Google Reveals Surge in AI-Powered Attacks Targeting Gemini, Signs of Weaponized AI
Google's Threat Intelligence Group has unveiled a new AI Threat Tracker report documenting a sharp rise in adversarial attacks targeting its Gemini AI model, including extraction attacks, state-sponsored efforts, and AI-integrated malware. The findings signal that AI systems are now entering the frontline of cyber warfare.

In a landmark disclosure, Google’s Threat Intelligence Group (GTIG) has released its latest AI Threat Tracker report, revealing a dramatic escalation in sophisticated cyberattacks specifically engineered to exploit its Gemini large language model. According to the report, adversaries are no longer merely testing AI vulnerabilities—they are actively weaponizing them in real-world operations. The findings underscore a critical inflection point in cybersecurity: AI systems themselves are now primary targets and tools in digital conflict.
One of the most alarming trends documented is the rise of extractive inference attacks against Gemini. These attacks attempt to reverse-engineer the model’s internal reasoning by submitting carefully crafted prompts to extract proprietary training data, system prompts, or confidential outputs. GTIG observed a 300% increase in such attempts during the final quarter of 2025 compared to the previous quarter, suggesting a coordinated shift in adversarial tactics. These efforts are often automated and scaled using bot networks designed to bypass rate limits and detection systems.
Equally concerning is the emergence of state-sponsored AI attacks. GTIG identified multiple campaigns with infrastructure and linguistic signatures consistent with nation-state actors, particularly from regions with advanced AI research capabilities. These actors are not merely probing for weaknesses—they are integrating AI models into espionage and disinformation operations. One campaign, traced to a sophisticated actor linked to a foreign intelligence service, used Gemini to generate highly convincing phishing emails tailored to government officials, with success rates exceeding 40% in controlled tests.
Perhaps most insidious is the rise of AI-integrated malware. Unlike traditional malware that relies on static code, these new variants embed lightweight AI components to dynamically adapt their behavior based on environmental feedback. For example, one sample observed by GTIG could analyze user behavior on a target system and modify its payload to evade detection by endpoint security tools. This represents a paradigm shift: malware is no longer just code—it’s an adaptive, learning entity capable of evolving mid-infection.
Google’s report also highlights the growing use of model distillation as an adversarial technique. Attackers are training smaller, stealthier models to mimic Gemini’s responses, effectively creating clones that can be deployed on compromised devices without triggering cloud-based monitoring. These distilled models can then be used to generate synthetic content, bypass content moderation systems, or serve as backdoors for persistent access.
While Google emphasizes that its defenses remain robust—pointing to ongoing improvements in adversarial training, input sanitization, and real-time anomaly detection—the scale and sophistication of these threats demand a global response. "We are witnessing the militarization of AI," said a senior GTIG analyst, speaking anonymously. "The tools are no longer theoretical. They’re in the wild, and they’re being used by increasingly capable adversaries."
Industry experts warn that the private sector must collaborate more closely with governments to establish norms and defensive standards. "This isn’t just Google’s problem," said Dr. Elena Ruiz, a cybersecurity researcher at Stanford’s Center for AI Safety. "If we don’t develop shared protocols for AI model security, we risk a future where every major AI system becomes a target—and every attack on an AI system has cascading effects across finance, healthcare, and critical infrastructure."
Google has not disclosed specific details about the actors involved but has committed to sharing anonymized threat indicators with trusted partners through its AI Security Initiative. The company also announced plans to release open-source tools to help developers harden their AI systems against extraction and poisoning attacks.
As AI becomes embedded in every layer of digital infrastructure, the line between cyberattack and AI sabotage is vanishing. The GTIG report serves as a wake-up call: the next generation of cyber conflict will not be fought with firewalls alone—it will be fought with and against artificial intelligence itself.


