
Google study on AI misuse in APT and malware workflows

Technical Analysis
Happening score
H score 36
2 unique sources, 2 articles

Summary


Google Threat Intelligence Group reported an unknown threat actor using PROMPTFLUX, an experimental VBScript malware, to query the Gemini API for just-in-time self-modification and for obfuscation and evasion. Google said the sample uses a hard-coded API key, targets Gemini 1.5 Flash or later, and attempts persistence via the Windows Startup folder while also copying itself to removable drives and mapped network shares. The malware appears to be under development or testing and is not yet known to reliably compromise victims. Google also tied the report to broader Gemini abuse across China-, Iran-, and North Korea-linked activity for phishing, reconnaissance, C2 development, data exfiltration, and malware tooling.

Related Happenings

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Google GTIG analysis of adversary AI use for exploit development and attack orchestration

Technical Analysis
First: 11.05.2026 16:00 Last: 11.05.2026 16:00 Sources 1

About this happening: **Google Threat Intelligence Group** published findings showing **adversaries using AI** for **exploit development** and **attack orchestration**, signaling that model-assisted tr...

Prominent cybercrime threat actors AI-assisted zero-day exploitation campaign

Campaign
First: 11.05.2026 16:00 Last: 11.05.2026 16:00 Sources 1

About this happening: An **AI-assisted zero-day exploitation campaign** was planned by **prominent cybercrime threat actors**, but the effort was **disrupted before deployment** and did not reach its i...

EtherRAT malicious MSI loader with Ethereum-based C2

Malware Activity
First: 30.04.2026 14:30 Last: 30.04.2026 14:30 Sources 1

About this happening: The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...

Dragon Boss Solutions LLC adware malicious update

Malware Activity
First: 16.04.2026 22:07 Last: 16.04.2026 22:07 Sources 1

About this happening: A **March 22, 2025** malicious update turned **Dragon Boss Solutions LLC** adware into an **AV-disabling** payload, exposing nearly **24,000 systems** to follow-on abuse. The upda...

Timeline

  1. 12.02.2026 14:45 3 articles · 3mo ago

    Google publishes study on AI misuse by government-backed and criminal actors

    Technical Analysis Update

    Google Threat Intelligence Group and Google DeepMind published findings on February 12, 2026 showing that government-backed cyber threat actors and financially motivated groups used AI across the attack lifecycle during the last quarter of 2025. The study described APT42 using generative AI to search for official email addresses and build reconnaissance on potential business partners, UNC2970 using Gemini to synthesize OSINT and profile high-value targets, TEMP.Hex using Gemini and other AI tools to compile target and separatist-organization intelligence, and APT31 using "expert cybersecurity personas" to automate vulnerability analysis and testing plans against US-based targets. Google also reported a rise in model extraction attempts, an underground jailbreak ecosystem, the Xanthorox toolkit advertising malware and phishing generation while relying on third-party and commercial AI products including Gemini, abuse of Gemini and OpenAI's ChatGPT public sharing features for ClickFix-style social engineering, and a September 2025 Honestcue case in which Gemini's API was used to dynamically generate and execute malicious C# code in memory.
