• Google Reports State-Backed Hackers Using Gemini AI for Recon and Attack Support
• Google on Thursday said it observed the North Korea-linked threat actor known as UNC2970 using its generative artificial intelligence (AI) model Gemini to conduct reconnaissance on its targets, as various hacking groups continue to weaponize the tool for accelerating various phases of the cyber attack life cycle, enabling information operations, and even conducting model extraction attacks.
• “The group used Gemini to synthesize OSINT and profile high-value targets to support campaign planning and reconnaissance,” Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker News.
• “This actor’s target profiling included searching for information on major cybersecurity and defense companies and mapping specific technical job roles and salary information.” The tech giant’s threat intelligence team characterized this activity as a blurring of boundaries between what constitutes routine professional research and malicious reconnaissance, allowing the state-backed actor to craft tailored phishing personas and identify soft targets for initial compromise.
• UNC2970 is the moniker assigned to a North Korean hacking group that overlaps with a cluster that’s tracked as Lazarus Group, Diamond Sleet, and Hidden Cobra.
• It’s best known for orchestrating a long-running campaign codenamed Operation Dream Job to target aerospace, defense, and energy sectors with malware by approaching victims under the pretext of job openings.
• GTIG said UNC2970 has “consistently” focused on defense targeting and impersonating corporate recruiters in their campaigns, with the target profiling including searches for “information on major cybersecurity and defense companies and mapping specific technical job roles and salary information.” UNC2970 is far from the only threat actor to have misused Gemini to augment their capabilities and move from initial reconnaissance to active targeting at a faster cli
Article Summaries:
- Google on Thursday said it observed the North Korea-linked threat actor known as UNC2970 using its generative artificial intelligence (AI) model Gemini to conduct reconnaissance on its targets, as various hacking groups continue to weaponize the tool for accelerating various phases of the cyber attack life cycle, enabling information operations, and even conducting model extraction attacks. “The group used Gemini to synthesize OSINT and profile high-value targets to support campaign planning and reconnaissance,” Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker Ne
Sources: