Attackers abuse Gemini AI to develop ‘Thinking Robot’ malware and data processing agent for spying purposes

November 5, 2025

The integration of AI technologies like Gemini in malware development represents a significant evolution in cyber threats, enabling attackers to automate complex data analysis and enhance evasion tactics. Specifically, groups like APT42 and APT28 are experimenting with AI to refine their operations, creating tools that can generate malicious code dynamically and enhance their data-mining capabilities.

Recent findings from Google's Threat Intelligence Group reveal that adversaries, including APT42 of Iran and APT28 from Russia, are increasingly utilizing AI like Gemini to advance their cyber campaigns. Gemini, which is expected to revolutionize various sectors, is being exploited by nation-state actors to develop sophisticated malware, notably a 'Thinking Robot' module that can self-modify for evasion purposes. This module is capable of performing complex tasks such as converting natural language requests into SQL queries, facilitating unprecedented levels of data access and manipulation for intelligence purposes.

Furthermore, the report illustrates how the 'PromptFlux' malware utilizes AI-driven code regeneration during its execution to create evasive functions on the fly. This tactic signals a shift towards utilizing large language models in real time to deliver actionable commands to malware, marking a concerning advancement in cyber threat capabilities. Although PromptFlux is reportedly not ready for deployment, its existence indicates a trend towards malware that can adapt to its environment, raising the stakes for cybersecurity defenses.

The increase in AI-powered attacks not only complicates the landscape for defenders but also has broader implications for global cybersecurity. The ability of attackers to automate and optimize their strategies through AI could outpace traditional defense mechanisms, which often rely on static detection techniques. There is an urgent need for the industry to adapt its approach to threat detection and response to address this evolving threat landscape.

In addition to malware development, the report details instances of social engineering attempts on the Gemini platform, further demonstrating the lengths to which attackers will go to exploit AI for malicious purposes. These developments are crucial signals for organizations and cybersecurity professionals to enhance their security posture and prepare for an era where AI plays a central role in cyber warfare and espionage.