Threat Actors Now Delegate Cyber Operations To Gemini CLI

For years, the cybersecurity industry has debated whether artificial intelligence would fundamentally change offensive cyber operations or simply make existing attackers more productive. Early evidence suggested the latter. Large language models accelerated research, generated scripts, translated phishing emails, and simplified malware development, but human operators still directed every significant stage of an attack.

Threat Actors Now Delegate Cyber Operations To Gemini CLI

Recent research from Trend Micro, however, suggests that this assumption is rapidly becoming outdated. Instead of merely assisting attackers, AI agents are beginning to execute meaningful portions of cyber operations with minimal supervision. The distinction is subtle but significant. The emerging threat is no longer AI-enhanced malware; it is AI-directed operations.

The latest investigation into Google's Gemini CLI demonstrates that cybercriminals are increasingly treating agentic AI as an operational teammate capable of planning, deploying, troubleshooting, and managing malicious infrastructure. The implications extend well beyond a single botnet or threat actor. They signal the beginning of a new phase of cybercrime, in which attackers delegate increasingly complex tasks to autonomous systems.

Gemini CLI is an open-source command-line interface that lets developers interact naturally with Google's AI models. Like many modern agentic AI tools, it can write code, troubleshoot applications, automate workflows, and interact with cloud infrastructure.

Trend Micro researchers discovered that a Russian-speaking threat actor known as "bandcampro" repurposed these capabilities to support a live command-and-control (C2) infrastructure. Rather than manually configuring servers or writing deployment scripts, the operator instructed Gemini CLI in natural language, while the AI handled much of the technical implementation.

Analysis of more than 200 recorded Gemini CLI sessions revealed an attacker who increasingly relied on AI throughout the attack lifecycle. The AI prepared deployment packages, configured infrastructure, generated code, diagnosed configuration problems, and even recommended improvements when operational issues emerged. The operator acted primarily as a supervisor rather than a hands-on engineer.

Perhaps the most striking example involved a complete migration of the attacker's command-and-control environment.
Following a simple instruction to study the migration guide, Gemini CLI processed the documentation, generated the necessary code, deployed a virtual private server, configured Cloudflare tunnels, and launched the replacement C2 infrastructure.

When infected systems initially failed to reconnect, the AI analyzed the problem, identified conflicting traffic between the old and new servers, and suggested corrective action. Once the original infrastructure was shut down, the compromised machines successfully connected to the new environment.

According to Trend Micro, the entire migration required approximately six minutes. For defenders accustomed to attackers spending hours or days rebuilding infrastructure after disruption, this level of automation means less time to detect, contain, and respond. The importance of this research lies less in the sophistication of the malware and more in the changing relationship between humans and AI.

Trend Micro noted that the malware itself remained relatively unsophisticated. It relied on straightforward PowerShell agents, simple persistence mechanisms, and an in-memory Python HTTP server without advanced evasion or obfuscation techniques. The innovation was not technical complexity but operational efficiency.

Instead of investing expertise in infrastructure management, debugging, and repetitive administration, the threat actor outsourced these activities to an AI system. This represents an evolution from automation toward delegation.

Traditional automation executes predefined scripts. Agentic AI interprets objectives, determines implementation steps, adapts to unexpected problems, and continues working until objectives are achieved. The human specifies the destination while the AI determines much of the route.

Lowering the Barrier Without Lowering the Threat

Cybersecurity discussions often focus on whether AI enables less skilled attackers. This incident suggests a more nuanced reality. Rather than creating entirely new attack techniques, AI dramatically reduces the amount of technical knowledge required to execute established ones. Infrastructure deployment, scripting, troubleshooting, documentation review, and operational maintenance have historically consumed significant time for attackers. Agentic AI compresses these activities into conversational prompts.

The result is not necessarily more sophisticated malware. Instead, organizations may face larger numbers of attackers operating more efficiently, forcing defenders to monitor more activity and respond faster.

An individual who previously struggled with server configuration or scripting can increasingly rely on AI to bridge those knowledge gaps. Experienced operators similarly gain productivity advantages by eliminating routine engineering work.

In both cases, defenders face faster and more persistent adversaries, increasing the strain on detection, containment, and recovery.

Historically, attackers progressed through multiple operational phases:

  • Research and planning
  • Infrastructure deployment
  • Malware customization
  • Troubleshooting
  • Command-and-control management
  • Campaign maintenance

Each stage required specialist knowledge and significant manual effort. Agentic AI is beginning to compress these phases into a continuous workflow where planning, execution, debugging, and optimization occur almost simultaneously.

Trend Micro observed that the threat actor continued to manage the botnet through natural-language conversations with Gemini CLI, requesting information about online systems, generating infection links, listing files on compromised hosts, and administering the environment in a conversational manner.

The interaction increasingly resembled a manager directing a technical employee rather than a hacker writing commands.
This evolution changes assumptions about attacker speed.

Infrastructure that once required hours to deploy may now appear in minutes. Configuration mistakes that previously interrupted campaigns may now be automatically corrected. Knowledge once acquired through years of experience becomes available through conversational AI, leaving defenders less time to react.

Importantly, the research does not suggest that Gemini willingly enabled unrestricted malicious behavior. Trend Micro documented instances where Gemini refused requests, including one attempt to create a self-propagating "agent-bomb." These refusals demonstrate that safety mechanisms continue to function in certain scenarios.

However, the broader findings also illustrate an important limitation.
Modern AI systems excel at legitimate administrative activities, including infrastructure deployment, scripting, debugging, systems administration, documentation analysis, and workflow automation. These same capabilities naturally overlap with activities performed during cyber intrusions.

As a result, attackers increasingly exploit legitimate functionality rather than attempting to bypass every safeguard directly. The takeaway is broader than prompt safety: when legitimate enterprise AI capabilities are placed in the hands of determined adversaries, they can unintentionally accelerate malicious workflows.

Share:

facebook
X (Twitter)
linkedin
copy link
Karolis Liucveikis

Karolis Liucveikis

Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.

▼ Show Discussion

PCrisk security portal is brought by a company RCS LT.

Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

Donate