"Google on Thursday said it observed the North Korea-linked threat actor known as UNC2970 using its generative artificial intelligence (AI) model Gemini to conduct reconnaissance on its targets, as various hacking groups continue to weaponize the tool for accelerating various phases of the cyber attack life cycle, enabling information operations, and even conducting model extraction attacks.

"The group used Gemini to synthesize OSINT and profile high-value targets to support campaign planning and reconnaissance," Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker News. "This actor's target profiling included searching for information on major cybersecurity and defense companies and mapping specific technical job roles and salary information."

The tech giant's threat intelligence team characterized this activity as a blurring of boundaries between what constitutes routine professional research and malicious reconnaissance, allowing the state-backed actor to craft tailored phishing personas and identify soft targets for initial compromise.

UNC2970 is the moniker assigned to a North Korean hacking group that overlaps with a cluster that's tracked as Lazarus Group, Diamond Sleet, and Hidden Cobra. It's best known for orchestrating a long-running campaign codenamed Operation Dream Job to target aerospace, defense, and energy sectors with malware under the guise of approaching victims under the pretext of job openings.

GTIG said UNC2970 has "consistently" focused on defense targeting and impersonating corporate recruiters in their campaigns, with the target profiling including searches for "information on major cybersecurity and defense companies and mapping specific technical job roles and salary information.""

https://thehackernews.com/2026/02/google-reports-state-backed-hackers.html

#CyberSecurity #Gemini #AI #GenerativeAI #Google #NorthKorea #OSINT #StateHacking