<div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction</span></h3> <p><span style="vertical-align: baseline;">In the final quarter of 2025, Google Threat Intelligence Group (GTIG) observed threat actors increasingly integrating artificial intelligence (AI) to accelerate the attack lifecycle, achieving productivity gains in reconnaissance, social engineering, and malware development. This report serves as an update to our </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools"><span style="text-decoration: underline; vertical-align: baseline;">November 2025 findings</span></a><span style="vertical-align: baseline;"> regarding the advances in threat actor usage of AI tools.</span></p> <p><span style="vertical-align: baseline;">By identifying these early indicators and offensive proofs of concept, GTIG aims to arm defenders with the intelligence necessary to anticipate the next phase of AI-enabled threats, proactively thwart malicious activity, and continually strengthen both our classifiers and model.</span></p> <h3><span style="vertical-align: baseline;">Executive Summary</span></h3> <p><span style="vertical-align: baseline;">Google DeepMind and GTIG have identified an increase in model extraction attempts or "distillation attacks," a method of intellectual property theft that violates Google's terms of service. Throughout this report we've noted steps we've taken to thwart malicious activity, including Google detecting, disrupting, and mitigating model extraction activity. While we have not observed direct attacks on frontier models or generative AI products from advanced persistent threat (APT) actors, we observed and mitigated frequent model extraction attacks from private sector entities all over the world and researchers seeking to clone proprietary logic. </span></p> <p><span style="vertical-align: baseline;">For government-backed threat actors, large language models (LLMs)
