A new phishing campaign leveraging Google services has affected more than 100 countries

Previously we highlighted that phishing attacks in 2025 increasingly leveraged unconventional Google services. Its relevance in 2026 was confirmed -> (https://www.group-ib.com/blog/gtfire-phishing-scheme/) by Group‑IB through the GTFire campaign — attackers exploited the following services:

🔥 Firebase Hosting — a free web‑hosting platform used to mass‑deploy phishing pages on random .web.app subdomains. The hosted pages dynamically load content specific to the targeted organization, allowing attackers to use the same template to impersonate multiple brands by simply changing the URL paths to visual assets.

🌐 Google Translate — a translation service used to obfuscate phishing links. Threat actors abuse the webpage translation feature, making the phishing URL appear as .translate.goog. When clicked, the request first passes through Google's infrastructure acting as a proxy, then redirects the victim to a phishing page hosted on Firebase.

In both cases, legitimate domains associated with Google services are used, reducing the likelihood that secure email gateways or URL‑filtering systems will block messages containing such links. But the attackers didn't stop there — their C2 infrastructure relies on publicly available tools and legitimate software, lowering development costs and complicating attribution for researchers.

🚨 Overall, the campaign has spread to at least 115 countries and 1,142 organizations: the actual number of victims may differ due to C2 infrastructure characteristics that hinder attribution.

The use of legitimate services and components by threat actors not only reduces detection likelihood but also cuts infrastructure development costs, allowing them to allocate more resources to scaling attacks. This highlights the need to adapt detection mechanisms to abuse scenarios involving legitimate services and to raise employee awareness: a trusted domain does not always guarantee a safe resource.

#dbugs_analytics