Find notable cyber news and cases, enriched with sources, timelines, and signals.

Google study on AI misuse in APT and malware workflows

Technical Analysis
First reported
Last updated
Happening score
H score 27
2 unique sources, 2 articles

Summary

Hide ▲

Google Threat Intelligence Group reported an unknown threat actor using PROMPTFLUX, an experimental VB Script malware, to query the Gemini API for just-in-time self-modification and obfuscation/evasion. Google said the sample uses a hard-coded API key, targets Gemini 1.5 Flash or later, and attempts persistence via the Windows Startup folder while also copying itself to removable drives and mapped network shares. The malware appears to be under development/testing and is not yet known to reliably compromise victims. Google also tied the report to broader Gemini abuse across China-, Iran-, and North Korea-linked activity for phishing, reconnaissance, C2 development, data exfiltration, and malware tooling.

Related Happenings

IPhone AI chatbot traffic leak of API keys, replayable tokens, and open relays

Technical Analysis
H score27 First: 30.06.2026 16:49 Last: 30.06.2026 16:49 Sources 1

About this happening: **LLMKeyLens** testing found **444 iPhone AI chatbot apps** leaking **paid AI access**, exposing **API keys**, **replayable tokens**, and **open relays** that let others bill mode...

Google Cloud Vertex AI SDK Python predictable bucket squatting security flaw

Vulnerability
H score1 First: 16.06.2026 22:05 Last: 16.06.2026 22:05 Sources 1

About this happening: **Google Cloud Vertex AI SDK for Python** had a **predictable temporary bucket** flaw that let an attacker hijack model uploads and reach **code execution** inside Google's servin...

Google AI Threat Defense launch adds autonomous AI-attack detection and remediation for enterprises

Security Tool/Service
H score20 First: 28.05.2026 12:55 Last: 28.05.2026 12:55 Sources 1

About this happening: Google Cloud launched **Google AI Threat Defense**, an **always-on autonomous** security platform aimed at stopping **AI-powered cyberattacks** across enterprise environments. The...

Shai-Hulud worm clone activity on NPM

Malware Activity
H score69 First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Google GTIG analysis of adversary AI use for exploit development and attack orchestration

Technical Analysis
H score33 First: 11.05.2026 16:00 Last: 11.05.2026 16:00 Sources 1

About this happening: **Google Threat Intelligence Group** published findings showing **adversaries using AI** for **exploit development** and **attack orchestration**, signaling that model-assisted tr...

Timeline

  1. 12.02.2026 14:45 3 articles · 4mo ago

    Google publishes study on AI misuse by government-backed and criminal actors

    Technical Analysis Update

    Google Threat Intelligence Group and Google DeepMind published findings on February 12, 2026 showing that government-backed cyber threat actors and financially motivated groups used AI across the attack lifecycle during the last quarter of 2025. The study described APT42 using generative AI to search for official email addresses and build reconnaissance on potential business partners, UNC2970 using Gemini to synthesize OSINT and profile high-value targets, TEMP.Hex using Gemini and other AI tools to compile target and separatist-organization intelligence, and APT31 using "expert cybersecurity personas" to automate vulnerability analysis and testing plans against US-based targets. Google also reported a rise in model extraction attempts, an underground jailbreak ecosystem, the Xanthorox toolkit advertising malware and phishing generation while relying on third-party and commercial AI products including Gemini, abuse of Gemini and OpenAI's ChatGPT public sharing features for ClickFix-style social engineering, and a September 2025 Honestcue case in which Gemini's API was used to dynamically generate and execute malicious C# code in memory.

    Show sources