The Google Threat Intelligence Group (GTIG) has published new information revealing how threat actors, among them nation state-backed advanced persistent threat (APT) operations working on behalf of the governments of China, Iran, North Korea and Russia, attempted to abuse its Gemini artificial intelligence (AI) tool.

Google said that government actors from at least 20 countries had used Gemini, with the highest volume of use originating from China and Iran-based groups.

These actors attempted to use Gemini to support multiple phases of their attack chains, from procuring infrastructure and so-called bulletproof hosting services, reconnoitering targets, researching vulnerabilities and developing payloads, to assisting with malicious scripting and post-compromise evasion techniques.

The Iranians, who appear to be the heaviest “users” of Gemini, tend to use it for research on defence organisations and vulnerabilities, and for creating content for phishing campaigns, often with cyber security themes. Their targets are perennially linked to Iran’s Middle Eastern neighbours and to US and Israeli interests in the region.

Chinese APTs, on the other hand, favour the tool for reconnaissance, scripting and development, code troubleshooting, and researching topics such as lateral movement, privilege escalation, data exfiltration and intellectual property (IP) theft.

China’s targets are generally the US military, government IT providers and the intelligence community.

North Korean and Russian groups are more limited in their use of Gemini, with the North Koreans tending to stick to topics of interest to the regime, including the theft of cryptocurrency assets, and to support for an ongoing campaign in which Pyongyang has been placing clandestine ‘fake’ IT contractors at target organisations.