Google Threat Report Warns AI-Driven Cyber Operations Are Scaling Across Global Threat Landscape
Cyber threat actors are increasingly integrating artificial intelligence into real-world cyber operations, according to a new report from Google Threat Intelligence Group (GTIG), which warns the technology is now being used to accelerate everything from vulnerability research to phishing, malware development and disinformation campaigns.
The latest GTIG AI Threat Tracker report highlights growing activity from state-sponsored and criminal actors linked to China, North Korea and Russia, with researchers observing a shift from experimental AI use toward more mature and operationalised attack workflows.
GTIG said actors associated with the People’s Republic of China (PRC) and the Democratic People’s Republic of Korea (DPRK) are showing significant interest in using AI for vulnerability discovery and exploit development. Researchers observed the use of specialised vulnerability datasets and expert-style prompting techniques to improve exploit generation capabilities.
The report also details what researchers believe may be one of the first known cases of AI-assisted zero-day exploit development by cybercriminals. GTIG identified a vulnerability exploitation campaign involving a two-factor authentication bypass vulnerability likely discovered and weaponised using AI tools.
Beyond exploit development, GTIG warned that AI is increasingly being integrated into malware and operational infrastructure. The report identified activity linked to PRC-nexus group APT27 using Gemini to accelerate development of tools likely supporting operational relay box infrastructure designed to obscure attack origins.
Meanwhile, suspected Russia-linked threat actors targeting Ukrainian organisations were found using AI-generated decoy code inside malware families such as CANFAIL and LONGSTREAM to help evade detection and complicate forensic analysis.
One of the report’s more concerning findings relates to the emergence of autonomous AI-enabled malware. GTIG detailed how Android backdoor PROMPTSPY uses Gemini to analyse device interfaces, determine actions and autonomously interact with infected devices.
Researchers said PROMPTSPY demonstrates a broader shift toward AI-enabled attack orchestration, where malware can interpret system states and carry out actions without requiring continuous human oversight.
The report also highlights increased use of AI for reconnaissance and phishing operations. Threat actors were observed using large language models to generate detailed organisational hierarchies, map third-party relationships and identify likely phishing targets within enterprises.
GTIG additionally identified a growing trend toward “agentic workflows”, where autonomous frameworks are used to conduct reconnaissance and validate vulnerabilities at scale. Researchers linked some of this activity to suspected PRC-nexus operations targeting organisations in Asia.
The report also documents how AI-generated media is being incorporated into influence operations. GTIG identified suspected AI voice cloning activity associated with pro-Russia campaign “Operation Overload”, which used manipulated video content designed to imitate legitimate journalism.
Google said threat actors are also attempting to industrialise access to frontier AI models through automated registration pipelines, proxy infrastructure and account pooling services designed to bypass safety restrictions and account bans.
At the same time, AI systems themselves are increasingly becoming targets. GTIG identified malicious OpenClaw skill packages and broader supply chain attacks affecting AI-related platforms and repositories including LiteLLM and BerriAI.
Despite these developments, Google said AI is also strengthening defensive capabilities. The company highlighted projects such as Big Sleep, an AI-powered vulnerability discovery agent, and CodeMender, an experimental system designed to automatically patch software flaws.