Google's AI Threats Report Flags Key Risks

Threat actors are no longer just testing AI—they're embedding it deeply into cyberattacks, from automating reconnaissance to building malware. Google Threat Intelligence Group's new report, released today on February 18, 2026, maps this shift, urging defenders to adapt quickly. Enterprises face heightened risks as groups like APT31 scale operations with agentic tools.

Google's GTIG AI Threat Tracker report outlines five categories of adversarial AI misuse: model extraction attacks via distillation, AI-augmented operations, agentic AI for automation, AI-integrated malware, and underground jailbreak services. It draws from real-world observations of actors from China, North Korea, and Iran integrating tools like Gemini into intrusions.

Background: AI's Dual Role in Cyber Operations

AI adoption has surged across industries, but so has its weaponization. Google Threat Intelligence Group has tracked this for years, noting how threat actors moved from basic AI plugins in social engineering to dynamic, autonomous uses. The February 2026 Cloud CISO Perspectives newsletter features chief analyst John Hultquist detailing the latest findings in the GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use.

This isn't hype—it's documented evolution. Early misuse focused on simple tasks like generating phishing emails. Now, actors treat AI as a core operational layer, streamlining the intrusion lifecycle from reconnaissance to post-exploitation. Background context: Knowledge distillation, a standard machine-learning method, compresses large models by training smaller ones on their outputs. Threat actors flip this for theft.

Google positions this report as a regular update to build collective defenses. It complements broader efforts like threat intelligence disruptions and tools such as CodeMender, an experimental AI agent from DeepMind using Gemini to fix code vulnerabilities.

How Are Threat Actors Weaponizing AI?

Model Extraction Attacks

Adversaries query AI models via APIs to reverse-engineer their logic, a process called model extraction or distillation. This steals intellectual property, letting attackers build rival models cheaply and quickly. The report flags this as a business risk for model providers, recommending API monitoring for suspicious query patterns.

In practice, attackers send crafted inputs to infer training data or weights. Frontier labs see most attacks now, but public APIs invite broader targeting. Enterprises offering AI services must log query volumes, sequences, and anomalies—patterns like repeated similar prompts signal distillation attempts.

AI-Augmented Operations

Threat groups enhance traditional tactics with AI. North Korean and Iranian actors use Gemini not just for static phishing but to craft dynamic social engineering, handling complex victim interactions. Government-backed attackers query Gemini for coding, target research, vulnerability intel, and post-compromise scripts.

Case studies in the report show streamlined reconnaissance and rapport-building. This scales operations: one actor prompts for custom scripts instead of manual coding, cutting time and errors.

Agentic AI in the Wild

Agentic capabilities—AI that acts autonomously toward goals—alarm most. China-nexus APT31 uses them to automate reconnaissance, scaling beyond human limits. Other actors prompt Gemini with "expert cybersecurity persona" to audit code or develop malware tools.

Engineering here involves chaining prompts: an agent plans, executes, and iterates. Tradeoffs include reliability—hallucinations persist—but gains in speed outweigh for low-stakes recon. Defenders see this in logs: unusual API calls mimicking security experts.

AI-Integrated Malware

Malware families like HONESTCUE call Gemini APIs to generate second-stage payloads on-device. This evades static analysis; code assembles dynamically. The report documents this experimentation, where AI fetches and executes downloads.

Underground Jailbreak market

Services like Xanthorox sell "independent" models but proxy jailbroken commercial APIs or open-source model context protocol servers. This democratizes misuse, lowering barriers for less-skilled criminals.

Technical Deep Dive: Dissecting Distillation and Agentic Systems

Model distillation starts with a teacher model (e.g., a proprietary LLM). Attackers query it millions of times, approximating outputs to train a student model. Tradeoffs: High query costs versus stolen capability. Detection relies on rate limiting, watermarking outputs, or behavioral analytics—Google disrupts via account suspensions.

Agentic AI builds on this. Frameworks like those in Gemini allow multi-step reasoning: observe environment, plan actions, execute via tools (e.g., code gen), reflect. APT31's use automates target scanning; prompts might say, "Act as a recon agent: enumerate domains for company X."

Real tradeoffs for attackers: API rate limits force multi-account setups, detectable via clustering. Models resist via safety layers, but jailbreaks persist. For defenders, engineering means hardening APIs and behavioral monitoring. Google's Big Sleep, from DeepMind and Project Zero, hunts vulns proactively—launched last year.

AI malware introduces runtime dependencies: HONESTCUE needs internet for Gemini calls, creating a kill chain weakness. Reverse-engineering shows API keys hardcoded or exfiltrated, ripe for hunting.

Google's Response and Competitive market

Google disables threat actor projects and bolsters models against misuse. CodeMender auto-fixes critical vulns using Gemini reasoning. The Secure AI Framework (SAIF) provides standards for secure AI deployment.

Competitors like Microsoft (with Copilot defenses) and OpenAI emphasize similar safeguards—rate limits, content filters—but Google's vertical integration via Cloud and Android gives threat intel edge. Mandiant, under Google Cloud, tracks groups like UNC1069 using AI in crypto attacks, as noted in recent blogs.

No direct comparisons in numbers, but Google's market—Gemini, Vertex AI—exposes it to these threats firsthand, informing reports.

Implications: Risks Enterprises Can't Ignore

Developers building AI services face IP theft; monitor APIs for extraction. Businesses see scaled phishing—AI handles objections in real-time calls. End users? Malware that evolves payloads dynamically.

Most coverage misses API hygiene: log all queries, baseline normal use. Agentic risks amplify breaches; one automated actor scans thousands. In 2026, with sovereign clouds expanding (Google announced portfolio growth this month), data residency adds layers.

Risks overlooked: Jailbreak markets lower entry, blending state and crime. Quantum threats loom separately, per Google's recent call to action.

What Should Defenders Watch in 2026?

Expect distillation to hit mid-tier models as exposure grows. Agentic malware will mature, chaining multiple LLMs. Google's SAIF pushes standards—watch adoption.

Track GTIG updates; they disrupted operations via intel. New tools like single-tenant Cloud HSM aid key control amid AI crypto ops.

Frequently Asked Questions

What is model extraction in AI threats?

Model extraction uses distillation to steal a model's knowledge by querying its API extensively. Attackers train their own model on responses, bypassing development costs. Google advises API monitoring for patterns like high-volume similar queries.

How is APT31 using agentic AI?

China-nexus APT31 employs agentic capabilities to automate reconnaissance, scaling operations beyond manual limits. This involves AI agents planning and executing tasks autonomously.

What is HONESTCUE malware?

HONESTCUE integrates Gemini APIs to generate code for downloading second-stage malware. It represents early AI-malware experimentation, relying on external model calls.

What defenses does Google recommend?

Monitor APIs for distillation, disable suspicious accounts, and adopt frameworks like SAIF. Tools like CodeMender fix code vulns automatically.

Are AI threats limited to state actors?

No, underground services like Xanthorox enable criminals via jailbroken APIs, expanding the market.

Enterprises must integrate AI threat hunting into SOCs now. As 2026 unfolds, watch for AI in defense industrial base targeting—GTIG notes relentless state ops there. Upcoming: More agentic defenses, perhaps standardized via industry frameworks. The question remains: Can safety layers outpace adversarial creativity?