Artificial intelligence (AI) has become a priority target for cybercriminals, who seek to clone proprietary models while also using AI to refine and execute more sophisticated attacks. This dual aspect has driven the growth of a black market for AI-based services, according to the ‘AI Threat Tracker’ report by Google Threat Intelligence Group (GTIG). Over the past year, there has been an increase in so-called distillation attacks, which involve extracting generative AI models to analyze their functioning and replicate them. The main interest of attackers lies in understanding the internal reasoning of the models and their decision-making processes, with Gemini being one of the most coveted targets. The GTIG report emphasizes that malicious actors use AI in all phases of their operations, from programming and script creation to gathering information on potential victims, analyzing vulnerabilities, and executing actions after compromising a system. Among the highlighted cases is APT42, a group linked to Iran, which used generative AI models to identify official emails and analyze potential business partners, thus facilitating the creation of credible pretexts for their campaigns. Meanwhile, UNC2970, associated with North Korea, used Gemini to synthesize intelligence from open sources (OSINT) and profile strategic targets. AI has also been experimentally employed to enhance malware capabilities. An example is HONESTCUE, which used the Gemini API to outsource functionality generation, aiming to evade traditional detection and analysis systems. Additionally, the COINBAIT phishing kit, designed to impersonate cryptocurrency exchange services and steal credentials, was developed using AI-assisted code generation tools. The report also identifies the existence of a black market for AI services aimed at illicit activities, with forums in English and Russian where AI-powered tools and services are traded. However, cybercriminals still face challenges in creating custom models, often resorting to existing and mature solutions. An illustrative case is the Xanthorox kit, marketed as a personalized AI for the autonomous creation of malware and phishing campaigns. However, GTIG's analysis reveals that, rather than being an exclusive development, it is based on the integration of commercial and third-party products. Source: europapress.es