State-backed hackers are using Google’s Gemini AI model to support all stages of an attack, from reconnaissance to post-compromise actions.

Bad actors from China (APT31, Temp.HEX), Iran (APT42), North Korea (UNC2970), and Russia used Gemini for target profiling and open-source intelligence, generating phishing lures, translating text, coding, vulnerability testing, and troubleshooting.

Cybercriminals are also showing increased interest in AI tools and services that could help in illegal activities, such as social engineering ClickFix campaigns.

AI-enhanced malicious activity

The Google Threat Intelligence Group (GTIG) notes in a report today that APT adversaries use Gemini to support their campaigns “from reconnaissance and phishing lure creation to command and control  (C2) development and data exfiltration.”

Chinese threat actors employed an expert cybersecurity persona to request that Gemini automate vulnerability analysis and provide targeted testing plans in the context of a fabricated scenario.

“The PRC-based threat actor fabricated a scenario, in one case trialing Hexstrike MCP tooling, and directing the model to analyze Remote Code Execution (RCE), WAF bypass techniques, and SQL injection test results against specific US-based targets,” Google says.

Another China-based actor frequently employed Gemini to fix their code, carry out research, and provide advice on technical capabilities for intrusions.

The Iranian adversary APT42 leveraged Google’s LLM for social engineering campaigns, as a development platform to speed up the creation of tailored malicious tools (debugging, code generation, and researching exploitation techniques).

Additional threat actor abuse was observed for implementing new capabilities into existing malware families, including the CoinBait phishing kit and the HonestCue malware downloader and launcher.

GTIG notes that no major breakthroughs have occurred in that respect, though the tech giant expects malware operators to continue to integrate AI capabilities into their toolsets.

HonestCue is a proof-of-concept malware framework observed in late 2025 that uses the Gemini API to generate C# code for second-stage malware, then compiles and executes the payloads in memory.

CoinBait is a React SPA-wrapped phishing kit masquerading as a cryptocurrency exchange for credential harvesting. It contains artifacts indicating that its development was advanced using AI code generation tools.

One indicator of LLM use is logging messages in the malware source code that were prefixed with “Analytics:,” which could help defenders track data exfiltration processes.

Based on the malware samples, GTIG researchers believe that the malware was created using the Lovable AI platform, as the developer used the Lovable Supabase client and lovable.app.

Cybercriminals also used generative AI services in ClickFix campaigns, delivering the AMOS info-stealing malware for macOS. Users were lured to execute malicious commands through malicious ads listed in search results for queries on troubleshooting specific issues.

The report further notes that Gemini has faced AI model extraction and distillation attempts, with organizations leveraging authorized API access to methodically query the system and reproduce its decision-making processes to replicate its functionality.

Although the problem is not a direct threat to users of these models or their data, it constitutes a significant commercial, competitive, and intellectual property problem for the creators of these models.

Essentially, actors take information obtained from one model and transfer the information to another using a machine learning technique called “knowledge distillation,” which is used to train fresh models from more advanced ones.

“Model extraction and subsequent knowledge distillation enable an attacker to accelerate AI model development quickly and at a significantly lower cost,” GTIG researchers say.

Google flags these attacks as a threat because they constitute intellectual theft, they are scalable, and severely undermine the business model of AI-as-a-service, which has the potential to impact end users soon.

In a large-scale attack of this kind, Gemini AI was targeted by 100,000 prompts that posed a series of questions aimed at replicating the model’s reasoning across a range of tasks in non-English languages.

Google has disabled accounts and infrastructure tied to documented abuse, and has implemented targeted defenses in Gemini’s classifiers to make abuse harder.

The company assures that it “designs AI systems with robust security measures and strong safety guardrails” and regularly tests the models to improve their security and safety.

Modern IT infrastructure moves faster than manual workflows can handle.

In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.

Get the guide

When enterprises fine-tune LLMs for new tasks, they risk breaking everything the models already know. This forces companies to maintain separate models for every skill.

Researchers at MIT, the Improbable AI Lab and ETH Zurich have developed a new technique that enables large language models to learn new skills and knowledge without forgetting their past capabilities.

Their technique, called self-distillation fine-tuning (SDFT), allows models to learn directly from demonstrations and their own experiments by leveraging the inherent in-context learning abilities of modern LLMs. Experiments show that SDFT consistently outperforms traditional supervised fine-tuning (SFT) while addressing the limitations of reinforcement learning algorithms.

For enterprise applications, the method enables a single model to accumulate multiple skills over time without suffering from performance regression on earlier tasks. This offers a potential pathway for building AI agents that can adapt to dynamic business environments, gathering new proprietary knowledge and skills as needed without requiring expensive retraining cycles or losing their general reasoning abilities.

The challenge of continual learning

Once an LLM is trained and deployed, it remains static. It does not update its parameters to acquire new skills, internalize new knowledge, or improve from experience. To build truly adaptive AI, the industry needs to solve “continual learning,” allowing systems to accumulate knowledge much like humans do throughout their careers.

The most effective way for models to learn is through “on-policy learning.” In this approach, the model learns from data it generates itself allowing it to correct its own errors and reasoning processes. This stands in contrast to learning by simply mimicking static datasets. Without on-policy learning, models are prone to “catastrophic forgetting,” a phenomenon where learning a new task causes the model to lose its past knowledge and ability to perform previous tasks.

However, on-policy learning typically requires reinforcement learning (RL), which depends on an explicit reward function to score the model’s outputs. This works well for problems with clear outcomes, such as math and coding. But in many real-world enterprise scenarios (e.g., writing a legal brief or summarizing a meeting), defining a mathematical reward function is difficult or impossible.

RL methods also often fail when trying to teach a model entirely new information, such as a specific company protocol or a new product line. As Idan Shenfeld, a doctorate student at MIT and co-author of the paper, told VentureBeat, “No matter how many times the base model tries, it cannot generate correct answers for a topic it has zero knowledge about,” meaning it never gets a positive signal to learn from.

The standard alternative is supervised fine-tuning (SFT), where the model is trained on a fixed dataset of expert demonstrations. While SFT provides clear ground truth, it is inherently “off-policy.” Because the model is just mimicking data rather than learning from its own attempts, it often fails to generalize to out-of-distribution examples and suffers heavily from catastrophic forgetting. 

SDFT seeks to bridge this gap: enabling the benefits of on-policy learning using only prerecorded demonstrations, without needing a reward function.

How SDFT works

SDFT solves this problem by using “distillation,” a process where a student model learns to mimic a teacher. The researchers’ insight was to use the model’s own “in-context learning” (ICL) capabilities to create a feedback loop within a single model.

In-context learning is the phenomenon where you provide the LLM with a difficult task and one or more demonstrations of how similar problems are solved. Most advanced LLMs are designed to solve new problems with ICL examples, without any parameter updates.

During the training cycle, SDFT employs the model in two roles.

The teacher: A frozen version of the model is fed the query along with expert demonstrations. Using ICL, the teacher deduces the correct answer and the reasoning logic required to reach it.

The student: This version sees only the query, simulating a real-world deployment scenario where no answer key is available.

When the student generates an answer, the teacher, which has access to the expert demonstrations, provides feedback. The student then updates its parameters to align closer to the teacher’s distribution.

This process effectively creates an on-policy learning loop by combining elements of SFT and RL. The supervision comes not from a static dataset, but from the model’s own interaction and outputs. It allows the model to correct its own reasoning trajectories without requiring an external reward signal. This process works even for new knowledge that RL would miss.

SDFT in action

To validate the approach, the researchers tested SDFT using the open-weight Qwen 2.5 model on three complex enterprise-grade skills: science Q&A, software tool use, and medical reasoning.

The results showed that SDFT learned new tasks more effectively than standard methods. On the Science Q&A benchmark, the SDFT model achieved 70.2% accuracy, compared to 66.2% for the standard SFT approach.

More important for enterprise adoption is the impact on catastrophic forgetting. When the standard SFT model learned the science task, its ability to answer general questions (such as logic or humanities) collapsed. In contrast, the SDFT model improved on the science task while holding its “Previous Tasks” score steady at 64.5%. This stability suggests companies could specialize models for specific departments (e.g., HR or Legal) without degrading the model’s basic common sense or reasoning capabilities.

The team also simulated a knowledge injection scenario, creating a dataset of fictional “2025 Natural Disasters” to teach the model new facts. They tested the model on indirect reasoning questions, such as “Given the floods in 2025, which countries likely needed humanitarian aid?”

Standard SFT resulted in a model that memorized facts but struggled to use them in reasoning scenarios. The SDFT model, having internalized the logic during training, scored 98% on the same questions.

Finally, the researchers conducted a sequential learning experiment, training the model on science, tool use, and medical tasks one after another. While the standard model’s performance oscillated, losing previous skills as it learned new ones, the SDFT model successfully accumulated all three skills without regression.

This capability addresses a major pain point for enterprises currently managing “model zoos” of separate adapters for different tasks.

“We offer the ability to maintain only a single model for all the company’s needs,” Shenfeld said. This consolidation “can lead to a substantial reduction in inference costs” because organizations don’t need to host multiple models simultaneously.

SDFT limitations and availability

The code for SDFT is available on GitHub and ready to be integrated into existing model training workflows.

“The SDFT pipeline is more similar to the RL pipeline in that it requires online response generation during training,” Shenfeld said. They are working with Hugging Face to integrate SDFT into the latter’s Transformer Reinforcement Learning (TRL) library, he added, noting that a pull request is already open for developers who want to test the integration.

For teams considering SDFT, the practical tradeoffs come down to model size and compute. The technique requires models with strong enough in-context learning to act as their own teachers — currently around 4 billion parameters with newer architectures like Qwen 3, though Shenfeld expects 1 billion-parameter models to work soon. It demands roughly 2.5 times the compute of standard fine-tuning, but is best suited for organizations that need a single model to accumulate multiple skills over time, particularly in domains where defining a reward function for reinforcement learning is difficult or impossible.

While effective, the method does come with computational tradeoffs. SDFT is approximately four times slower and requires 2.5 times more computational power (FLOPs) than standard fine-tuning because the model must actively generate its own answers (“rollouts”) during training to compare against the teacher. However, the researchers note that because the model retains knowledge better, organizations may avoid the costly multi-stage retraining processes often required to repair models that suffer from catastrophic forgetting.

The technique also relies on the underlying model being large enough to benefit from in-context learning. The paper notes that smaller models (e.g., 3 billion parameters) initially struggled because they lacked the “intelligence” to act as their own teachers.

However, Shenfeld said that the rapid improvement of small models is changing this dynamic. “The Qwen 2.5 3B models were too weak, but in some experiments we currently do, we found that the Qwen 3 4B model is strong enough,” he said. “I see a future where even 1B models have good enough ICL capabilities to support SDFT.”

Ultimately, the goal is to move beyond static snapshots toward systems that improve through use.

“Lifelong learning, together with the ability to extract learning signal from unstructured user interactions… will bring models that just keep and keep improving with time,” Shenfeld said.

“Think about the fact that already the majority of compute around the world goes into inference instead of training. We have to find ways to harness this compute to improve our models.”

Last May, law enforcement authorities around the world scored a key win when they hobbled the infrastructure of Lumma, an infostealer that infected nearly 395,000 Windows computers over just a two-month span leading up to the international operation. Researchers said Wednesday that Lumma is once again “back at scale” in hard-to-detect attacks that pilfer credentials and sensitive files.

Lumma, also known as Lumma Stealer, first appeared in Russian-speaking cybercrime forums in 2022. Its cloud-based malware-as-a-service model provided a sprawling infrastructure of domains for hosting lure sites offering free cracked software, games, and pirated movies, as well as command-and-control channels and everything else a threat actor needed to run their infostealing enterprise. Within a year, Lumma was selling for as much as $2,500 for premium versions. By the spring of 2024, the FBI counted more than 21,000 listings on crime forums. Last year, Microsoft said Lumma had become the “go-to tool” for multiple crime groups, including Scattered Spider, one of the most prolific groups.

Takedowns are hard

The FBI and an international coalition of its counterparts took action early last year. In May, they said they seized 2,300 domains, command-and-control infrastructure, and crime marketplaces that had enabled the infostealer to thrive. Recently, however, the malware has made a comeback, allowing it to infect a significant number of machines again.

“LummaStealer is back at scale, despite a major 2025 law-enforcement takedown that disrupted thousands of its command-and-control domains,” researchers from security firm Bitdefender wrote. “The operation has rapidly rebuilt its infrastructure and continues to spread worldwide.”

As with Lumma before, the recent surge leans heavily on “ClickFix,” a form of social engineering lure that’s proving to be vexingly effective in causing end users to infect their own machines. Typically, these types of bait come in the form of fake CAPTCHAs that—rather requiring users to click a box or identify objects or letters in a jumbled image—instruct them to copy text and paste it into an interface, a process that takes just seconds. The text comes in the form of malicious commands provided by the fake CAPTCHA. The interface is the Windows terminal. Targets who comply then install loader malware, which in turn installs Lumma.

[Teddy Warner]’s GPenT (Generative Pen-trained Transformer) project is a wall-mounted polargraph that makes plotter art, but there’s a whole lot more going on than one might think. This project was partly born from [Teddy]’s ideas about how to use aspects of machine learning in ways that were really never intended. What resulted is a wall-mounted pen plotter that offers a load of different ‘generators’ — ways to create line art — that range from procedural patterns, to image uploads, to the titular machine learning shenanigans.

Want to see the capabilities for yourself? There’s a publicly accessible version of the plotter interface that lets one play with the different generators. The public instance is not connected to a physical plotter, but one can still generate and preview plots, and download the resulting SVG file or G-code.

Most of the generators do not involve machine learning, but the unusual generative angle is well-represented by two of them: dcode and GPenT.

dcode is a diffusion model that, instead of converting a text prompt into an image, has been trained to convert text directly into G-code. It’s very much a square peg in a round hole. Visually it’s perhaps not the most exciting, but as a concept it’s fascinating.

The titular GPenT works like this: give it a scrap of text inspiration (a seed, if you will), and that becomes a combination of other generators and parameters, machine-selected and stacked with one another to produce a final composition. The results are unique, to say the least.

Once the generators make something, the framed and wall-mounted plotter turns it into physical lines on paper. Watch the system’s first plot happen in the video, embedded below under the page break.

This is a monster of a project representing a custom CNC pen plotter, a frame to hold it, and the whole software pipeline both for the CNC machine as well as generating what it plots. Of course, the journey involved a few false starts and dead ends, but they’re all pretty interesting. The plotter’s GitHub repository combined with [Teddy]’s write up has all the details one may need.

It’s also one of those years-in-the-making projects that ultimately got finished and, we think, doing so led to a bit of a sigh of relief on [Teddy]’s part. Most of us have unfinished projects, and if you have one that’s being a bit of a drag, we’d like to remind you that you don’t necessarily have to finish-finish a project to get it off your plate. We have some solid advice on how to (productively) let go.

Chinese AI startup Zhupai aka z.ai is back this week with an eye-popping new frontier large language model: GLM-5.

The latest in z.ai’s ongoing and continually impressive GLM series, it retains an open source MIT License — perfect for enterprise deployment – and, in one of several notable achievements, achieves a record-low hallucination rate on the independent Artificial Analysis Intelligence Index v4.0.

With a score of -1 on the AA-Omniscience Index—representing a massive 35-point improvement over its predecessor—GLM-5 now leads the entire AI industry, including U.S. competitors like Google, OpenAI and Anthropic, in knowledge reliability by knowing when to abstain rather than fabricate information.

Beyond its reasoning prowess, GLM-5 is built for high-utility knowledge work. It features native “Agent Mode” capabilities that allow it to turn raw prompts or source materials directly into professional office documents, including ready-to-use .docx, .pdf, and .xlsx files.

Whether generating detailed financial reports, high school sponsorship proposals, or complex spreadsheets, GLM-5 delivers results in real-world formats that integrate directly into enterprise workflows.

It is also disruptively priced at roughly $0.80 per million input tokens and $2.56 per million output tokens, approximately 6x cheaper than proprietary competitors like Claude Opus 4.6, making state-of-the-art agentic engineering more cost-effective than ever before. Here’s what else enterprise decision makers should know about the model and its training.

Technology: scaling for agentic efficiency

At the heart of GLM-5 is a massive leap in raw parameters. The model scales from the 355B parameters of GLM-4.5 to a staggering 744B parameters, with 40B active per token in its Mixture-of-Experts (MoE) architecture. This growth is supported by an increase in pre-training data to 28.5T tokens.

To address training inefficiencies at this magnitude, Zai developed “slime,” a novel asynchronous reinforcement learning (RL) infrastructure.

Traditional RL often suffers from “long-tail” bottlenecks; Slime breaks this lockstep by allowing trajectories to be generated independently, enabling the fine-grained iterations necessary for complex agentic behavior.

By integrating system-level optimizations like Active Partial Rollouts (APRIL), slime addresses the generation bottlenecks that typically consume over 90% of RL training time, significantly accelerating the iteration cycle for complex agentic tasks.

The framework’s design is centered on a tripartite modular system: a high-performance training module powered by Megatron-LM, a rollout module utilizing SGLang and custom routers for high-throughput data generation, and a centralized Data Buffer that manages prompt initialization and rollout storage.

By enabling adaptive verifiable environments and multi-turn compilation feedback loops, slime provides the robust, high-throughput foundation required to transition AI from simple chat interactions toward rigorous, long-horizon systems engineering.

To keep deployment manageable, GLM-5 integrates DeepSeek Sparse Attention (DSA), preserving a 200K context capacity while drastically reducing costs.

End-to-end knowledge work

Zai is framing GLM-5 as an “office” tool for the AGI era. While previous models focused on snippets, GLM-5 is built to deliver ready-to-use documents.

It can autonomously transform prompts into formatted .docx, .pdf, and .xlsx files—ranging from financial reports to sponsorship proposals.

In practice, this means the model can decompose high-level goals into actionable subtasks and perform “Agentic Engineering,” where humans define quality gates while the AI handles execution.

High performance

GLM-5’s benchmarks make it the new most powerful open source model in the world, according to Artificial Analysis, surpassing Chinese rival Moonshot’s new Kimi K2.5 released just two weeks ago, showing that Chinese AI companies are nearly caught up with far better resourced proprietary Western rivals.

According to z.ai’s own materials shared today, GLM-5 ranks near state-of-the-art on several key benchmarks:

SWE-bench Verified: GLM-5 achieved a score of 77.8, outperforming Gemini 3 Pro (76.2) and approaching Claude Opus 4.6 (80.9).

Vending Bench 2: In a simulation of running a business, GLM-5 ranked #1 among open-source models with a final balance of $4,432.12.

Beyond performance, GLM-5 is aggressively undercutting the market. Live on OpenRouter as of February 11, 2026, it is priced at approximately $0.80–$1.00 per million input tokens and $2.56–$3.20 per million output tokens. It falls in the mid-range compared to other leading LLMs, but based on its top-tier bechmarking performance, it’s what one might call a “steal.”

This is roughly 6x cheaper on input and nearly 10x cheaper on output than Claude Opus 4.6 ($5/$25). This release confirms rumors that Zhipu AI was behind “Pony Alpha,” a stealth model that previously crushed coding benchmarks on OpenRouter.

However, despite the high benchmarks and low cost, not all early users are enthusiastic about the model, noting its high performance doesn’t tell the whole story.

Lukas Petersson, co-founder of the safety-focused autonomous AI protocol startup Andon Labs, remarked on X: “After hours of reading GLM-5 traces: an incredibly effective model, but far less situationally aware. Achieves goals via aggressive tactics but doesn’t reason about its situation or leverage experience. This is scary. This is how you get a paperclip maximizer.”

The “paperclip maximizer” refers to a hypothetical situation described by Oxford philosopher Nick Bostrom back in 2003, in which an AI or other autonomous creation accidentally leads to an apocalyptic scenario or human extinction by following a seemingly benign instruction — like maximizing the number of paperclips produced — to an extreme degree, redirecting all resources necessary for human (or other life) or otherwise making life impossible through its commitment to fulfilling the seemingly benign objective.

Should your enterprise adopt GLM-5?

Enterprises seeking to escape vendor lock-in will find GLM-5’s MIT License and open-weights availability a significant strategic advantage. Unlike closed-source competitors that keep intelligence behind proprietary walls, GLM-5 allows organizations to host their own frontier-level intelligence.

Adoption is not without friction. The sheer scale of GLM-5—744B parameters—requires a massive hardware floor that may be out of reach for smaller firms without significant cloud or on-premise GPU clusters.

Security leaders must weigh the geopolitical implications of a flagship model from a China-based lab, especially in regulated industries where data residency and provenance are strictly audited.

Furthermore, the shift toward more autonomous AI agents introduces new governance risks. As models move from “chat” to “work,” they begin to operate across apps and files autonomously. Without the robust agent-specific permissions and human-in-the-loop quality gates established by enterprise data leaders, the risk of autonomous error increases exponentially.

Ultimately, GLM-5 is a “buy” for organizations that have outgrown simple copilots and are ready to build a truly autonomous office.

It is for engineers who need to refactor a legacy backend or requires a “self-healing” pipeline that doesn’t sleep.

While Western labs continue to optimize for “Thinking” and reasoning depth, Zai is optimizing for execution and scale.

Enterprises that adopt GLM-5 today are not just buying a cheaper model; they are betting on a future where the most valuable AI is the one that can finish the project without being asked twice.