemini is amplifying certain aspects of these attacks, there is no evidence, yet, of fully AI-automated attack campaigns. Human expertise and intervention remain essential, especially in the operational execution of complex hacks. This contrasts with some previous incidents, such as a Chinese government-backed campaign that leveraged another AI platform, Anthropic, for more extensive automation.

As AI matures, the gap between cyber defense and offense is narrowing. For now, the human element keeps attacks from becoming fully autonomous. But the writing is on the wall: Gemini and its AI peers are quickly becoming double-edged swords in the global cyber conflict, and the next leap may put fully automated threats just within reach. The question is not if, but when.

WIKICROOK

  • Gemini: Gemini is Google’s AI suite powering search, productivity, and cybersecurity features, offering intelligent automation and threat detection across platforms.
  • State: A 'state' in cybersecurity refers to a government backing or conducting cyber attacks to gather intelligence or disrupt adversaries for political or strategic gain.
  • Reconnaissance: Reconnaissance is the early stage of a cyberattack where attackers gather information about a target to identify weaknesses and plan their approach.
  • Malware: Malware is malicious software designed to infiltrate, damage, or steal data from computing devices without the user's consent.
  • Social engineering: Social engineering is the use of deception by hackers to trick people into revealing confidential information or providing unauthorized system access.