Threat actors abusing Gemini across the attack lifecycle
Threat Actor Meta
Summary
Multiple threat actors are now abusing Gemini for exploit research, phishing, malware development, code assistance, crypto theft, and deepfake lures, showing a broader AI-enabled tradecraft shift across the attack lifecycle. The pattern matters because it demonstrates that a single model is being repurposed by different groups for end-to-end offensive operations, not just isolated prompts or single-step assistance.
Related Happenings
Google AI Threat Defense launch adds autonomous AI-attack detection and remediation for enterprises
Security Tool/Service
First: 28.05.2026 12:55
Last: 28.05.2026 12:55
Sources 1
About this happening:
Google Cloud launched **Google AI Threat Defense**, an **always-on autonomous** security platform aimed at stopping **AI-powered cyberattacks** across enterprise environments. The...
Cisco findings on multi-turn guardrail bypass in major LLMs
Technical Analysis
First: 27.05.2026 16:00
Last: 27.05.2026 16:00
Sources 1
About this happening:
Cisco researchers found that **multi-turn prompting** can bypass safety guardrails in **major LLMs**, increasing the risk that enterprise AI deployments overestimate their protect...
Lucifer DaaS’s evolution into a commission-based drainer service platform
Threat Actor Meta
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
About this happening:
**Lucifer DaaS** has evolved into a **structured underground drainer platform**, shifting wallet theft from isolated phishing pages to a commission-based service model that scales...
Google GTIG analysis of adversary AI use for exploit development and attack orchestration
Technical Analysis
First: 11.05.2026 16:00
Last: 11.05.2026 16:00
Sources 1
About this happening:
**Google Threat Intelligence Group** published findings showing **adversaries using AI** for **exploit development** and **attack orchestration**, signaling that model-assisted tr...
North Korea-linked Lazarus Group's ongoing open-source poisoning model
Threat Actor Meta
First: 12.02.2026 18:55
Last: 12.02.2026 18:55
Sources 1
About this happening:
**North Korea-linked threat actors** are continuing to **poison open-source ecosystems** with malicious packages, signaling an ongoing supply-chain operating model aimed at **data...
Timeline
05.11.2025 16:59 2 articles · 6mo ago
Multiple actors abuse Gemini across the attack lifecycle
Campaign Scope Update
Google Threat Intelligence Group documented multiple threat actors abusing Gemini across the attack lifecycle, including a China-nexus actor posing as a CTF participant to obtain exploit details and build phishing and exfiltration tools, MuddyCoast (UNC3313) using Gemini for malware development and debugging, APT42 using it for phishing, translation, and a "Data Processing Agent" for personal-data mining, APT41 using it for OSSTUN code assistance and obfuscation, and North Korean groups Masan (UNC1069) and Pukchong (UNC4899) using it for crypto theft, multilingual phishing, deepfake lures, and code targeting edge devices and browsers.
- Google warns of new AI-powered malware families deployed in the wild — www.bleepingcomputer.com — 05.11.2025 16:59