A surge in AI-powered attack tactics forced Google to block large-scale model-distillation attempts against Gemini while tracking state-backed hackers using AI to accelerate phishing and malware development.
GTIG flags AI driven threat spike
- Google Threat Intelligence Group tracked heavier AI use in late 2025.
- Analysts saw attackers speeding up recon and malware builds.
- The team reported gains in phishing precision and workflow automation.
- Updated findings expanded on earlier November 2025 research.
- Google Threat Intelligence Group caught rising distillation attacks.
- Actors queried model APIs at scale to replicate proprietary model behaviour in their own models.
- Google blocked over 100,000 coercive Gemini prompts in real time.
- Safeguards tightened to shield intellectual property from copycats.
- Google Threat Intelligence Group linked LLM use to APT groups.
- Iran’s APT42 leaned on Gemini for target research.
- North Korea’s UNC2970 applied AI for defense-focused phishing.
- China’s APT31 and UNC795 used models for code auditing.
- Google Threat Intelligence Group spotted AI-coded malware strains.
- HONESTCUE generated follow-up payloads through Gemini APIs.
- COINBAIT phishing kit embedded AI-built web traps.
- Underground service Xanthorox marketed weaponized AI access.
- Google Threat Intelligence Group disabled abusive accounts worldwide.
- Teams boosted classifiers to flag suspicious model queries.
- Big Sleep and CodeMender showcased AI-driven vulnerability discovery and automated patching on the defensive side.
- Shared IOCs help registered users hunt emerging threats.
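The brief says GTIG tuned classifiers to flag suspicious model queries tied to distillation, but does not describe them. The following is an added illustration, not Google's classifier or any code from the report: a simple heuristic scorer over a constructed API request log that looks for the traffic shape of bulk extraction (sustained request rate, a stream of never-repeated templated prompts, and consistent requests for full-length output or token log-probabilities) and deliberately leaves a retry storm unflagged. The field names, thresholds and sample keys are assumptions.

```python
"""Heuristic detection of distillation-style query patterns against an LLM API.

Added example, not GTIG's classifier. Scores each API key on four signals that
together characterise bulk extraction rather than ordinary use. All thresholds,
field names and the sample log below are assumptions constructed for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from os.path import commonprefix


@dataclass
class Request:
    api_key: str
    ts: datetime
    prompt: str
    max_tokens: int
    logprobs: bool          # caller asked for token log-probabilities


OUTPUT_CAP = 4096           # assumed output ceiling of the model
RATE_RPM = 30.0             # assumed: sustained requests/minute beyond normal use
MIN_REQUESTS = 50           # assumed: too little traffic to judge "no repeats"
TEMPLATE_MIN_CHARS = 20     # assumed: shared prefix length that suggests a template


def score_key(reqs):
    """Compute per-key features and count how many extraction signals fire."""
    reqs = sorted(reqs, key=lambda r: r.ts)
    n = len(reqs)
    span_min = max((reqs[-1].ts - reqs[0].ts).total_seconds() / 60.0, 1.0)
    rate = n / span_min
    # Ordinary users re-ask and refine; an extraction dataset never repeats a prompt.
    unique_ratio = len({r.prompt for r in reqs}) / n
    # Extraction prompts are usually generated from a template: consecutive
    # prompts share a long common prefix with different fillers.
    templated = sum(
        len(commonprefix([a.prompt, b.prompt])) >= TEMPLATE_MIN_CHARS
        for a, b in zip(reqs, reqs[1:])
    ) / max(n - 1, 1)
    # Distillation wants the richest possible output: logprobs or the full cap.
    full_output = sum(r.logprobs or r.max_tokens >= OUTPUT_CAP for r in reqs) / n
    signals = {
        "high_rate": rate >= RATE_RPM,
        "no_repeats": n >= MIN_REQUESTS and unique_ratio >= 0.95,
        "templated": templated >= 0.8,
        "full_output": full_output >= 0.9,
    }
    return {
        "requests": n,
        "rate_rpm": round(rate, 1),
        "unique_ratio": round(unique_ratio, 2),
        "templated": round(templated, 2),
        "full_output": round(full_output, 2),
        "signals": signals,
        "score": sum(signals.values()),
    }


def flag_keys(requests, threshold=3):
    """Return (flagged keys, full per-key report). A key is flagged when at
    least `threshold` of the four signals fire; rate alone is never enough."""
    by_key = defaultdict(list)
    for r in requests:
        by_key[r.api_key].append(r)
    report = {k: score_key(v) for k, v in by_key.items()}
    flagged = {k: v for k, v in report.items() if v["score"] >= threshold}
    return flagged, report


T0 = datetime(2025, 11, 5, 9, 0, 0)


def build_log():
    """Constructed sample traffic for three hypothetical API keys."""
    log = []
    # key-A: 60 templated, never-repeated prompts at 1.5 s intervals, logprobs on.
    for i in range(60):
        log.append(Request("key-A", T0 + timedelta(seconds=1.5 * i),
                           f"Answer in full, citing your reasoning: question {i}",
                           OUTPUT_CAP, True))
    # key-B: ordinary use, 20 requests over an hour, topics revisited, short output.
    topics = ["draft an email to my landlord", "summarise this meeting",
              "fix my regex", "translate to French"]
    for i in range(20):
        log.append(Request("key-B", T0 + timedelta(minutes=3 * i),
                           topics[i % 4] + (" again" if i % 5 == 0 else ""),
                           512, False))
    # key-C: retry storm, the same tiny prompt 80 times in a minute (rate only).
    for i in range(80):
        log.append(Request("key-C", T0 + timedelta(seconds=0.75 * i),
                           "ping", 64, False))
    return log


if __name__ == "__main__":
    flagged, report = flag_keys(build_log())
    for key, feats in report.items():
        print(key, "FLAGGED" if key in flagged else "ok", feats)
```

The retry storm on key-C fires only the rate signal, which is why the flag requires three of the four signals; a legitimate batch-evaluation job can still look exactly like key-A, so a score like this belongs in triage or a rate-limit decision, not in an automatic ban.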