
Feb 13, 2026 · 5 min read

State Backed Hackers Are Using Google's Own AI to Write Phishing Emails

Google's Threat Intelligence Group reveals that over 40 government hacking groups are using Gemini to profile targets, craft phishing lures, and generate malware code.

AI Powered Espionage

The phishing email that lands in your inbox may have been written by AI, and not by a scammer in a hurry. Google's Threat Intelligence Group (GTIG) has disclosed that more than 40 state sponsored hacking groups from Iran, North Korea, China, and Russia are actively using Gemini AI to craft phishing campaigns, develop malware, and profile high value targets at unprecedented speed.

According to Google, the integration of AI throughout the attack lifecycle has enabled threat actors to "move from initial reconnaissance to active targeting at a faster pace and broader scale," significantly reducing the manual labor traditionally required for each stage of a cyberattack.


How Each Country Uses Gemini

Iran (APT42): The Iranian group APT42, also tracked as Charming Kitten, has been using Gemini to search for official email addresses, build credible personas for phishing pretexts, and translate phishing emails into natural sounding language. The group provides Gemini with target biographies and asks it to craft scenarios that would get specific individuals to engage. APT42 also uses the AI to accelerate malware development and test exploitation techniques.

North Korea (UNC2970): North Korean hackers use Gemini to profile defense and cybersecurity companies, map technical job roles, and gather salary data. This intelligence feeds into their long running Operation Dream Job campaign, where attackers approach victims under the pretext of job openings at aerospace, defense, and energy companies, delivering malware through fake recruitment materials.

China: Several Chinese APT groups use Gemini multiple times a week for code troubleshooting, bug research, and automating vulnerability analysis. Google disabled assets used by one Chinese group targeting Pakistani entities, though the attackers reportedly continued with similar campaigns.

HONESTCUE: AI Generated Malware

Google also discovered HONESTCUE, a malware framework that sends prompts directly through Gemini's API to receive C# source code on demand. The malware uses AI to generate second stage payloads that download and execute additional malicious software, with AI driven obfuscation to evade traditional network detection and static analysis tools.

This represents a shift in how malware operates. Instead of shipping pre-written code that antivirus tools can fingerprint, HONESTCUE generates fresh code each time it runs. Each variant is slightly different, making signature based detection far less effective. What stays constant is the request to the model API itself, so an unexpected process reaching an AI endpoint is a more durable signal than any hash of the payload it receives.
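One way to act on that constant, as an added example that is not code from the GTIG report or the original article: key the detection on which process is calling the model API rather than on the generated payload. The log format, process names, allow list and request path below are constructed assumptions for illustration; generativelanguage.googleapis.com is the real public host of the Gemini REST API.

```python
"""Flag processes that talk to an LLM API endpoint but are not expected to.

Added example, not code from the GTIG report. The log format, process names
and allow list are constructed for illustration; generativelanguage.googleapis.com
is the public host of the Gemini REST API.
"""
import re
from collections import defaultdict

# Hosts that serve LLM APIs. Extend for whichever providers your environment sees.
LLM_API_HOSTS = {
    "generativelanguage.googleapis.com",  # Gemini REST API
    "api.openai.com",
    "api.anthropic.com",
}

# Processes that may legitimately reach those hosts on a workstation (assumed).
ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "code.exe"}

# One record per outbound HTTPS request, as a proxy or EDR sensor might emit it
# (constructed key=value format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+) bytes_out=(?P<bytes_out>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def find_suspicious(lines, allowed=ALLOWED_PROCESSES, hosts=LLM_API_HOSTS):
    """Group LLM-API requests by (process, pid), drop allow-listed processes,
    and return one alert per remaining process with its call count.
    A code-generation loop shows up as repeated POSTs from the same pid."""
    calls = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] not in hosts:
            continue
        if rec["proc"].lower() in allowed:
            continue
        calls[(rec["proc"], rec["pid"])].append(rec)
    alerts = []
    for (proc, pid), recs in calls.items():
        alerts.append({
            "proc": proc,
            "pid": pid,
            "host": recs[0]["host"],
            "calls": len(recs),
            "first_seen": recs[0]["ts"],
            "bytes_out": sum(r["bytes_out"] for r in recs),
        })
    return alerts


# Constructed sample: a browser session plus an unknown binary polling the
# same endpoint three times in two minutes. Model name in the path is illustrative.
SAMPLE_LOG = """\
2026-02-13T09:00:01Z host=generativelanguage.googleapis.com pid=4120 proc=chrome.exe method=POST path=/v1beta/models/gemini-pro:generateContent bytes_out=812
2026-02-13T09:00:07Z host=update.example.test pid=2210 proc=svchost.exe method=GET path=/ping bytes_out=64
2026-02-13T09:01:12Z host=generativelanguage.googleapis.com pid=7788 proc=winupd.exe method=POST path=/v1beta/models/gemini-pro:generateContent bytes_out=1540
2026-02-13T09:01:15Z host=generativelanguage.googleapis.com pid=7788 proc=winupd.exe method=POST path=/v1beta/models/gemini-pro:generateContent bytes_out=1602
2026-02-13T09:02:40Z host=generativelanguage.googleapis.com pid=7788 proc=winupd.exe method=POST path=/v1beta/models/gemini-pro:generateContent bytes_out=1533
garbage line that the parser must ignore
"""

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG.splitlines()):
        print(alert)
```

On a real fleet the allow list comes from software inventory and the host list from what the proxy actually sees; the point is that the rule keys on who is calling the model and how often, which the attacker cannot vary without giving up the on-demand code generation that makes the technique attractive.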

Why AI Phishing Is Different

Traditional phishing campaigns relied on templates with obvious tells: broken grammar, generic greetings, and implausible scenarios. AI changes the equation. When a state backed hacker feeds your LinkedIn profile, your job title, and your company's recent press releases into Gemini, the resulting phishing email reads like a message from a real colleague or recruiter.

The AI can generate phishing lures in any language without the grammatical errors that used to be a red flag. It can create fake personas complete with believable backstories. It can tailor messages to specific industries, companies, and even individual targets. The era of spotting phishing by looking for typos is over.

The Scale of the Problem

Research from 2025 found that 82% of phishing emails already contained AI generated content. That number is climbing. When state sponsored groups with virtually unlimited resources adopt the same tools, the quality and volume of phishing attacks increase simultaneously.

These groups are not targeting random individuals. They profile journalists, diplomats, defense contractors, and political dissidents. The combination of AI reconnaissance and AI generated phishing lures means that the most targeted individuals face attacks that are increasingly indistinguishable from legitimate communications.

What You Can Do

AI generated phishing makes every email a potential attack vector. The defenses that matter most are the ones that do not rely on spotting mistakes in the message itself. Use hardware security keys (FIDO2/WebAuthn) for authentication instead of SMS codes: the key signs a challenge tied to the site's origin, so a password and one-time code captured on a lookalike login page cannot be replayed against the real one. Verify unexpected requests through a different communication channel, such as a call to a number you already have rather than one given in the message. Treat every unexpected attachment and link with suspicion, regardless of how legitimate the sender appears.

Blocking tracking pixels in your email also reduces the information available to attackers. A tracking pixel is just a remote image whose URL is unique to you; when your mail client fetches it, the attacker learns that you opened the message, when, and from what client, and a tracked link or a forwarded copy that loads the same URL gives them further feedback for refining their next attempt. Most mail clients can disable automatic loading of remote images, which defeats the pixel before any filtering is needed.