Imagine a scenario in which the attacker does not write malicious code themselves. Instead, their malware sends a query to a commercial AI model, receives ready-made C# code in response, compiles it in memory, and executes it — without writing anything to disk. No executable file appears in the file system. No static signature scanner has anything to analyze. The code is generated at the moment of execution, tailored to the attack context.
This is not a scenario from a conference about the future of cybersecurity. This is a description of the HONESTCUE malware family, identified by the Google Threat Intelligence Group (GTIG) in September 2025. On February 12, 2026, GTIG published its third quarterly report on the use of artificial intelligence by threat groups — “Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use.” The report confirms a fundamental shift — AI has ceased to be an experimental tool in attackers’ arsenals. It has become an element of the daily operational infrastructure of groups linked to four nations: China, Iran, North Korea, and Russia.
What is the GTIG AI Threat Tracker report and why should every CISO care?
The GTIG AI Threat Tracker is a periodic publication by the Google Threat Intelligence Group — the team responsible for tracking state-sponsored and cybercriminal threats within the Google ecosystem, including attempts to abuse the Gemini model. The third report, published on February 12, 2026, covers activity from the fourth quarter of 2025 and continues the earlier “Adversarial Misuse of Generative AI” report from 2025.
The report focuses on three themes that gave it its title. Distillation — attacks aimed at extracting knowledge and capabilities from commercial AI models through systematic querying. Experimentation — testing the limits of AI models by threat groups, including attempts to bypass safeguards. Integration — incorporating AI into operational attack chains, from reconnaissance to malware development.
The report’s key statement is: GTIG has not yet observed APT groups or information operations achieving breakthrough capabilities that would fundamentally change the threat landscape. At the same time, the report documents that AI is becoming an embedded element of the daily workflow of cyber espionage groups — analogous to how business organizations have integrated ChatGPT and Copilot into their processes. Attackers are doing exactly the same thing, just on the opposing side.
For CISOs and security teams, the GTIG report provides concrete indicators of how the threat profile is changing. This is not about futuristic scenarios — it is about documented operations by state-sponsored groups that today use AI to profile targets, generate phishing, debug exploits, and create malware with dynamically generated code.
📚 Read the complete guide: AI Security: AI in cybersecurity - threats, defense, the future
How do nation-state groups use artificial intelligence in offensive operations?
The GTIG report documents activity by groups linked to four nations — China, Iran, North Korea, and Russia — and identifies patterns of AI use at every stage of the attack chain. Each of these nations has a distinct usage profile, but the common denominator is treating AI as a tool for increasing operational productivity.
Reconnaissance and target profiling — groups use Gemini to collect open-source intelligence (OSINT), profile individuals in decision-making positions, map organizational structures of companies, and identify email addresses. North Korean UNC2970 (linked to the Lazarus Group) searched for information about companies in the defense and cybersecurity sectors, mapped specific technical roles, and collected salary data — to build credible personas for recruitment phishing.
Social engineering and phishing — Iranian APT42 (also known as Charming Kitten, Mint Sandstorm) uses AI to create social engineering personas. As GTIG describes: the group provides the model with a target’s biography and asks it to create a persona or scenario that would get that person to engage. AI also generates phishing message content in multiple languages and helps in understanding local phrases and cultural references.
Tool and malware development — Chinese APT41 uses Gemini to debug exploit code, translate scripts between programming languages, and troubleshoot offensive tools. Another Chinese group, UNC795, developed web shells and PHP server scanners with AI assistance.
Vulnerability analysis — Chinese APT31 (Judgement Panda) employed a systematic approach, providing Gemini with a cybersecurity expert persona to automate vulnerability analysis and generate testing plans. The group integrated AI with Hexstrike — a red team tool built on the Model Context Protocol (MCP) that orchestrates over 150 security tools, including network scanners and penetration testing tools.
Information operations — groups from China, Iran, Russia, and Saudi Arabia use AI to generate propaganda, political satire, and disinformation content. This dimension is less technical but strategically equally significant.
Flashcard: AI in the attack chain — who and how
- Iran (APT42): social engineering personas, phishing translation, data scraping
- China (APT31, APT41, UNC795): vulnerability analysis, exploit debugging, web shells, agentic AI
- North Korea (UNC2970): target profiling, recruitment phishing, OSINT
- Russia: information operations, AI-generated propaganda
What are AI model distillation attacks and why do they threaten intellectual property?
AI model distillation (model distillation, model extraction) is a technique in which an attacker attempts to reproduce or approximate the capabilities of a commercial AI model without direct access to its weights, architecture, or training data. The mechanism involves systematically querying the model with a large number of carefully constructed queries, analyzing the responses, and using these query-response pairs as training data for a substitute model.
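The mechanics can be illustrated with a deliberately minimal sketch in Python, where a toy function stands in for the commercial model's API. The hidden coefficients, query range, and training loop are all illustrative assumptions, not details from the report:

```python
# Toy illustration of model distillation. `oracle` stands in for a
# commercial model's API: the attacker sees only its outputs, never its
# weights. All coefficients and counts here are illustrative assumptions.

def oracle(x: float) -> float:
    """Black-box model with hidden internals (here: 3x + 1)."""
    return 3.0 * x + 1.0

# Step 1: systematically query the oracle, recording query-response pairs.
queries = [i / 100 for i in range(100)]
pairs = [(x, oracle(x)) for x in queries]

# Step 2: fit a substitute model on the collected pairs (plain SGD).
w, b = 0.0, 0.0
lr = 0.05
for _ in range(2000):  # "training epochs" over the stolen pairs
    for x, y in pairs:
        err = (w * x + b) - y
        w -= lr * err * x
        b -= lr * err

# The substitute now approximates the oracle's behavior without any
# access to its internals.
print(round(w, 2), round(b, 2))  # approaches the hidden 3.0 and 1.0
```

The same query-then-fit loop, scaled to hundreds of thousands of prompts and a neural substitute, is what makes "behavior is the model" literal: every recorded pair is a training example.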
The GTIG report indicates that distillation attacks against the Gemini model have reached significant scale. Google and DeepMind identified extraction campaigns involving over 100,000 prompts directed at Gemini to extract knowledge about its behavior, response patterns, and internal logic. As security researcher Farida Shafik put it: “Behavior is the model. Every query-response pair is a training example for a replica.”
The scale of the threat is real. Researchers from Praetorian conducted a proof-of-concept extraction attack that achieved 80.1% accuracy in replicating model capabilities with just 1,000 API queries across 20 training epochs. This means that with a relatively small computational investment, an attacker can create a functional replica of a commercial model — without bearing the costs of development, training infrastructure, and data collection.
For AI organizations, distillation is a threat to intellectual property — investments on the order of billions of dollars in model training can be approximated for a fraction of that amount. For organizations using AI, distillation has a different dimension — an attacker who possesses a model replica can test safeguard bypass techniques on it without the risk of detection by the provider. They can identify model weaknesses offline and then exploit them in a single, precise attack on the production model.
Google blocked the identified extraction campaigns, but their sheer scale demonstrates that distillation has become an organized activity — not an isolated experiment. GTIG emphasizes that this trend will intensify because the economics of distillation favor the attacker — the cost of querying a model is many times lower than the cost of training one from scratch.
It is worth noting that distillation does not apply exclusively to Google models. Any organization making an AI model available via API — whether internally or commercially — is a potential target. This also applies to companies deploying fine-tuned models for clients. A replica of such a model in the hands of a competitor or attacker means loss of technological advantage, and in the case of models processing sensitive data — potential reconstruction of information on which the model was trained.
How does Iranian APT42 use AI for social engineering?
APT42 (also known as GreenCharlie, Charming Kitten, Mint Sandstorm) is one of the most active Iranian threat groups, specializing in social engineering operations targeting diplomats, journalists, academics, and cybersecurity specialists. The GTIG report documents that APT42 has incorporated AI as a permanent element of its pretext-building and attack persona process.
APT42’s methodology is based on long-term trust building. The group does not send mass phishing — it conducts precise operations in which it builds a relationship with the target over weeks or months before moving to the compromise phase. AI accelerates every stage of this process.
In the reconnaissance phase, APT42 uses Gemini to search for official email addresses of specific institutions and individuals, collect information about the target’s potential business partners (to build a credible pretext for contact), and map the target’s professional relationships. In the persona-building phase, the group provides the AI model with the target’s biography and asks it to generate an optimal persona or scenario that would get that person to engage in correspondence. AI assists in creating phishing messages in multiple languages — including understanding local idioms and cultural references, which is crucial when targeting individuals in countries whose language APT42 operators do not speak fluently.
APT42 also uses AI for technical purposes. The GTIG report documents that the group developed a Google Maps scraper written in Python with Gemini’s assistance, a SIM card management system in Rust (likely for managing operational infrastructure), and conducted research on a proof-of-concept exploit for the WinRAR vulnerability CVE-2025-8088.
APT42’s historical targets include Israeli journalists, cybersecurity specialists, and computer science professors. AI enables the group to scale operations that previously required significant manual effort — creating credible personas, writing personalized messages in foreign languages, and maintaining multiple parallel conversations with targets.
The consequence for European organizations is direct. APT42 has historically targeted individuals involved in nuclear negotiations, Middle Eastern policy, and technology sectors. AI radically reduces the cost of expanding operations to new regions and languages. Organizations whose employees communicate with foreign partners — increasingly common in Poland, particularly in the defense, energy, and technology sectors — should include spearphishing based on AI-generated personas in their threat model.
How are Chinese APT groups building autonomous offensive tools with AI?
Chinese APT groups — according to the GTIG report — stand out with the most diverse and advanced approach to integrating AI into offensive operations. The report documents activity by at least four distinct groups: APT31, APT41, UNC795, and Temp.HEX (Mustang Panda).
APT31 (Judgement Panda, Violet Typhoon, Zirconium) employed an approach that GTIG describes as “highly structured” — the group prompted Gemini with a cybersecurity expert persona to automate vulnerability analysis and generate targeted testing plans. Importantly, APT31 integrated AI with Hexstrike — a red team tool built on the Model Context Protocol (MCP) that orchestrates over 150 security tools, including network scanners, reconnaissance tools, and penetration testing tools. This is an agentic approach — AI does not just answer questions but coordinates the execution of multiple tools in sequence. The targets were organizations in the United States. Tested vectors included remote code execution (RCE), Web Application Firewall (WAF) bypass techniques, and SQL injection.
APT41 uses Gemini as a daily productivity tool — debugging exploit code, extracting explanations from open-source tool documentation, translating scripts between programming languages, and troubleshooting technical issues. GTIG noted that APT41 operators used Gemini for code troubleshooting “multiple days per week” — suggesting that AI has become a permanent element of their toolkit, not a one-time experiment.
UNC795 developed web shells and PHP server scanners with AI assistance — tools used to maintain persistence after compromising a web server. Temp.HEX (Mustang Panda) used Gemini to compile dossiers on specific individuals, including targets in Pakistan, and to gather operational and structural data on separatist organizations across various countries.
John Hultquist, GTIG’s chief analyst, assessed: “China-based actors in particular will continue to build agentic approaches for cyber offensive scale.” This is a key statement — it suggests that Chinese groups are not limiting themselves to using AI as a supporting tool, but are moving toward semi-autonomous offensive systems in which AI coordinates multi-stage operations with minimal operator intervention.
Google disabled accounts linked to the APT31 campaign but noted that the group continued targeting similar victims in Pakistan — suggesting a rapid ability to rebuild operational infrastructure.
Why is North Korea the most active state-level Gemini user?
The GTIG report indicates that North Korean APT groups proved to be the most active Gemini users among all tracked state-sponsored actors. This observation is consistent with earlier reports and stems from the DPRK’s specific operational profile — the only nation for which cyber operations constitute a direct source of regime funding.
UNC2970 — a group linked to the Lazarus Group (also known as Diamond Sleet, Hidden Cobra) — used Gemini to synthesize open-source intelligence and profile high-value targets. The group searched for information about major companies in the cybersecurity and defense sectors, mapped specific technical roles at those companies, and collected salary data. The goal was to create credible corporate recruiter personas — a technique in which DPRK operators specialize.
Other North Korean clusters used Gemini for cryptocurrency-related research — consistent with the documented DPRK strategy in which cryptocurrency theft funds the nuclear and missile programs. The UNC4899 group (linked to AppleJeus) used AI for tool development and SQL data extraction.
North Korea’s AI usage profile is distinctive for yet another reason — the DPRK conducts a large-scale IT labor market infiltration operation in which thousands of North Korean IT workers work remotely for Western companies under false identities. AI is their tool for passing job interviews, generating code, solving technical tasks, and maintaining credibility as “ordinary” developers. Hultquist indicates that North Korea and Iran were the earliest adopters of AI for social engineering purposes, which is consistent with their operational profile — actors from both countries traditionally rely on social engineering more than on advanced technical exploits.
For organizations recruiting remote IT specialists — which has become the norm in the Polish technology sector — the GTIG report is a warning. Candidate identity verification, analysis of the consistency of their professional history, and post-employment behavior monitoring should be part of the HR process, not only security procedures. The FBI has been regularly warning about North Korean IT sector infiltration since 2024, and AI makes this infiltration more effective and harder to detect.
What is HONESTCUE and how does malware use AI model APIs in real time?
HONESTCUE is a malware family identified by GTIG in September 2025 that represents a qualitatively new threat model — malicious software that communicates with a commercial AI model’s API during execution to dynamically generate second-stage attack code.
HONESTCUE’s mechanism is based on a downloader/launcher architecture. The first stage — a relatively simple component — sends specially constructed prompts to the Gemini API. In response, it receives C# source code that constitutes the second-stage functionality. Then, using the .NET CSharpCodeProvider class, it compiles the received code in memory and executes it — without writing an executable file to disk (fileless execution).
This approach has fundamental consequences for detection. Traditional antivirus scanners rely on signatures — hashes of known malicious files or byte patterns. If malicious code is dynamically generated by an AI model at the moment of execution, each run may produce different code performing the same function. Static analysis of the first-stage component reveals only the prompt and API call — not the payload itself. Network analysis sees HTTPS traffic to the legitimate Gemini API — which in many environments is not anomalous.
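Why hash-based signatures fail here can be shown with a toy sketch in Python; the two "payload variants" are harmless illustrative strings that merely share behavior:

```python
import hashlib

# Two AI-generated variants of the "same" payload: identical behavior,
# different source text. Both are harmless illustrative snippets.
variant_a = "def run():\n    return sum(range(10))"
variant_b = (
    "def run():\n"
    "    total = 0\n"
    "    for i in range(10):\n"
    "        total += i\n"
    "    return total"
)

# A signature scanner keyed on file hashes sees two unrelated artifacts...
hash_a = hashlib.sha256(variant_a.encode()).hexdigest()
hash_b = hashlib.sha256(variant_b.encode()).hexdigest()
print(hash_a == hash_b)  # False

# ...even though both variants compute the same result when executed.
ns_a, ns_b = {}, {}
exec(variant_a, ns_a)
exec(variant_b, ns_b)
print(ns_a["run"]() == ns_b["run"]())  # True
```

If every execution of the malware can yield a fresh variant, the defender's unit of detection must shift from the artifact to the behavior.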
GTIG has not yet linked HONESTCUE to any known threat cluster. Based on iterative changes in samples and a single VirusTotal submitter, researchers assess that a single actor or small group is behind the malware. However, this does not diminish the significance of the technique — if this model proves effective, it will be adopted by larger groups.
Alongside HONESTCUE, the GTIG report identifies COINBAIT — a phishing kit built with the Lovable AI platform (a web application building tool), masquerading as a cryptocurrency exchange. COINBAIT is linked to the financially motivated UNC5356 cluster and is used for credential theft. This is an example of a different pattern — AI not as a runtime malware component, but as a tool for rapidly building phishing infrastructure.
Flashcard: HONESTCUE — next-generation malware
- Sends prompts to the Gemini API during execution
- Receives C# code in response and compiles it in memory (fileless)
- Each execution may generate different code, impeding signature-based detection
- Network traffic looks like a legitimate API call, impeding network-based detection
- Not yet linked to a specific threat cluster
How does AI change the economics of cyberattacks?
The GTIG report makes a key statement: AI functions as a “reinforcing factor within existing attack chains,” not as a new threat category. This distinction is important — AI does not create fundamentally new attack techniques, but dramatically lowers the entry threshold and increases the scalability of traditional techniques.
In the reconnaissance dimension, AI compresses weeks of analytical work into hours. APT42 can generate in minutes a target profile that previously required manually searching dozens of sources. GTIG notes that Chinese groups use AI “to move from initial reconnaissance to active targeting at a faster pace and broader scale.”
In the social engineering dimension, AI eliminates the language barrier. An Iranian group can now generate credible phishing messages in Hebrew, English, French, or German — with idioms and cultural references that previously required a native speaker. For organizations, this means that traditional phishing indicators — language errors, unnatural syntax — lose their diagnostic value.
In the tool development dimension, AI acts as a permanent programming assistant. APT41 uses Gemini for code debugging multiple days per week. UNC795 builds web shells with AI assistance. APT31 integrates AI with an orchestration framework for 150+ security tools. These are not one-time experiments — this is a permanent operational practice.
In the malware dimension, HONESTCUE demonstrates that AI can become a runtime component — part of the malware execution chain itself, not just a tool for its creation. If this model becomes widespread, it will fundamentally change the economics of detection — defenders will need to analyze not static files, but dynamic interactions with APIs.
Steve Miller, AI threat lead at GTIG, noted: “Gemini is getting better at recognizing persona-based tricks and responding safely.” This confirms that AI providers are actively strengthening safeguards. However, the arms race continues — and the economics favor the attacker, who needs to find one vulnerability, while the defender must close them all.
There is one more dimension worth noting. AI lowers the competency threshold needed to conduct an advanced attack. A group that previously lacked the ability to write exploits can now use AI as a programming assistant. A group without native speakers of the target’s language can generate perfect phishing. A group without OSINT analysts can automate target profiling. This is the democratization of offensive capabilities — and this is the greatest long-term threat emerging from the GTIG report.
What defensive mechanisms are effective against AI-augmented attacks?
Defense against AI-augmented threats requires adapting existing security practices to the new threat profile. The GTIG report does not explicitly formulate defensive recommendations, but operational conclusions allow defining concrete controls.
Strengthen behavioral detection over signature-based detection. HONESTCUE demonstrates that malware with dynamically generated code bypasses signature-based detection. Organizations must invest in EDR/XDR with behavioral detection — monitoring event sequences (process calling API → in-memory compilation → new code execution) instead of comparing file hashes.
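One way such a correlation could be sketched is an ordered-subsequence match over a single process's event stream. The event names below are illustrative assumptions; real EDR telemetry is far richer:

```python
# Minimal sketch of behavioral (sequence-based) detection for the pattern
# described above: AI API call -> in-memory compilation -> execution of
# new code, all observed within one process. Event names are illustrative.

SUSPECT_SEQUENCE = ["network_ai_api_call", "in_memory_compile", "exec_new_code"]

def matches_sequence(events, pattern):
    """True if `pattern` occurs, in order, as a subsequence of `events`."""
    it = iter(events)  # `step in it` consumes the iterator, enforcing order
    return all(step in it for step in pattern)

process_events = [
    "process_start",
    "network_ai_api_call",
    "file_read",
    "in_memory_compile",
    "exec_new_code",
]
print(matches_sequence(process_events, SUSPECT_SEQUENCE))  # True
```

No single event in the stream is suspicious on its own; it is the ordered combination that a hash-based scanner cannot see and a behavioral rule can.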
Monitor traffic to AI model APIs. If the organization does not use Gemini, Claude, or GPT APIs in the production environment, traffic to these endpoints from workstations should generate an alert. If it does — monitoring should detect anomalies in volume, content, and query source. Firewall policy should define allowed AI endpoints and block the rest.
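A minimal sketch of such an allow-list audit, assuming simplified proxy logs of (source, destination) pairs; the hostnames and the policy itself are illustrative assumptions, not vendor guidance:

```python
# Sketch of an egress audit for AI model endpoints. Assumes proxy logs
# reduced to (source_host, destination_host) tuples; all hostnames and
# the sanctioned set are illustrative.

ALLOWED_AI_ENDPOINTS = {"generativelanguage.googleapis.com"}  # sanctioned use
AI_ENDPOINTS = ALLOWED_AI_ENDPOINTS | {
    "api.openai.com",
    "api.anthropic.com",
}

def audit(log_entries):
    """Flag workstation traffic to AI APIs outside the sanctioned set."""
    return [
        (source, destination)
        for source, destination in log_entries
        if destination in AI_ENDPOINTS and destination not in ALLOWED_AI_ENDPOINTS
    ]

log = [
    ("ws-042", "api.openai.com"),                     # not sanctioned -> alert
    ("ws-017", "generativelanguage.googleapis.com"),  # sanctioned
    ("ws-042", "example.com"),                        # not an AI endpoint
]
print(audit(log))  # [('ws-042', 'api.openai.com')]
```

In practice the same policy belongs in the egress firewall or secure web gateway; the audit view matters because it also surfaces sanctioned endpoints being used at anomalous volume.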
Advanced anti-phishing training incorporating AI-generated content. Traditional training teaches recognition of language errors and unnatural syntax in phishing. AI eliminates these indicators. New training programs should focus on verifying sender identity through non-email channels, questioning unusual requests regardless of message linguistic quality, and building a “verify before trust” culture.
Identity and authentication protection. The GTIG report indicates that APT groups use AI to build credible personas. Organizations should strengthen identity verification — phishing-resistant multi-factor authentication (FIDO2/WebAuthn), verification of new contacts through a second communication channel, and authorization procedures for unusual requests.
Active Directory and infrastructure monitoring. Chinese groups use AI to debug exploits and build web shells. Controls such as monitoring file system changes on web servers (web shell detection), server configuration hardening, regular vulnerability scanning, and network segmentation limit the effectiveness of even refined tools.
AI intellectual property protection. Organizations developing or deploying AI models should implement rate limiting, query anomaly monitoring (distillation pattern detection), response watermarking, and risk analysis-based API access policies.
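A toy sketch of one such control: flagging API keys whose per-window query volume crosses a threshold. The threshold and log format are illustrative assumptions; a production detector would also examine query diversity and input-space coverage, the hallmarks of extraction campaigns:

```python
from collections import defaultdict

# Toy distillation-pattern monitor: flag API keys whose query count in a
# time window exceeds a limit. The limit and the log are illustrative.

WINDOW_LIMIT = 3  # queries allowed per window in this toy example

def flag_extraction_suspects(query_log):
    """Return API keys whose query volume in the window exceeds the limit."""
    counts = defaultdict(int)
    for api_key in query_log:
        counts[api_key] += 1
    return sorted(key for key, n in counts.items() if n > WINDOW_LIMIT)

log = ["key-a", "key-b", "key-a", "key-a", "key-a", "key-b"]
print(flag_extraction_suspects(log))  # ['key-a']
```

Volume alone is a crude signal, but it is the cheapest first layer: the 100,000-prompt campaigns described in the report are precisely the kind of traffic such a counter surfaces.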
What does a maturity model for defense against AI-augmented threats look like?
AI-augmented threats do not require a revolution in security approach — they require an evolution of existing controls accounting for the new attacker profile. The table below presents a maturity model adapted to the conclusions of the GTIG report.
| Maturity level | Area | Control | Implementation time | Addressed threat |
|---|---|---|---|---|
| 1 — Basic | Endpoint | EDR/XDR with behavioral detection (not signature-only) | 2–4 weeks | HONESTCUE, fileless malware |
| 1 — Basic | Network | Firewall policy: allow-list for AI API endpoints | 1–3 days | Malware calling AI APIs |
| 1 — Basic | User | Training: verify sender identity through a second channel | 1–2 weeks | APT42 spearphishing |
| 2 — Extended | Identity | Phishing-resistant MFA (FIDO2/WebAuthn) for privileged accounts | 1–3 months | Credential theft, AI personas |
| 2 — Extended | SOC | Correlation rules: process → API call → in-memory compilation → execution | 2–4 weeks | HONESTCUE, runtime AI malware |
| 2 — Extended | Network | Anomaly monitoring in traffic to AI APIs (volume, patterns, source) | 2–4 weeks | Model distillation, malware-as-a-service |
| 3 — Advanced | Web | Web Application Firewall + server file integrity monitoring | 1–3 months | APT41/UNC795 web shells |
| 3 — Advanced | Threat Intel | APT group profiling incorporating their AI usage profile | Ongoing | APT31 Hexstrike, APT42 personas |
| 3 — Advanced | Red Team | Red team exercises using AI (adversary emulation) | Quarterly | Control validation |
| 4 — Mature | AI Security | Rate limiting, distillation detection, watermarking for own AI models | 3–6 months | Model extraction attacks |
| 4 — Mature | SOC | Automated threat hunting with AI-assisted event correlation | 6–12 months | Full spectrum of AI threats |
How does nFlo support organizations in defending against AI-augmented threats?
The evolution of threats documented by GTIG requires adapting security strategy — from signature-based detection toward behavioral analysis, from static rules toward dynamic monitoring. nFlo supports clients in this transformation at several levels.
In the area of social engineering testing, nFlo designs scenarios reflecting real-world APT group techniques — including scenarios with AI-generated phishing, credible recruiter personas, and multi-stage trust building. We verify whether the organization’s employees are able to recognize next-generation spearphishing — free of language errors, personalized, and contextually accurate.
Security architecture analysis conducted by nFlo accounts for the new vectors described in the GTIG report. We verify firewall policy configuration for traffic to AI model APIs, EDR effectiveness in detecting fileless malware, web server integrity monitoring (web shell detection), and identity verification procedures in business processes vulnerable to social engineering.
As part of penetration testing, nFlo uses tools and methodologies similar to those documented by GTIG — including tool orchestration, vulnerability analysis automation, and web application security testing. This gives the organization a realistic assessment of its resilience against AI-augmented threats.
nFlo also supports clients in building next-generation security awareness programs — going beyond traditional anti-phishing training. Programs incorporate AI-generated content scenarios, deepfakes, and multi-stage social engineering attacks that build trust before the compromise phase — exactly as the GTIG report describes in the context of APT42.
Frequently asked questions
Have APT groups achieved breakthrough capabilities through AI?
No — the GTIG report states unequivocally that it has not yet observed APT groups or information operations achieving breakthrough capabilities that would fundamentally change the threat landscape. AI acts as a productivity amplifier: it accelerates existing techniques but does not create fundamentally new ones. That does not mean the threat is low — increased attacker productivity translates into more attacks, faster operations, and harder detection.
Can HONESTCUE attack my organization?
HONESTCUE has not been linked to a specific threat cluster and appears to be the work of a single actor or small group. However, the technique it represents — malware calling AI model APIs in real time — may be adopted by other groups. Organizations should implement monitoring of traffic to AI model APIs and behavioral detection of fileless execution.
Does blocking access to the Gemini/ChatGPT API protect against these threats?
Partially. Blocking traffic to known AI endpoints prevents HONESTCUE-type malware from communicating with the API. However, attackers can use self-hosted open-source models (LLaMA, Mistral) or route traffic through proxies. Blocking AI APIs is an important defense layer, but not the only one.
How can AI-generated phishing be recognized?
AI-generated phishing does not contain classic indicators — language errors, unnatural syntax, obvious inconsistencies. The most effective defense is verifying the sender’s identity through a non-email channel (phone, personal contact), questioning unusual requests regardless of message quality, and using phishing-resistant MFA (FIDO2).
What is Hexstrike and why is it significant?
Hexstrike is a red team tool built on the Model Context Protocol (MCP) that orchestrates over 150 security tools — network scanners, reconnaissance tools, and penetration testing tools. APT31 integrated Hexstrike with Gemini, creating a semi-autonomous offensive system. This is important because it shows the direction of evolution — from AI as a supporting tool to AI as a coordinator of multi-stage operations.
Does the GTIG report apply only to Gemini or to all AI models?
The GTIG report focuses on abuses of the Gemini model because Google has direct visibility into its platforms. However, the described techniques — distillation, AI-assisted phishing, dynamic code generation — apply to all commercial AI models. OpenAI, Anthropic, and other companies publish their own abuse reports. The problem is industry-wide, not specific to a single provider.
How often does Google publish GTIG AI Threat Tracker reports?
Reports are published quarterly. The February 2026 report is the third in the series — following the first “Adversarial Misuse of Generative AI” report from 2025 and the second from mid-2025. Each subsequent report documents the growing integration of AI into threat group operations.
