Tech Insights 13 February 2026 8 min read

Google Threat Report: AI-Powered Malware Now Makes Live Gemini API Calls During Attacks

Google's Threat Intelligence Group has identified HONESTCUE, a fileless malware strain that calls the Gemini API in real time to generate attack payloads. Four nation-state groups from China, North Korea, Iran, and Russia are using AI to build tools that static antivirus software cannot detect. Here's what UK businesses need to do.

Mark McNeece, Founder, 365i

At a Glance
  • Google's GTIG confirmed malware called HONESTCUE makes live API calls to Gemini, receives C# code, and executes it entirely in memory with no files on disk.
  • China's APT31, North Korea's UNC2970, and Iran's APT42 are all using AI tools for vulnerability analysis, script development, and phishing.
  • Traditional file-based security scanners (Wordfence, Sucuri) cannot detect AI-generated fileless malware that compiles fresh code on each execution.
  • Model extraction attacks are rising, with threat actors issuing thousands of queries to replicate commercial AI models without paying for development.
  • Google's chief threat analyst warned that human-speed defence is no longer fast enough and security must respond at machine speed.

Google's Threat Intelligence Group published findings on 12 February 2026 confirming that malware is now making real-time API calls to Google's own Gemini AI during live attacks. A malware family called HONESTCUE sends prompts to Gemini, receives dynamically generated C# source code in response, compiles it in memory, and executes it. No files hit the disk. No signatures to match. The attack chain writes itself fresh every time it runs.

Separately, China's APT31 hacking group used Gemini with structured "cybersecurity expert persona" prompts to automate vulnerability analysis against US organisations. North Korea's UNC2970 and Iran's APT42 were also identified using AI tools across reconnaissance, script development, and phishing content generation.

For UK businesses, the takeaway isn't about geopolitics. It's about what happens when these techniques trickle down to commodity cybercrime, which they always do, and what that means for the security tools most small business websites actually use.

What HONESTCUE Actually Does (In Plain English)

Traditional malware downloads a malicious file. Your security scanner checks the file against a database of known threats. If it matches, it gets blocked. This has worked well enough for decades.

HONESTCUE doesn't do that. According to Google's GTIG report, it works in three stages:

  1. The downloader lands on the system. This part is small and relatively innocent-looking. It's a launcher, not the weapon.
  2. It calls Gemini's API with a prompt. The prompt requests specific C# code to carry out the next phase of the attack. Think of it as the malware asking an AI assistant to write a burglary toolkit on demand.
  3. It compiles and runs the code in memory. Using .NET's CSharpCodeProvider, the generated code executes without ever being saved as a file. When the process ends, the code vanishes.

This is what Google's researchers describe as "fileless execution." And it breaks a fundamental assumption most security tools rely on: that malicious code exists as a scannable file on disk.
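As an added defender-side illustration (not code from Google's report or from 365i), the snippet below shows how behavioural monitoring could correlate the two observables that stages 2 and 3 leave on a Windows host: an outbound connection to the Gemini API endpoint from a process that has no business making one, and that same process spawning the C# compiler, which CSharpCodeProvider invokes on .NET Framework. The endpoint hostname, the client allowlist and the sample telemetry are assumptions constructed for the example.

```python
from collections import defaultdict

# Hosts used by generative-AI APIs. generativelanguage.googleapis.com is the public
# Gemini API endpoint; the set is an assumption to be tuned for each environment.
AI_API_HOSTS = {"generativelanguage.googleapis.com"}
# Processes expected to talk to those hosts (assumption: browsers and an IDE).
ALLOWED_AI_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "code.exe"}
# Runtime code generation: CSharpCodeProvider shells out to csc.exe on .NET Framework.
COMPILERS = {"csc.exe", "vbc.exe"}


def correlate(events):
    """Return {pid: finding} for processes that call an AI API host from outside the
    allowlist; severity rises to 'high' when the same process also spawns a compiler,
    i.e. both halves of the ask-the-API-then-compile-in-memory chain are present."""
    state = defaultdict(lambda: {"image": None, "ai_call": False, "compiler": False})
    for ev in events:
        s = state[ev["pid"]]
        if ev["type"] == "process_create":
            s["image"] = ev["image"].rsplit("\\", 1)[-1].lower()
        elif ev["type"] == "network_connect" and ev["dest"].lower() in AI_API_HOSTS:
            s["ai_call"] = True
        elif ev["type"] == "child_process" and ev["child"].lower() in COMPILERS:
            s["compiler"] = True
    alerts = {}
    for pid, s in state.items():
        if s["ai_call"] and s["image"] not in ALLOWED_AI_CLIENTS:
            reasons = ["unexpected process contacted an AI API host"]
            if s["compiler"]:
                reasons.append("same process spawned a compiler (runtime code generation)")
            alerts[pid] = {"image": s["image"], "severity": "high" if s["compiler"] else "medium", "reasons": reasons}
    return alerts


# Constructed sample telemetry (Sysmon-style fields, not taken from the report).
SAMPLE_EVENTS = [
    {"pid": 4120, "type": "process_create", "image": "C:\\Users\\alice\\Downloads\\invoice_viewer.exe"},
    {"pid": 4120, "type": "network_connect", "dest": "generativelanguage.googleapis.com"},
    {"pid": 4120, "type": "child_process", "child": "csc.exe"},
    {"pid": 2210, "type": "process_create", "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe"},
    {"pid": 2210, "type": "network_connect", "dest": "generativelanguage.googleapis.com"},
    {"pid": 3301, "type": "process_create", "image": "C:\\Tools\\build.exe"},  # legitimate build, no API call
    {"pid": 3301, "type": "child_process", "child": "csc.exe"},
]

if __name__ == "__main__":
    for pid, a in correlate(SAMPLE_EVENTS).items():
        print(pid, a["severity"], a["image"], "; ".join(a["reasons"]))
```

Only pid 4120 is reported: the browser is allowlisted, and the build process compiles without ever contacting an AI endpoint, which is the whole point of requiring both observables before raising severity.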

The HONESTCUE attack chain: a small downloader calls Gemini's API for fresh code, then compiles and executes it entirely in memory.

State-Sponsored Hackers Are Using AI to Scale

The GTIG report identifies activity from multiple state-backed groups. As The Register reported, China's APT31 (also known as Violet Typhoon) used Gemini to automate vulnerability analysis against specific targets. They didn't just ask generic questions. They prompted Gemini with an "expert cybersecurity persona" and used Hexstrike, an open-source red-teaming tool built on the Model Context Protocol, to analyse exploits including remote code execution, WAF bypass techniques, and SQL injection.

John Hultquist, Google's Threat Intelligence Group chief analyst, didn't mince words:

"The adversaries' adoption of this capability is so significant; it's the next shoe to drop."

John Hultquist, Chief Analyst, Google Threat Intelligence Group (The Register)

North Korea's UNC2970 and Iran's APT42 were also flagged. The pattern across all three: AI isn't replacing human hackers. It's making each one faster, more consistent, and able to target more organisations simultaneously.

Google identified state-backed hacking groups from China (APT31), North Korea (UNC2970), and Iran (APT42) integrating AI into their attack workflows.

Why Your Website's Security Scanner Probably Won't Catch This

Most UK small business websites run security through one of two approaches: a WordPress plugin (Wordfence, Sucuri, iThemes Security) or whatever their hosting provider bundles in. Both rely heavily on the same principle: matching files on your server against databases of known malicious code.

That principle worked when malware was static. An attacker wrote a backdoor script, uploaded it to thousands of sites, and security vendors added its signature to their databases within hours. Your scanner would find it next time it ran.

HONESTCUE inverts this. The malicious code is generated fresh by AI for each execution. It compiles in memory and leaves nothing on disk. There's no file to scan, no signature to match, and no hash to look up. Your security plugin checking against 661 known vulnerabilities is looking for yesterday's threats. This one doesn't exist until it runs.

That doesn't mean signature-based tools are useless. They catch the vast majority of attacks, which are still commodity exploits using known code. But a gap has opened between what's possible and what most SME security is designed to stop.

The Other Threat: Stealing AI Models Themselves

The GTIG report also documents a rise in "model extraction" attacks, sometimes called distillation. Threat actors issue thousands of structured queries to commercial AI models, mapping their behaviour and response patterns. The goal is to build a knockoff model that approximates the original's capabilities without paying for development.

As Hultquist told The Register: "Your model is really valuable IP, and if you can distil the logic behind it, there's very real potential that you can replicate that technology."

For businesses using AI tools in their operations (content generation, customer service chatbots, data analysis), this is a second front to watch. The AI tools you rely on could become less effective if their underlying models are systematically replicated by bad actors operating without the same safety guardrails.

Traditional file-based scanning catches known threats. Behavioural monitoring and application-layer firewalls are needed to detect AI-generated attacks that leave no files on disk.

What UK Businesses Should Do Right Now

You don't need a nation-state threat budget to improve your defences. The same principles that protect against actively exploited zero-days and admin takeover exploits apply here, with a few additions.

1. Add behavioural monitoring to your stack. Signature-based scanning alone isn't enough. Tools that monitor what processes are doing (making unexpected API calls, compiling code at runtime, opening outbound connections) catch threats that file scans miss. If your hosting provider offers application-level monitoring, enable it.

2. Use a Web Application Firewall (WAF) that updates in real time. A properly configured WAF blocks the initial delivery mechanism before HONESTCUE-style malware can even reach its API-calling stage. Server-level WAFs are more effective than plugin-based ones because they intercept requests before PHP processes them.

3. Keep everything updated. Still. The WP Go Maps vulnerability affecting 300,000 sites and the Modular DS flaw granting instant admin access both show how quickly known flaws get exploited. AI-assisted attackers will find and chain these vulnerabilities faster than human hackers ever could.

4. Enable two-factor authentication on everything. Even if an attacker gains credentials through AI-assisted phishing (and the GTIG report confirms this is happening), 2FA stops the login.

5. Review your backup strategy. The UK's National Cyber Security Centre put it plainly this week: "Strong resilience and recovery plans reduce both the chances of an attack succeeding and the impact if one does." Daily offsite backups with tested restoration procedures are no longer optional. They're your last line of defence when everything else fails.

6. Consider managed maintenance if you're running WordPress. When AI-powered reconnaissance can scan thousands of sites for unpatched plugin vulnerabilities in minutes, the window between disclosure and exploitation is shrinking. Professional maintenance services apply patches within hours, not days.

The AI Arms Race in Cybersecurity

What makes this report different from the annual "cyber threats are getting worse" warnings is the specificity. Google isn't speculating. They caught malware making live Gemini API calls. They identified the prompt patterns. They watched APT31 build structured attack plans using AI personas.

Hultquist's second quote from the report carries the real weight: "We are going to have to leverage the advantages of AI, and increasingly remove humans from the loop, so that we can respond at machine speed."

That's Google's own chief threat analyst saying human-speed defence is no longer fast enough. For UK businesses, this translates into a practical reality: your security posture needs automated, intelligent components. Manual monthly check-ups and annual security audits are artefacts of a slower era.

The same AI models powering Chrome's Gemini auto-browse agent and Google's AI Overviews are being turned against the infrastructure they're built to serve. That's not ironic. It's the predictable consequence of making powerful tools publicly accessible. And it means the gap between "we'll get to security eventually" and "we needed it yesterday" just closed.

What to Watch Next

Google said it disabled the accounts associated with the attacks documented in this report. But the techniques aren't proprietary to Gemini. Any commercial AI API, or a locally-hosted open-source model, can serve the same purpose. Expect to see similar fileless malware families targeting other AI platforms.

The NCSC is expected to issue updated guidance for UK businesses in the coming weeks. The CMA's Digital Markets Act consultation (closing 25 February) may also address AI-related security obligations. And WordPress 7.0, due later this year, will need to address whether its plugin ecosystem is architecturally equipped for threats that bypass file-based security entirely.

For now, the action is clear: don't wait for the commodity version of HONESTCUE to hit WordPress hosting environments. Upgrade your security stack from "scan and match" to "watch and respond." The attackers already have.

Frequently Asked Questions

What is HONESTCUE malware?

HONESTCUE is a malware family identified by Google's Threat Intelligence Group. It sends prompts to Google's Gemini AI API and receives C# source code in response. That code is compiled and executed in memory without being saved as a file, making it invisible to traditional file-based security scanners.

Does this affect small UK businesses or just large enterprises?

The GTIG report focused on state-sponsored groups targeting larger organisations. But the techniques always filter down. AI-powered reconnaissance already automates the process of scanning thousands of small business websites for unpatched plugins and weak configurations. The tools used by APT31 today will be in commodity attack kits within months.

Will my WordPress security plugin (Wordfence, Sucuri) catch AI-generated malware?

Wordfence and Sucuri are effective against known threats using signature matching. They won't catch malware that generates fresh code via AI on every execution, because there's no file on disk and no known signature. Add a WAF and behavioural monitoring alongside your existing plugin for defence in depth.

What does "fileless execution" mean?

Fileless malware runs entirely in memory. It never saves a malicious file to the server's hard drive. When the process ends, the code disappears. This makes it extremely difficult for traditional antivirus and malware scanners to detect, because they primarily look for malicious files on disk.

Which countries are behind these AI-powered attacks?

Google identified state-backed groups from China (APT31/Violet Typhoon), North Korea (UNC2970), and Iran (APT42). All three were observed integrating AI tools into different phases of their attack workflows, from reconnaissance and vulnerability analysis to phishing content generation.

What is a model extraction attack?

Model extraction (also called distillation) involves issuing thousands of structured queries to a commercial AI model to map its behaviour. The goal is to build a copycat model that replicates the original's capabilities without the development cost. Google's report shows this is now a deliberate, systematic activity by threat actors.

How do I protect my website from AI-powered attacks?

Layer your defences: keep all software updated, use a real-time WAF (server-level, not just a plugin), enable behavioural monitoring, enforce two-factor authentication, and maintain daily offsite backups with tested restoration. Managed hosting or a maintenance plan handles most of this automatically.

Has Google stopped these attacks?

Google says it disabled the accounts associated with the activity documented in this report. But the techniques are not unique to Gemini. Any AI API, or a locally-hosted open-source model, can serve the same purpose. Disabling specific accounts doesn't eliminate the attack method itself.
