Threat actors abusing Gemini across the attack lifecycle
Threat Actor Meta
Summary
Multiple threat actors are now abusing Gemini for exploit research, phishing, malware development, code assistance, crypto theft, and deepfake lures, showing a broader AI-enabled tradecraft shift across the attack lifecycle. The pattern matters because it demonstrates that a single model is being repurposed by different groups for end-to-end offensive operations, not just isolated prompts or single-step assistance.
Related Happenings
Cisco findings on multi-turn guardrail bypass in major LLMs
Technical Analysis
First: 27.05.2026 16:00
Last: 27.05.2026 16:00
Sources 1
About this happening:
Cisco researchers found that **multi-turn prompting** can bypass safety guardrails in **major LLMs**, increasing the risk that enterprise AI deployments overestimate their protect...
Lucifer DaaS’s evolution into a commission-based drainer service platform
Threat Actor Meta
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
About this happening:
**Lucifer DaaS** has evolved into a **structured underground drainer platform**, shifting wallet theft from isolated phishing pages to a commission-based service model that scales...
Google GTIG analysis of adversary AI use for exploit development and attack orchestration
Technical Analysis
First: 11.05.2026 16:00
Last: 11.05.2026 16:00
Sources 1
About this happening:
**Google Threat Intelligence Group** published findings showing **adversaries using AI** for **exploit development** and **attack orchestration**, signaling that model-assisted tr...
North Korea-linked Lazarus Group's ongoing open-source poisoning model
Threat Actor Meta
First: 12.02.2026 18:55
Last: 12.02.2026 18:55
Sources 1
About this happening:
**North Korea-linked threat actors** are continuing to **poison open-source ecosystems** with malicious packages, signaling an ongoing supply-chain operating model aimed at **data...
React/Next.js applications React2Shell RCE flaw (CVE-2025-55182)
Vulnerability
First: 09.02.2026 10:37
Last: 09.02.2026 10:37
Sources 1
About this happening:
**React2Shell (CVE-2025-55182)** is being **heavily exploited** in **React Server Components (RSC)**, with Huntress observing attackers deliver **cryptocurrency miners** and new m...
Latest development: 09.03.2026 23:45
Google reports that newly disclosed third-party flaws are increasingly being exploited for initial access to cloud environments, with React2Shell (CVE-2025-55182) and CVE-2025-24893 highlighted as frequent RCE examples. The report says attackers are weaponizing new flaws within days, with cryptominers observed within 48 hours of vulnerability disclosure.
Timeline
05.11.2025 16:59 · 2 articles
Multiple actors abuse Gemini across the attack lifecycle
Campaign Scope Update: Google Threat Intelligence Group documented multiple threat actors abusing Gemini across the attack lifecycle, including a China-nexus actor posing as a CTF participant to obtain exploit details and build phishing and exfiltration tools; MuddyCoast (UNC3313) using Gemini for malware development and debugging; APT42 using it for phishing, translation, and a "Data Processing Agent" for personal-data mining; APT41 using it for OSSTUN code assistance and obfuscation; and the North Korean groups Masan (UNC1069) and Pukchong (UNC4899) using it for crypto theft, multilingual phishing, deepfake lures, and code targeting edge devices and browsers.
- Google warns of new AI-powered malware families deployed in the wild — www.bleepingcomputer.com — 05.11.2025 16:59