As synthetic intelligence has become a staple in modern organizations, the field has transformed how they analyze data, make automated decisions, and defend their digital perimeters, moving from experimental labs to the operational bloodstream. However, with the incorporation of these systems deeper into company infrastructure, the technology itself is becoming both a strategic asset and a desirable target for companies.
Adversaries seeking leverage are now studying, imitating, and in some cases quietly manipulating the same models used to draft code, triage alerts, and streamline workflows. As Fast Company points out, this dual reality is redefining cyber risk, putting AI at the heart of both defense strategy and offensive innovation.
Insights from Google Cloud's AI Threat Tracker indicate that this shift is accelerating rapidly.
There has been a significant increase in model extraction attempts, or "distillation" attempts, which are attempts by attackers to systematically query proprietary artificial intelligence systems to estimate their underlying capabilities, without ever breaching a network in its traditional sense, according to the report.
Google Threat Intelligence observes that state-aligned and financially motivated actors affiliated with China, Iran, North Korea, and Russia are integrating artificial intelligence tools into nearly every stage of the intrusion lifecycle.
A growing number of these campaigns include automated reconnaissance, vulnerability mapping, and highly tailored social engineering, which can be carried out with minimal direct human intervention and are increasingly modular, scalable, and effective.
In accordance with these findings, a newly released assessment by Google Threat Intelligence Group indicates a more operational phase of the threat landscape has begun.
This analysis warns that adversaries are no longer considering artificial intelligence a peripheral experiment, but are instead embedding it directly into live attack workflows.
In particular, the targeting and misuse of Gemini models is highlighted, reflecting a broader trend in which commercially available generative systems are systematically evaluated, stressed, and sometimes incorporated into malicious toolchains.
Researchers documented instances in which active malware strains initiated direct calls to Gemini during runtime through the application programming interface. In the absence of hard-coding all functional components within the malware binary, operators dynamically requested task-specific source code as the intrusion progressed from the model.
As part of the HONESTCUE malware family, structured prompts were issued to obtain C# code snippets that were subsequently executed within its attack chain. By externalizing portions of its logic, the malware was able to reduce its static footprint and complicate detection strategies that utilize signature matching or behavioral heuristics.
Further, the report describes sustained efforts to perform model extraction attacks, also known as distillation attacks. These operations involved the generation of large volumes of carefully sequenced queries that mapped response patterns and approximated internal decision boundaries by threat actors.
A key objective of adversaries is to replicate certain aspects of proprietary model performance through iterative analysis, so that they can train substitute systems without being required to bear the entire cost and workload associated with the development of a large-scale model.
A Google representative has reported that multiple campaigns characterized by abnormal prompt velocity and structured probing activities intended to harvest Gemini's underlying capabilities have been identified and disrupted. This underscores the importance of safeguards which address not only data exfiltration, but also model intelligence protection as well.
According to CrowdStrike, parallel intelligence strengthens our assessment that artificial intelligence integration is materially slowing down the tempo of modern intrusions. According to the investigators, adversaries are generating single-line commands for reconnaissance, credential harvesting, and data staging on compromised hosts by executing large language models in real time on compromised hosts. This effectively shifts tactical decision-making to on-demand AI systems.
Metrics indicate that the firm's operational acceleration in 2025 has resulted in an average “breakout time” of eCrime, or the interval between initial access and lateral movement towards high-value assets, dropping to 29 minutes, with the fastest observed transition occurring within 27 seconds.
It was documented that the LAMEHUG malware utilized an external LLM via Hugging Face API to generate dynamic commands for enumerating hardware profiles, processes, services, network configurations and Active Directory domain data based upon minimal embedded prompts. Through outsourcing reconnaissance logic to a model, operators reduced the need for pre-compiled modules, enabling rapid adaptation without modifying the underlying binary.
A single threat actor can pivot interactively by issuing contextualized instructions that are responsive to the environment in real time as a consequence of this architectural choice. There has been a continued focus on the technology sector, emphasizing its concentration of privileged access paths and its systemic significance throughout the supply chain.
In addition, CrowdStrike noted that artificial intelligence is extending across multiple phases of the intrusion lifecycle. The number of incidents involving fake CAPTCHA lures grew by 563 percent in 2025 when compared with 2024, indicating the use of generative systems in social engineering.
Some moderately resourced groups, such as Punk Spider, have been observed utilizing Gemini and DeepSeek to develop scripts designed to extract credentials from backup archives, terminate defensive services, and erase forensic evidence.
Scripting that makes use of artificial intelligence (AI) narrows the capability gap between mid-tier criminal operators and highly-trained red teams, enabling coordinated attack chains which combine identity abuse, backup compromise, and domain escalation within a single attack chain.
Separately, adversaries distributed malicious npm packages that instructed malicious AI command-line tools to generate commands for exfiltrating authentication material and cryptoassets.
The incident responders reported the discovery of over 90 environments executing this adversary-developed AI workflow, indicating a trend toward threat actors delegating core post-exploitation functions to intelligent agents within enterprise networks.
Model-driven approaches are also being implemented by state-aligned groups.
The Russian-linked collective FANCY BEAR deployed LAMEHUG against Ukrainian government entities, embedding prompts that instructed the model to copy Office documents and PDF documents, gather domain intelligence, and stage system data into text files for exfiltration by embedding prompts into the model.
Underground forums reflect this operational shift. ChatGPT references outnumbered any other model by a significant margin by 2025, a development attributed less to technical preference than to the platform's widespread recognition and accessibility.
This campaign illustrates how quickly reconnaissance, targeting, and staging can be automated once a model has been incorporated within an intrusion toolchain, despite the fact that LLM-enabled malware has not yet been proven more effective than traditional tools.
It appears that AI will serve as a force multiplier, reducing operating friction and compressing timelines as well as reshaping expectations surrounding attacker speed and adaptability in the near future.
Furthermore, Google announced that it worked with industry partners to dismantle an infrastructure associated with a suspected China-nexus espionage actor trackable as UNC2814 to emphasize the convergence of cloud platforms and covert command infrastructure.
Approximately 53 organizations within 42 countries have been compromised as a result of the group's penetration, according to findings published by Google Threat Intelligence Group and Mandiant, with additional suspected intrusions in 20 other countries suspected. It is reported that the actor has maintained access to international government entities and global telecommunications providers across Africa, Asia, and the Americas for an extended period of time since at least 2017.
The investigators observed that the group utilized API calls to legitimate software as a service applications as a command-and-control strategy, intentionally intermixing malicious traffic with routine cloud communication. This operation is supported by the use of a C-based backdoor referred to as GRIDTIDE, which exploits the Google Sheets API for covert communication.
The malware implements a polling mechanism by embedding command logic within spreadsheet cells, thereby retrieving attacker instructions and returning execution status codes from cell A1. A pair of adjacent cells facilitate bidirectional data transmission, including command output and file exfiltration staging. A second cell stores the compromised host's system metadata.
This design facilitates remote data transfer and data tasking while concealing C2 exchanges in otherwise benign API activity.
Although GRIDTIDE was identified in multiple environments, researchers were unable to definitively determine if every intrusion was based on the same payload. The initial access vectors are currently being investigated; however, UNC2814 has historically exploited vulnerable web servers and edge devices to gain access.
As part of the post-compromise activity, service accounts were used to move laterally via SSH, living-off-the-land binaries were extensively used for reconnaissance and privilege escalation, as well as persistence through an embedded systemd service, deployed at /etc/systemd/system/xapt.service, which activated a new malware instance from /usr/sbin/xapt once activated.
The campaign also included the deployment of SoftEther VPN Bridge to create outbound encrypted tunnels to external infrastructure, which has previously been associated with multiple China-linked threat clusters.
Based on forensic analysis, GRIDTIDE appears to have been selectively deployed on endpoints containing personally identifiable information in order to obtain intelligence on specific individuals or entities.
Google reported that no confirmed evidence of data exfiltration occurred during the observed activity window.
The remediation measures included terminating attacker-controlled Google Cloud projects, disabling UNC2814 infrastructure, robbing access to compromised accounts, and blocking the misuse of Google Sheets API endpoints utilized for C2 operations as part of Google's remediation measures.
An official notification was sent to affected organizations and direct incident response support was provided to confirmed victims following the launch of this campaign, described as one among the most extensive and strategic campaigns that the company has encountered in recent years.
All together, these disclosures indicate that artificial intelligence will become embedded in enterprise workflows with the same rigor as privileged infrastructure.
As AI models, APIs, and service accounts become more integrated into enterprise workflows, they will need to be governed with the same level of rigorousness as privileged infrastructure. Security leaders should ensure that these assets are treated with strict access controls, anomaly detection, and continuous logging as high-value assets.
Increasing the effectiveness of threat hunting programs must include monitoring for abnormal prompt velocity, unusual API polling patterns, and model-driven command execution. As part of this effort, organizations should evaluate identity hygiene, restrict outbound connectivity from sensitive workloads, and harden edge systems that serve as the initial point of entry for hackers.
An adversary who attempts to blend malicious traffic with legitimate SaaS communications can be contained with cloud-native telemetry, behavioral analytics, and zero-trust segmentation. The development of defensive strategies must therefore proceed parallel to the operationalization of artificial intelligence across reconnaissance, lateral movement, and persistence, with a particular focus on the security of models, the integrity of supply chains, and the coordination of rapid response activities.
A clear lesson has emerged: Artificial intelligence is no longer peripheral to cyber security risk, but has become integral to both the threat model and the defense architecture designed to counteract it.
