How legitimate Google Translate and Firebase domains are used to mask and host malicious webpages | Image: Group-IB
Modern cybercriminals are evolving, increasingly hiding their malicious activities within the very legitimate cloud services that businesses trust every day. A stark example of this evolution is a newly uncovered, massive credential harvesting operation tracked as “GTFire.”
According to a recent threat intelligence report by Group-IB, the GTFire campaign represents a masterclass in abusing trusted infrastructure. By hijacking the pristine reputations of Google Firebase and Google Translate, attackers are successfully slipping past enterprise security filters to harvest credentials from victims across the globe.
To bypass modern email and web security gateways, the GTFire operators have engineered a clever two-step evasion chain.
First, the attackers host their brand-impersonating phishing pages on Google Firebase (web.app), a widely used and highly trusted application development platform. Next, they use Google Translate as an intermediary layer. By wrapping the Firebase URL in a Google Translate link, the malicious URL is disguised. To an automated security scanner—and to the untrained human eye—the link appears completely benign and carries the trusted weight of Google’s reputation.
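As an added illustration, not code from the report or from Group-IB, the following Python check shows how a defender can unwrap Google Translate links found in proxy or email-gateway logs and inspect where they really point, rather than trusting the Google domain on the surface. It assumes the two public Translate link forms (the `translate.google.com/translate?u=` parameter and the `*.translate.goog` proxy hostname, in which the original hostname's dots are encoded as hyphens and its hyphens as double hyphens); the log lines, the `.web.app` destination and the watchlist are constructed for this example and do not come from the report.

```python
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Hosting suffixes worth a second look when they sit behind a Translate wrapper.
# Constructed watchlist for this example; Firebase's web.app is the one named in the article.
WATCHED_HOST_SUFFIXES = (".web.app",)


def _decode_translate_goog_host(host: str) -> str:
    """Reverse the *.translate.goog hostname encoding.

    Translate encodes the original hostname's '.' as '-' and its '-' as '--'.
    Literal hyphens are protected with a placeholder before '-' is turned back into '.'.
    """
    label = host[: -len(".translate.goog")]
    return label.replace("--", "\x00").replace("-", ".").replace("\x00", "-")


def unwrap_translate_url(url: str) -> Optional[str]:
    """Return the destination hidden behind a Google Translate link, or None if the
    URL is not a Translate wrapper at all."""
    p = urlparse(url)
    host = p.hostname or ""
    if host == "translate.google.com":
        # Classic form: https://translate.google.com/translate?sl=auto&tl=en&u=<target>
        # parse_qs already percent-decodes the value.
        return parse_qs(p.query).get("u", [None])[0]
    if host.endswith(".translate.goog"):
        # Proxy form: https://<encoded-target-host>.translate.goog/<path>?_x_tr_sl=...
        original_host = _decode_translate_goog_host(host)
        # Drop the _x_tr_* parameters Translate appends; keep any original query string.
        kept = [kv for kv in p.query.split("&") if kv and not kv.startswith("_x_tr_")]
        query = "&".join(kept)
        return f"https://{original_host}{p.path or '/'}" + (f"?{query}" if query else "")
    return None


def is_suspicious(url: str) -> bool:
    """True when a Translate-wrapped link resolves to a watched hosting platform."""
    inner = unwrap_translate_url(url)
    if inner is None:
        return False
    inner_host = (urlparse(inner).hostname or "").lower()
    return any(inner_host.endswith(sfx) for sfx in WATCHED_HOST_SUFFIXES)


# Constructed sample log lines (not from the report). Format: "<timestamp> <user> <url>"
SAMPLE_LOG = """\
2024-01-01T10:00:01Z alice https://translate.google.com/translate?sl=auto&tl=en&u=https%3A%2F%2Flogin-portal-example.web.app%2Findex.html
2024-01-01T10:00:07Z bob https://login--portal--example-web-app.translate.goog/index.html?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en
2024-01-01T10:00:12Z carol https://translate.google.com/translate?sl=auto&tl=en&u=https%3A%2F%2Fexample.org%2Fdocs
2024-01-01T10:00:20Z dave https://example.org/login
"""


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (user, unwrapped destination) for every log line that trips the check."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the scan
        _, user, url = parts
        if is_suspicious(url):
            hits.append((user, unwrap_translate_url(url)))
    return hits


if __name__ == "__main__":
    for user, dest in scan_log(SAMPLE_LOG):
        print(f"{user}: Translate-wrapped link actually points to {dest}")
```

Running the block over the constructed log flags alice and bob, whose links both resolve to the same `.web.app` page despite looking like ordinary Google URLs, while carol's Translate link to a non-watched site and dave's direct visit are left alone. The same unwrapping step can be fed into URL reputation or sandbox detonation so that the inner destination, not the Translate wrapper, is what gets scored.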
The deception doesn’t stop once the user clicks. After a victim submits their username and password, the GTFire script automatically redirects them to the actual, legitimate website of the targeted organization. This seamless handoff drastically reduces suspicion and delays incident response times, leaving victims completely unaware that they have been compromised.
The report explicitly states, “This campaign is notable not only for its technical sophistication, but also for its scale”.
Investigations into the attackers’ exposed command-and-control (C2) infrastructure revealed thousands of stolen credentials. These compromised accounts belong to more than a thousand organizations, spanning hundreds of industries across more than a hundred countries.
This massive footprint is achieved through rigorous automation. Relying on tools like the LiteSpeed Web Server and “All-in-1” PHP scripts, the threat actors can instantly replicate and deploy new fake login pages across a continuously rotating network of domains. As Group-IB notes, this setup “enables GTFire to instantly replicate and deploy new credential harvesting pages… all while maintaining minimal resource investment”.
Analysis of the C2 servers shows that the harvested credentials are not just dumped into a massive text file; they are meticulously organized and categorized by date, language, and the targeted service or brand.
This backend organization points to a highly professional cybercriminal outfit. According to the report, “This level of organization suggests a mature operational workflow and potential downstream use of the stolen data for account takeover, resale, or secondary fraud campaigns”.
The GTFire phishing scheme is a wake-up call for the cybersecurity industry. As threat actors continue to weaponize platforms like Firebase and Translate, the traditional strategy of simply blocking “known bad” domains is no longer sufficient. When the attack originates from a trusted Google server, perimeter defenses are effectively blind.
The researchers conclude: “The campaign’s longevity and scale highlight the urgent need for defenders to rethink trust models and improve detection strategies around legitimate service abuse”. In an era where hackers use our most trusted tools against us, continuous vigilance and advanced behavioral analysis are our only true lines of defense.