Google Threat Intelligence Group (GTIG) released a recent report indicating that North Korean and multiple other countries’ hacker organizations are actively using Gemini to conduct automated reconnaissance, malware development, and other tasks, posing a serious threat to global data and national defense cybersecurity. GTIG head Steve Miller stated that enterprises need to take cybersecurity threats seriously, implement AI defense measures, and protect company resources and data security.
Hackers Use Gemini to Analyze Specific Targets with Open Source Intelligence
The Google report pointed out that the North Korean hacker group UNC2970 is using Gemini for comprehensive open source intelligence (OSINT) gathering to profile high-value targets precisely. The group has long operated under the name Operation Dream Job, posing as corporate recruiters to target professionals in the aerospace, defense, and energy industries. With AI assistance, attackers can search more efficiently for technical job openings and salary structures at major cybersecurity and defense companies, enabling them to identify targets accurately.
GTIG states that UNC2970 creates highly customized social engineering scripts to target initial access opportunities more precisely. In addition to North Korea, the Chinese hacker groups Mustang Panda (TEMP.Hex) and APT31 have also been found using AI to edit personal profiles or to automate vulnerability analysis.
New Malware Outsources Function Development via Gemini API
The report revealed a new type of malware called HONESTCUE that outsources function development through Gemini’s API. HONESTCUE is a downloader framework; its fileless secondary stage receives generated C# source code from the Gemini API, which it then compiles and executes directly in memory using the legitimate .NET CSharpCodeProvider framework, leaving no traces on disk.
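The in-memory compilation step described above still leaves an observable: on .NET Framework, CSharpCodeProvider compiles by launching the framework's csc.exe with a temporary response file, so a process-creation event where csc.exe has a non-build parent is the signal a defender can hunt for. The following triage logic is an added example written for this article, not code from the GTIG report; the sample events are constructed, and the parent allowlist and severity thresholds are assumptions to be tuned per environment.

```python
"""Flag process-creation events where the .NET C# compiler (csc.exe) is
launched by an unexpected parent, the footprint left when a process uses
System.CodeDom's CSharpCodeProvider to compile source at run time."""
import re
from typing import Dict, List, Optional

# Assumption: parents that legitimately spawn csc.exe on a build or dev host.
BENIGN_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|AppData)\\", re.IGNORECASE)
RESPONSE_FILE = re.compile(r'@"?[^"\s]*\.cmdline')

# Constructed sample events (simplified Sysmon Event ID 1 fields), not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig @"C:\proj\obj\Debug\app.cmdline"'},
    {"parent": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig /fullpaths @"C:\Users\alice\AppData\Local\Temp\k2xq1fdv.cmdline"'},
    {"parent": r"C:\Program Files\Contoso\service.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig /fullpaths @"C:\Windows\Temp\a1b2c3.cmdline"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def score_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for csc.exe launched by a non-build parent, else None."""
    if basename(event["image"]) != "csc.exe":
        return None
    parent = basename(event["parent"])
    if parent in BENIGN_PARENTS:
        return None
    reasons = [f"csc.exe spawned by {parent}"]
    # CodeDom writes the source and a *.cmdline response file to a temp
    # directory, so a response file under a user-writable path adds weight.
    if RESPONSE_FILE.search(event["cmdline"]) and USER_WRITABLE.search(event["cmdline"]):
        reasons.append("response file in user-writable temp path")
    if USER_WRITABLE.search(event["parent"]):
        reasons.append("parent binary in user-writable path")
    severity = "high" if len(reasons) > 2 else "medium"
    return {"parent": event["parent"], "severity": severity, "reasons": reasons}

def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run score_event over a batch and keep only the findings."""
    return [f for f in (score_event(e) for e in events) if f is not None]
```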
Cyberattackers Send Over 100,000 Prompts to Copy AI Reasoning Capabilities
Google observed that attackers are sending large volumes of prompts to the model in an attempt to replicate its reasoning and response capabilities. Google blocked these imitation attempts; in one large-scale campaign, Gemini was targeted with over 100,000 prompts posing a series of questions aimed at copying its reasoning abilities on non-English tasks.
Google AI Threats Lead Steve Miller pointed out that although attackers continually attempt to bypass security defenses through impersonation, Gemini has made ongoing progress in identifying deception tactics and strengthening automatic filters. Defense systems are constantly evolving to counter new forms of prompt attacks.
In response to the growing AI threats, Google has launched an AI cybersecurity defense program that is continuously upgraded to combat malicious attacks, improve detection accuracy, and speed up automated response. Through machine learning, the defense system can more sharply identify abnormal API calls and malicious scripts. Steve Miller emphasized that enterprises should invest in AI infrastructure and build robust defense systems to secure their future cybersecurity posture.
This article, “Google Warns! North Korean and Multiple Other Countries’ Hacker Groups Are Using Gemini for Attacks,” first appeared on Chain News ABMedia.