China's APT31 Used Gemini AI and Hexstrike to Automate Vulnerability Analysis Against US Targets

China's APT31 used Google's Gemini AI chatbot combined with the Hexstrike red-teaming framework to automate vulnerability analysis and plan cyberattacks against specific US-based targets, according to Google's latest AI Threat Tracker report.

APT31 — also tracked as Violet Typhoon, Zirconium, and Judgment Panda — is a Beijing-backed threat group sanctioned by the US in March 2024 after criminal charges were filed against seven members for compromising computer networks, email accounts, and cloud storage belonging to high-value targets.

Structured AI-Enabled Reconnaissance

The activity, which occurred in late 2025, showed APT31 adopting a highly structured approach to AI-assisted offensive operations. The group prompted Gemini with an expert cybersecurity persona to automate vulnerability analysis and generate targeted testing plans.

In one case, APT31 integrated Hexstrike — an open-source red-teaming tool built on the Model Context Protocol (MCP) — with Gemini to analyze exploits including remote code execution, WAF bypass techniques, and SQL injection against specific US organizations.

Hexstrike enables AI models to execute over 150 security tools with capabilities spanning network scanning, vulnerability assessment, reconnaissance, and penetration testing. While designed for ethical hackers and bug bounty hunters, threat actors began abusing the platform shortly after its mid-August release.

"This activity explicitly blurs the line between a routine security assessment query and a targeted malicious reconnaissance operation," Google's report stated. Google has since disabled accounts linked to the campaign.

Agentic AI in Offensive Operations

Google TAG chief analyst John Hultquist identified two primary concerns around AI-enabled offensive operations. The first is the ability to automate entire intrusion chains with minimal human intervention — echoing Anthropic's earlier report on Chinese cyberspies using Claude Code to automate attacks against high-profile companies and government organizations.

The second is automating the development of vulnerability exploits, which widens the patch gap — the time between a vulnerability becoming known and organizations deploying fixes.

"These are two ways where adversaries can get major advantages and move through the intrusion cycle with minimal human interference," Hultquist said. "That allows them to move faster than defenders and hit a lot of targets."

AI Model Theft on the Rise

The report also documented a surge in "distillation attacks" — model extraction attempts designed to steal the underlying reasoning and chain-of-thought processes from AI products. Both GTIG and Google DeepMind identified actors globally attempting to extract intellectual property from Google's AI models.

"Your model is really valuable IP, and if you can distill the logic behind it, there's very real potential that you can replicate that technology — which is not inexpensive," Hultquist noted. Google attributed model stealing and capability extraction attempts to both threat actors and private sector companies globally.

Recommendation

Organizations should assume that AI-accelerated exploitation will compress the patch gap significantly. Prioritize rapid patching workflows and consider AI-assisted defensive tooling to respond at machine speed. Monitor for Hexstrike and similar MCP-based red-teaming tools being used against your infrastructure. The trend toward semi-autonomous offensive AI operations means defenders can no longer rely on human-speed response cycles alone.
