A comprehensive investigation has revealed that over 57 state-sponsored threat actors from China, Iran, North Korea, and Russia are actively using Google's AI technology, particularly Gemini, to support their cyber operations.
According to Google’s Threat Intelligence Group (GTIG), these Advanced Persistent Threat (APT) groups are primarily using AI for:
– Research and reconnaissance
– Code troubleshooting
– Content creation and localization
– Payload development
– Vulnerability research
– Post-compromise activities
Iranian APT groups, specifically APT42 (also known as Charming Kitten), emerged as the most prolific users, accounting for 30% of Gemini usage among Iranian actors. Their activity focused on:
– Phishing campaign development
– Target reconnaissance
– Cybersecurity-themed content generation
Chinese APT groups concentrated on:
– Network infiltration techniques
– Code troubleshooting
– Advanced persistence methods
Russian actors primarily used Gemini for malware modification and encryption, while North Korean groups focused on:
– Infrastructure research
– Job hunting and cover letter creation
– Clandestine IT worker placement
GTIG also identified underground markets offering malicious LLM variants, including WormGPT, WolfGPT, and FraudGPT, designed specifically for:
– Phishing email generation
– Business email compromise attacks
– Fraudulent website creation
Google has implemented defensive measures against prompt injection attacks and emphasizes the importance of public-private collaboration to counter these emerging threats.