Google’s report reveals that over 10 Iranian cyber groups have leveraged Gemini for a range of hostile activities, including phishing campaigns, reconnaissance of defense organizations, vulnerability research, and social engineering tactics.
Among these groups, APT42, a well-documented Iranian cyber-espionage unit, was the most active, contributing to 30% of Iran’s AI-driven cyber threats. The group primarily used Gemini for crafting phishing emails, conducting reconnaissance on defense experts, and generating cybersecurity-themed content.
Iranian advanced persistent threat (APT) actors also exploited Gemini to research ways to extract sensitive data from Android devices, including SMS messages, account credentials, and social media contacts. The AI tool was further used for developing and debugging malware, modifying assembly code, and researching publicly known vulnerabilities.
Beyond cyber-attacks, Iranian state-affiliated actors have used Gemini to manipulate information and conduct influence operations online. Iran-based information operations (IO) groups accounted for 75% of all AI-assisted disinformation activity, leveraging Gemini for content creation, translation, localization, and propaganda dissemination.
According to GTIG, Iranian IO actors engaged in “generating articles, rewriting text with specific political tones, and optimizing content for maximum reach.” Some groups also sought SEO-optimized content to manipulate search rankings, while others asked Gemini to craft headline-grabbing video descriptions and hashtags promoting pro-regime narratives.
Google’s findings also indicate that Iranian APT actors used Gemini to gather intelligence on military targets and warfare technologies.
Embedded tweet from NCRI-FAC (@iran_policy), August 2, 2022: "#Iran News in Brief. At a Basij military exercise today, the Basij Force Chief Gholamreza Soleimani stated the regime is employing a 500,000-man strong #cyber army to dominate the #internet. https://t.co/3ACJCzTx4M"
APT42, for example, sought AI-assisted explanations on U.S. aerospace defense systems, researched Israeli missile defense mechanisms, and investigated anti-drone technologies. Additionally, other Iranian groups explored satellite jamming techniques and electronic warfare methods.
According to the report, Iranian actors exhibited the broadest and most aggressive use of AI for both cyber-attacks and influence operations, indicating Tehran’s increasing reliance on AI to expand its cyber warfare capabilities and online disinformation campaigns.
Google emphasized that Gemini’s safety mechanisms prevented the generation of outright malicious content, such as fully functional malware or phishing toolkits. However, Iranian threat actors attempted to bypass security filters using publicly available jailbreak prompts.
Despite these efforts, Google maintains that its AI models remain resistant to direct exploitation, with built-in safeguards restricting Gemini’s ability to produce harmful outputs.
The report highlights the regime’s growing reliance on AI for cyber warfare and information control, which presents a serious challenge for global cybersecurity. With Iranian APT actors leading in the weaponization of AI, the potential for AI-assisted cyber threats, espionage, and state-sponsored disinformation is rising.
Google’s findings also suggest that the Iranian regime is increasingly integrating AI into its cyber and intelligence apparatus, making it imperative for governments, tech companies, and security agencies to enhance AI security frameworks and counter emerging AI-driven threats.