Cybercriminals Exploit Google’s Gemini AI for Sophisticated Cyberattacks
In a recent development, cybercriminals have begun exploiting Google’s Gemini AI model to orchestrate complex cyberattacks, as detailed in the February 2026 AI Threat Tracker report by Google’s Threat Intelligence Group (GTIG). This report highlights the emergence of the HONESTCUE framework, first identified in September 2025, which utilizes Gemini’s API to dynamically generate C# code for multi-stage malware, effectively evading traditional detection mechanisms.
Understanding the HONESTCUE Framework
HONESTCUE operates as a downloader and launcher that interacts with Gemini’s API using predefined prompts to retrieve self-contained C# source code. This code facilitates stage-two functionalities, such as downloading additional payloads from content delivery networks (CDNs) like Discord, all while avoiding the creation of disk artifacts.
The malware employs the legitimate .NET CSharpCodeProvider to compile and execute the received code directly in memory, complicating static analysis and behavioral detection. Developers have iteratively refined samples, submitting them to VirusTotal via a single account, suggesting a small team in proof-of-concept testing.
The Multi-Layered Attack Process
The attack unfolds in several stages:
1. API Interaction: The malware sends a static prompt to Gemini, receiving compilable C# code in return.
2. Dynamic Compilation: The CSharpCodeProvider processes the response into an executable assembly.
3. Payload Delivery: The second stage fetches bytes from attacker-controlled URLs, often via Discord CDN, then launches them using Process.Start or reflection.
4. Fileless Persistence: No binaries are written to disk, undermining endpoint forensics.
This method mirrors prior just-in-time techniques like PROMPTFLUX but outsources code generation externally. GTIG notes that the prompts evade Gemini’s safeguards since they lack explicit malice, blending into legitimate developer queries.
Broader Implications and Threat Actor Involvement
Threat actors are integrating Gemini across various phases, from reconnaissance to tooling. GTIG has tracked misuse by groups from North Korea, Iran (APT42), China (APT31, UNC795, APT41), and Russia for phishing, vulnerability research, and command-and-control scripting. For instance, APT31 posed as a security researcher to probe remote code execution (RCE) and web application firewall (WAF) bypasses. While no advanced persistent threats (APTs) have achieved paradigm-shifting breakthroughs, productivity gains are accelerating operations.
HONESTCUE’s design avoids detection by traditional signature-based antivirus software and network filters by varying the code it generates with each execution. Evidence suggests that the actors behind this have only modest skills. Tests conducted with Discord bots and repeated uploads to VirusTotal indicate that they possess limited resources, especially when compared to the sophistication typically seen in APTs, according to GTIG.
Additionally, a broader trend includes Xanthorox, an underground custom AI that proxies jailbroken Gemini through Model Context Protocol (MCP) servers.
Evasion Tactics and Detection Challenges
The attack process involves several key evasion tactics:
– Stage 1: Gemini API query appears as legitimate traffic to googleapis.com.
– Stage 2: In-memory compilation results in no disk input/output operations.
– Stage 3: Payloads are fetched from trusted domains like Discord.
Google has responded by disabling accounts, hardening the model, and implementing real-time classifiers. Gemini now refuses policy-violating requests, informed by these incidents. Defenders are advised to monitor API anomalies, block unusual Gemini traffic, and inspect in-memory .NET loads. Behavioral rules for CSharpCodeProvider usage or Discord CDN fetches from malware indicators of compromise (IOCs) are recommended. GTIG shares IOCs in GTI Collections for threat hunters. As AI tooling proliferates, vigilance against such sophisticated exploitation methods becomes increasingly crucial.
