Google has confirmed that state-backed threat actors are operationally using Gemini across the intrusion lifecycle — not experimentally, but strategically.
In this episode of Security Squawk, we break down how AI is being integrated into reconnaissance, phishing refinement, vulnerability research, and even dynamic malware generation.
According to Google’s Threat Intelligence Group, multiple clusters — including DPRK-linked actors — are using Gemini to synthesize OSINT, map organizational structures, refine recruiter impersonation campaigns, and research exploit paths. In one case, malware known as HONESTCUE leveraged Gemini’s API to dynamically generate C# code for stage-two payload behavior, compile it in memory using legitimate .NET tooling, and execute filelessly.
This isn’t a zero-day story.
It’s a friction story.
At the same time, two individuals in Connecticut were charged for allegedly using thousands of stolen identities to exploit FanDuel’s onboarding and promotional systems. No exotic exploit. No advanced intrusion chain. Just automated workflow abuse at scale.
The pattern is clear: AI is compressing attacker timelines, and identity-driven fraud is industrializing predictable processes.
We examine:
How AI-enhanced phishing eliminates traditional grammar-based red flags
Why trusted SaaS domains (Gemini share links, Discord CDNs, Cloudflare fronting, Supabase backends) are weakening reputation-based defenses
What model distillation attempts (100,000+ structured prompts) signal about API abuse and intellectual property risk
How fileless malware compiled with legitimate developer tooling challenges signature-based detection
Why onboarding workflows and recruiting processes are now primary attack surfaces
For CEOs, this is about erosion of trust anchors and shifting insurability expectations.
For IT Directors and SOC leaders, this means reevaluating fileless execution visibility, API anomaly detection, and the reliability of reputation filtering models.
For MSPs and risk managers, breaches will increasingly originate from workflow exploitation rather than perimeter misconfiguration.
AI didn’t invent new attack types.
It removed friction from existing ones.
And when friction disappears, scale compounds.
If your recruiting, onboarding, verification, or AI product interfaces can be scripted — they can be weaponized.
This episode is about operational clarity in a rapidly compressing threat landscape.
Keywords: Google Gemini, HONESTCUE malware, AI phishing, state-backed threat actors, DPRK cyber operations, model distillation attacks, API abuse detection, fileless malware, .NET in-memory compilation, identity fraud, FanDuel fraud case, workflow exploitation, SaaS infrastructure abuse, Cloudflare phishing, Discord CDN payloads, Supabase backend abuse.
Support the show https://buymeacoffee.com/securitysquawk
Информация по комментариям в разработке