AI-Enabled Attack Patterns: What SaaS Companies Need to Know from Google's Q4 2025 Threat Report

Google's Threat Intelligence Group identified three emerging AI attack patterns in Q4 2025: distillation attacks, AI-powered malware, and nation-state AI integration. Here's what SaaS companies need to understand and how to defend against these evolving threats.


Key Takeaways

  • Distillation attacks use 100,000+ prompts to extract AI model capabilities, a form of IP theft relevant to any SaaS company building AI features
  • HonestCue, a proof-of-concept malware framework, uses the Gemini API to generate attack code in real-time, evading static detection
  • Nation-state actors from DPRK, China, Iran, and Russia are operationalizing AI across the full attack lifecycle
  • AI-augmented phishing enables attackers to craft convincing messages in multiple languages with faster victim profiling
  • Compliance frameworks like SOC 2 and ISO 27001 provide structured defenses against these emerging threats

In February 2026, Google's Threat Intelligence Group (GTIG) released their Q4 2025 AI Threat Tracker report, documenting how adversaries are weaponizing artificial intelligence. The report identifies three distinct patterns: distillation attacks targeting AI intellectual property, experimental AI-powered malware, and the continued integration of AI tools by nation-state actors.

For CTOs and CISOs at B2B SaaS companies, this report matters. Whether you're building AI features into your product or simply defending against AI-augmented attacks, the threat landscape has shifted. Here's what you need to know.

Pattern 1: Distillation Attacks (Model Extraction)

Distillation attacks, also called model extraction, involve systematically querying a commercial AI model to replicate its capabilities. The goal is intellectual property theft that bypasses the significant investment required to develop advanced AI models from scratch.

GTIG documented a campaign targeting Gemini's reasoning abilities using over 100,000 prompts designed to coerce the model into outputting its full reasoning processes. The attackers weren't looking for a single answer. They were building a dataset to train their own model, effectively stealing years of R&D at API query costs.

A separate proof-of-concept by security firm Praetorian showed behavioral cloning reaching 80.1% accuracy against the target model from just 1,000 queries, with the surrogate trained for 20 epochs. The barrier to model theft through API interactions is lower than many companies realize.

Why This Matters for SaaS Companies

If your product includes AI features, especially proprietary models or fine-tuned capabilities, distillation attacks represent a direct threat to your competitive advantage. Competitors or threat actors can query your API, extract your model's behavior, and replicate it without your knowledge.

The indicators to watch for include:

  • Unusual patterns of API queries that appear designed to explore model boundaries
  • High-volume requests from single sources probing edge cases
  • Systematic queries across non-English languages (a pattern GTIG observed targeting Gemini)

Rate limiting alone won't stop a patient extractor: the queries can be spread across keys, accounts and days, and a legitimate chat product generates just as much volume. You need behavioral analysis that looks at what is being asked (prompt novelty, systematic coverage of the model's capabilities, prompts that demand the full reasoning trace, probing across languages), not just how much.

Pattern 2: AI-Powered Malware (HonestCue Framework)

GTIG's report documents HonestCue, a proof-of-concept malware framework first observed in September 2025. This represents a significant evolution in malware design: using AI to generate attack code dynamically, making traditional signature-based detection ineffective.

Here's how HonestCue works:

  1. The initial dropper calls the Gemini API with a prompt requesting C# source code for "stage two" functionality
  2. Gemini returns generated code tailored to the specific attack objective
  3. The malware compiles that source at runtime with .NET's CSharpCodeProvider and loads the resulting assembly into its own process
  4. The payload runs from memory; the final stage is never written to disk as a persistent file

This "fileless" approach undermines both network-based detection (the traffic is ordinary HTTPS to a legitimate API host) and static analysis (the malicious code doesn't exist until runtime, and each execution can produce slightly different code, so there is no stable signature to match). It is not artifact-free, though. The dropper has to carry an API key, which is an attributable, revocable credential. And on .NET Framework, CSharpCodeProvider does not compile purely in memory: it writes the source and a response file to the user's temp directory and spawns csc.exe to build the assembly, deleting the temporary files afterwards. A non-developer process spawning csc.exe, and short-lived .cs and .cmdline files in %TEMP%, are therefore observable even when the payload itself never persists.

What This Means for Detection

The GTIG report notes that while HonestCue is still experimental and hasn't achieved breakthrough capabilities, it represents the direction of future threats. AI enables a multi-layered obfuscation approach that traditional security tools aren't designed to handle.

For SaaS companies, this has two implications:

  1. Endpoint protection must evolve beyond signature-based detection to behavioral analysis that identifies malicious patterns regardless of code variation
  2. API traffic monitoring should flag unexpected calls to generative AI services, especially from processes that shouldn't need AI capabilities

Pattern 3: Nation-State AI Integration

The most extensive section of GTIG's report covers how state-sponsored actors are operationalizing AI across the attack lifecycle. This isn't theoretical. GTIG observed direct links between threat actor misuse of Gemini and activity in the wild during Q4 2025.

DPRK (North Korea)

UNC2970 uses Gemini to synthesize open-source intelligence and profile targets. Their focus: mapping technical job roles and salary information at defense firms to enable phishing operations under false recruiter personas. This is intelligence preparation for social engineering at scale.

China

Multiple Chinese APT groups are leveraging AI differently:

  • APT31 (Judgment Panda) automates vulnerability analysis and generates targeted testing plans by impersonating security researchers
  • APT41 extracts technical documentation and debugs exploit code using AI assistance
  • TEMP.Hex (Mustang Panda) compiles dossiers on individuals, particularly in Pakistan, and gathers data on separatist organizations
  • UNC795 troubleshoots code and develops web shells and PHP server scanners

Iran

APT42 demonstrates perhaps the most diverse AI usage: crafting social engineering personas, developing Python-based map scrapers, creating SIM management systems in Rust, and researching WinRAR exploit proofs-of-concept. This group uses AI as a productivity multiplier across reconnaissance, development, and operations.

The Productivity Multiplier Effect

The key insight from GTIG's report isn't that AI enables fundamentally new attack types. Rather, it's that AI accelerates existing techniques and lowers barriers. An adversary who previously needed language expertise to craft convincing spearphishing in French, Japanese, or Arabic can now operate in any language. Research that took days now takes hours.

Steve Miller from GTIG emphasized that defenders must "make similar investments in AI, and build towards AI-enabled defensive capabilities that can operate at machine speed."

AI-Augmented Phishing: The Immediate Threat

For most SaaS companies, the most immediate concern from this report is AI-augmented phishing. Nation-state groups are already using AI to:

  • Generate contextually appropriate phishing messages in multiple languages
  • Profile targets faster using synthesized open-source intelligence
  • Craft more convincing pretexts based on specific organizational roles and relationships

Traditional security awareness training assumed attackers would make mistakes: grammatical errors, contextual inconsistencies, generic approaches. AI eliminates these tells. Your team needs to be trained to recognize phishing based on behavioral indicators (unexpected requests, urgency tactics, unusual channels) rather than quality indicators that AI now matches.

Practical Defense Strategies for SaaS Companies

Understanding these threats is step one. Here's how to defend against them:

1. Protect Your AI Assets from Extraction

If you're building AI features:

  • Implement query pattern detection that identifies extraction attempts (high prompt novelty, systematic coverage of capabilities, prompts demanding the reasoning trace, multi-language probing), not just rate limiting
  • Return only what the feature needs: don't expose raw reasoning traces, token probabilities or unnecessarily verbose output when the product doesn't require them, since every extra bit per response lowers the cost of extraction
  • Consider output watermarking; it helps attribute a distilled copy after the fact but does not prevent the extraction
  • Log prompts and usage per API key and per tenant, and analyze them over windows long enough to catch slow, spread-out campaigns
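As an added example (not from the GTIG report or from any vendor product), the following Python scores each API key on the indicators from the distillation section and the list above: prompt novelty, share of prompts that coerce the reasoning trace, number of writing systems probed, and volume. The log tuple shape, the thresholds, the marker phrases and the three tenants' traffic are assumptions constructed for the demo; tune them against your own baseline before relying on them.

```python
"""Heuristic detector for model-extraction (distillation) traffic in API logs.

Added example, not code from GTIG's report or any product. The (api_key, prompt)
log shape, the thresholds, the marker phrases and the sample tenants are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import unicodedata

# Phrases that ask the model to emit its full reasoning trace. Assumption: a real
# deployment maintains this list per supported language.
REASONING_MARKERS = ("step by step", "show your reasoning", "chain of thought",
                     "покажи ход рассуждений", "逐步推理")

# Assumed thresholds for one analysis window (e.g. one hour per API key).
MIN_REQUESTS = 100       # volume alone is a weak signal (see cust-C below)
NOVELTY_RATIO = 0.9      # distinct prompts / requests
REASONING_RATIO = 0.5    # share of prompts demanding the reasoning trace
MIN_SCRIPTS = 3          # distinct writing systems probed
FLAG_SCORE = 3           # number of rules that must trip to raise an alert


def script_of(text: str) -> str:
    """Coarse language proxy: the dominant Unicode script among the letters."""
    counts = Counter()
    for ch in text:
        if ch.isalpha():
            counts[unicodedata.name(ch, "?").split(" ")[0]] += 1  # LATIN, CYRILLIC, CJK, ...
    return counts.most_common(1)[0][0] if counts else "NONE"


@dataclass
class KeyProfile:
    key: str
    requests: int
    novelty: float    # distinct prompts / requests; extractors rarely repeat a prompt
    reasoning: float  # share of prompts that ask for the full reasoning trace
    scripts: int      # distinct writing systems seen

    def score(self) -> int:
        rules = (self.requests >= MIN_REQUESTS, self.novelty >= NOVELTY_RATIO,
                 self.reasoning >= REASONING_RATIO, self.scripts >= MIN_SCRIPTS)
        return sum(rules)


def profile_keys(records):
    """records: iterable of (api_key, prompt). Returns {api_key: KeyProfile}."""
    by_key = defaultdict(list)
    for key, prompt in records:
        by_key[key].append(prompt)
    profiles = {}
    for key, prompts in by_key.items():
        n = len(prompts)
        lowered = [p.lower() for p in prompts]
        profiles[key] = KeyProfile(
            key=key,
            requests=n,
            novelty=len(set(lowered)) / n,
            reasoning=sum(any(m in p for m in REASONING_MARKERS) for p in lowered) / n,
            scripts=len({script_of(p) for p in prompts}),
        )
    return profiles


def flagged_keys(records):
    """API keys whose window profile trips at least FLAG_SCORE rules."""
    return sorted(k for k, p in profile_keys(records).items() if p.score() >= FLAG_SCORE)


def build_sample_records():
    """Constructed traffic for three tenants; not real logs."""
    records = []
    # cust-A: a support-ticket summarizer, high volume but five repeated templates.
    issues = ["login loop", "invoice missing", "2fa reset", "export stuck", "seat limit"]
    for i in range(200):
        records.append(("cust-A", f"Summarize this support ticket: customer reports {issues[i % 5]}"))
    # cust-B: distillation-style probing: every prompt unique, three scripts,
    # every prompt coercing the full reasoning trace.
    for i in range(200):
        h, km = i % 12, i * 7
        prompt = [
            f"Problem {i}: a train leaves at {h} o'clock and travels {km} km; show your reasoning step by step.",
            f"Задача {i}: поезд выезжает в {h} часов и проезжает {km} км; покажи ход рассуждений.",
            f"问题{i}：火车在{h}点出发，行驶了{km}公里；请逐步推理。",
        ][i % 3]
        records.append(("cust-B", prompt))
    # cust-C: a chat product with many distinct user questions but no extraction traits.
    for i in range(150):
        records.append(("cust-C", f"User question {i}: how do I reset the password on device {i}?"))
    return records


if __name__ == "__main__":
    for key, prof in profile_keys(build_sample_records()).items():
        print(f"{key}: score={prof.score()} novelty={prof.novelty:.2f} "
              f"reasoning={prof.reasoning:.2f} scripts={prof.scripts}")
    print("flagged:", flagged_keys(build_sample_records()))
```

The cust-C tenant is the caveat from the distillation section in code form: a chat product also produces high volume and near-total prompt novelty, so a detector that only counts requests, or only counts unique prompts, would page on legitimate customers. It is the combination with reasoning-trace coercion and multi-script probing that separates cust-B.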

2. Update Your Detection Stack for AI-Generated Attacks

  • Deploy behavioral endpoint detection that keys on what a process does (network destinations, child processes, in-memory assembly loads) rather than on code signatures
  • Monitor for unexpected AI API calls from processes that shouldn't need generative capabilities, and treat the API key such malware has to carry as an indicator to report and revoke
  • Collect process-creation and module-load telemetry so that "in-memory" compilation (a non-developer process spawning csc.exe against files in %TEMP%) and reflective assembly loads are visible
  • Ensure your SOC team understands AI-enabled attack patterns
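As an added example of the two detection implications (the HonestCue walkthrough and the list above), here is a correlation over constructed endpoint telemetry. It is not code from GTIG or from HonestCue: it links an outbound connection to a hosted AI API from a process that is not an expected client with the same process spawning csc.exe shortly afterwards, which is the compile step behind CSharpCodeProvider on .NET Framework. The API hostnames are the real public endpoints; the Event layout, the allowlists, the window and the sample events are assumptions.

```python
"""Correlate 'unexpected AI API call' with 'non-developer process spawns csc.exe'.

Added example, not code from GTIG's report or from HonestCue. The Event shape,
allowlists, window and the sample telemetry are assumptions/constructed data.
"""
from dataclasses import dataclass
import ntpath  # handles Windows paths regardless of the analysis host's OS

# Public API hosts of hosted generative-AI services.
AI_API_HOSTS = {"generativelanguage.googleapis.com", "api.openai.com", "api.anthropic.com"}
# Processes expected to talk to those hosts in this (assumed) environment.
EXPECTED_AI_CLIENTS = {"assistant.exe", "chrome.exe", "msedge.exe", "python.exe"}
# Compilers that CodeDOM / CSharpCodeProvider launches behind "in-memory" compilation.
COMPILER_IMAGES = {"csc.exe", "vbc.exe"}
# Parents that legitimately spawn a compiler on a workstation (assumed list).
DEV_TOOL_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "code.exe"}
WINDOW_S = 300  # max seconds between the API call and the compile for the pair to be linked


@dataclass
class Event:
    ts: float
    host: str
    pid: int
    image: str             # process performing the action
    kind: str              # "net_connect" or "proc_create"
    dest: str = ""         # net_connect: destination hostname
    child_image: str = ""  # proc_create: image of the new process
    child_cmdline: str = ""  # proc_create: command line (kept as evidence for the analyst)


def correlate(events, window_s=WINDOW_S):
    """Return (rule, host, image) alerts in time order.

    'ai_fetch_then_compile' is the high-value rule: the same process fetched from an
    AI API and then spawned a compiler within the window. The two weaker rules fire
    on either half alone.
    """
    alerts = []
    recent_ai_calls = {}  # (host, pid) -> timestamp of the last AI API connection
    for e in sorted(events, key=lambda x: x.ts):
        image = ntpath.basename(e.image).lower()
        if e.kind == "net_connect" and e.dest.lower() in AI_API_HOSTS:
            recent_ai_calls[(e.host, e.pid)] = e.ts
            if image not in EXPECTED_AI_CLIENTS:
                alerts.append(("unexpected_ai_api_call", e.host, image))
        elif e.kind == "proc_create" and ntpath.basename(e.child_image).lower() in COMPILER_IMAGES:
            if image in DEV_TOOL_PARENTS:
                continue  # IDE or build tool compiling a project
            last = recent_ai_calls.get((e.host, e.pid))
            if last is not None and e.ts - last <= window_s:
                alerts.append(("ai_fetch_then_compile", e.host, image))
            else:
                alerts.append(("unexpected_compiler_spawn", e.host, image))
    return alerts


def build_sample_events():
    """Constructed telemetry with Sysmon-like semantics; not real logs."""
    upd = r"C:\Users\jdoe\AppData\Roaming\updater.exe"
    csc = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
    return [
        # ws01: a binary in a user profile reaches the Gemini API, then three seconds
        # later spawns csc.exe with a response file in %TEMP%, the shape CodeDOM uses.
        Event(100.0, "ws01", 4120, upd, "net_connect", dest="generativelanguage.googleapis.com"),
        Event(103.0, "ws01", 4120, upd, "proc_create", child_image=csc,
              child_cmdline=r'/noconfig /fullpaths @"C:\Users\jdoe\AppData\Local\Temp\k2x1.cmdline"'),
        # ws02: the company's own assistant client uses the same API; expected, no alert.
        Event(120.0, "ws02", 7788, r"C:\Program Files\Acme\assistant.exe", "net_connect",
              dest="generativelanguage.googleapis.com"),
        # ws03: a developer's IDE compiling a project; no alert.
        Event(130.0, "ws03", 2210, r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
              "proc_create", child_image=csc, child_cmdline=r'/noconfig /fullpaths @"C:\proj\obj\x.cmdline"'),
        # ws04: a script host compiles with no prior AI call; worth a look, lower priority.
        Event(140.0, "ws04", 3001, r"C:\Windows\System32\wscript.exe", "proc_create", child_image=csc),
    ]


if __name__ == "__main__":
    for rule, host, image in correlate(build_sample_events()):
        print(f"{rule:26} {host:6} {image}")
```

The network half on its own is weak: browsers and sanctioned tools hit these hosts all day, which is why the expected-client list exists and why the linked pair, not the connection, carries the severity. The response-file path in `child_cmdline` is what an analyst would pull next, together with the API key the dropper must embed to authenticate.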

3. Modernize Phishing Defenses

  • Update security awareness training to focus on behavioral indicators rather than quality tells
  • Implement verified communication channels for sensitive requests (financial transfers, credential changes)
  • Deploy AI-powered email security that can compete with AI-generated attacks
  • Establish out-of-band verification procedures for any unusual requests

4. Leverage Compliance Frameworks Strategically

This is where SOC 2 and ISO 27001 frameworks provide structure. These aren't just checkbox exercises. They encode security practices that directly counter the threats in this report:

  • Access controls (SOC 2 CC6.1; ISO 27001 Annex A.9 in the 2013 edition, A.5.15–A.5.18 in the 2022 edition) limit the blast radius when AI-augmented phishing succeeds
  • Security monitoring (SOC 2 CC7.2; ISO 27001 A.12.4 in 2013, A.8.15–A.8.16 in 2022) is where the logging and anomaly detection for extraction attempts and unexpected AI API calls live
  • Incident response (SOC 2 CC7.3–CC7.4; ISO 27001 A.16 in 2013, A.5.24–A.5.28 in 2022) ensures you can react at the speed AI-enabled attackers operate
  • Vendor management (SOC 2 CC9.2; ISO 27001 A.15 in 2013, A.5.19–A.5.22 in 2022) extends these protections to your supply chain

The difference between organizations that handle these emerging threats and those that don't often comes down to whether they have systematically implemented these controls or left security as an afterthought.

5. Build AI-Enabled Defenses

GTIG's recommendation is clear: defenders need to match attacker investments in AI. This means:

  • AI-powered threat detection that can identify patterns across large datasets
  • Automated response capabilities that operate at machine speed
  • Behavioral baselines that flag deviations indicating compromise
  • Continuous monitoring rather than periodic assessments

The Bottom Line

Google's Q4 2025 report documents a shift that's already happening. AI hasn't created fundamentally new attack types, but it has accelerated existing techniques and lowered barriers. Adversaries are more productive. Attacks are harder to detect. Traditional security assumptions no longer hold.

For SaaS companies, this means:

  1. If you're building AI features, protect them from extraction attacks
  2. If you're defending against attacks, update your detection capabilities for AI-generated threats
  3. Either way, modernize phishing defenses and implement structured security frameworks

The organizations that respond proactively to these shifts will be better positioned than those who wait for the threats to become undeniable. The GTIG report provides the evidence. The question is what you do with it.


Frequently Asked Questions

Distillation attacks, also called model extraction, involve systematically querying AI models to replicate their capabilities. Attackers use large numbers of carefully crafted prompts to extract model behavior, then train their own models on the responses. This enables IP theft at API query costs.

HonestCue is a proof-of-concept malware framework identified by Google's Threat Intelligence Group in Q4 2025. It uses the Gemini API to generate C# code for second-stage malware, then compiles it with .NET's CSharpCodeProvider and executes the payload from memory without writing the final stage to disk as a persistent file.

According to Google's GTIG report, threat actors from North Korea (DPRK), China, Iran, and Russia are operationalizing AI for reconnaissance, target profiling, social engineering, vulnerability research, and malware development.

AI eliminates traditional phishing tells like grammatical errors and generic approaches. Attackers can now generate contextually appropriate messages in any language, profile targets faster using synthesized intelligence, and craft convincing pretexts specific to individual targets.

These frameworks encode structured security practices including access controls, security monitoring, incident response, and vendor management. When properly implemented, they provide the foundation to detect anomalous patterns, limit blast radius when attacks succeed, and respond at the speed AI-enabled attackers operate.


Bastion helps SaaS companies build security practices that address emerging threats. Our managed compliance services for SOC 2 and ISO 27001 ensure your security controls keep pace with the evolving threat landscape. Get started with Bastion →
