Imagine building a cutting-edge tool to help developers code faster, only to watch a state-sponsored hacking group use it to plan a digital break-in. This isn’t a hypothetical scenario; it’s exactly what Google confirmed this week. On February 12, 2026, Google’s Threat Intelligence Group (GTIG) revealed that China-backed hackers, known as APT31, have been actively using Google’s own Gemini AI to plan and execute cyberattacks against US organizations.
This isn’t just a case of a hacker asking a chatbot for a phishing email template. The report details a significant shift toward what experts call “agentic” threats—where attackers use AI not just to write text, but to autonomously interact with security tools. It’s a complex development that blurs the line between routine security testing and malicious reconnaissance.
How did APT31 actually use Gemini?
According to the research findings, APT31 didn’t just casually chat with Gemini. They employed a “highly structured approach” involving specific expert personas designed to bypass safety filters and generate comprehensive testing plans. The group, also known as Zirconium or Violet Typhoon, has a history of targeting critical infrastructure, and this latest move shows they are evolving their toolkit.
The most alarming detail is their use of a tool called “Hexstrike.” This is an open-source red-teaming tool built on the Model Context Protocol (MCP). If you aren’t familiar with MCP, think of it as a bridge that allows a Large Language Model (LLM) like Gemini to talk directly to other software.
By using Hexstrike, APT31 was able to connect Gemini to actionable security tools, automating the analysis of vulnerabilities like Remote Code Execution (RCE) and SQL injection. Instead of manually typing commands, the AI could help orchestrate the attack flow against specific US targets. Google noted that this activity “explicitly blurs the line” between a security audit and a targeted attack.
Is China the only actor doing this?
While the APT31 revelation is grabbing headlines because of the sophistication of the tool usage, APT31 is not the only group exploiting generative AI. In fact, it isn’t even the heaviest user.
The report highlights that Iran’s APT42 is actually the most prolific user of Gemini for malicious purposes, accounting for approximately 30% of all observed Iranian malicious use. However, APT42’s tactics differ significantly from their Chinese counterparts. The Iranian group primarily utilizes the AI for social engineering and crafting convincing phishing campaigns rather than the technical infrastructure attacks seen with APT31.
Google has since disabled the accounts linked to these campaigns, but the cat-and-mouse game is clearly intensifying. The report also warned of a rise in “distillation attacks,” where hackers attempt to steal the intellectual property of the AI model itself, essentially trying to clone the brain of the AI to run it offline without restrictions.
Does this mean AI gives hackers new super-powers?
This is the big question everyone is asking: has AI enabled hackers to do things they couldn’t do before? According to Google and Chief Analyst John Hultquist, the answer so far is no.
The report states that while AI significantly boosts attacker productivity, it has not yet enabled “novel capabilities.” In other words, the AI isn’t inventing new, unpatchable exploits on its own yet. It is simply allowing existing groups to scale their operations and automate the tedious parts of reconnaissance.
John Hultquist noted that groups like APT31 will continue to build “agentic approaches for cyber offensive scale.” This suggests the immediate threat isn’t a super-intelligent AI hacker, but rather human hackers who can now work ten times faster thanks to AI assistants.
What This Really Means
This incident marks a critical pivot from theoretical AI risks to operational reality. The use of MCP-based tools like Hexstrike signals that attackers are moving faster than defenders in adopting “agentic” workflows, turning open-source innovation into a dual-use weapon against the very infrastructure it was meant to protect. While Google downplays the “novelty” of these attacks, the real danger isn’t new exploits—it’s the automation of the “boring” parts of hacking, which lowers the barrier to entry and allows state actors to probe US defenses at a volume that human analysts simply cannot match.