State-Sponsored Hackers from North Korea, Iran, China, and Russia Deploy AI to Accelerate Cyberattacks

Feb 13, 2026
Google Cloud Blog

Summary

State-sponsored hackers from North Korea, Iran, China, and Russia increasingly weaponize artificial intelligence to accelerate cyberattacks, using large language models for reconnaissance and phishing, while new AI-powered malware is emerging that abuses commercial APIs to generate malicious code.

Key Points

  • Google Threat Intelligence Group observes threat actors increasingly integrating AI to accelerate attack lifecycles, with state-sponsored groups from DPRK, Iran, China, and Russia using large language models for reconnaissance, phishing, and malware development
  • Model extraction attacks or 'distillation attacks' are rising as a method of intellectual property theft, with over 100,000 prompts identified in one campaign attempting to replicate Gemini's reasoning capabilities across multiple languages
  • New AI-integrated malware families like HONESTCUE are emerging that use Gemini's API to generate code for downloading second-stage malware, while underground services like Xanthorox claim to offer custom AI models but actually rely on jailbroken commercial APIs
