{
	"id": "86a96cb5-e501-472f-a43d-42951867017e",
	"created_at": "2026-04-06T00:06:08.930163Z",
	"updated_at": "2026-04-10T03:27:03.205857Z",
	"deleted_at": null,
	"sha1_hash": "692ac931fa972f59bb225907c236b9eace38ac2b",
	"title": "GTFire Phishing Scheme: Avoiding Detection Using Google Services | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 140127,
	"plain_text": "Vlada Govorova\r\nCERT-GIB Head, Latam\r\nHans Figueroa\r\nSenior CERT Tier 2 Analyst, Latam\r\nGTFire Phishing Scheme: Avoiding Detection Using Google Services\r\nHow GTFire abuses Google Firebase and Google Translate to scale global phishing campaigns\r\nFebruary 26, 2026 · Scam \u0026 Phishing\r\nhttps://www.group-ib.com/blog/gtfire-phishing-scheme/\r\nPage 1 of 23\r\nBrand Abuse Credential Harvesting Google Firebase Phishing Scam Campaigns\r\nThreat Intelligence\r\nIntroduction\r\nOver the past several years, phishing campaigns have evolved beyond simple spoofed emails and low-effort fake login pages. Modern threat actors increasingly rely on legitimate cloud services, trusted domains, and well-known technology platforms to blend malicious activity into normal internet traffic. One such campaign, tracked as GTFire, demonstrates how attackers can systematically abuse Google-owned infrastructure to distribute phishing pages, evade security controls, and harvest credentials from thousands of victims worldwide.\r\nThe GTFire scheme relies heavily on Google Firebase (web.app) for hosting phishing pages and on Google Translate as an intermediary layer that disguises malicious URLs so that they can bypass email and web security filters. By chaining these services together, the attackers create phishing links that appear benign, leverage Google’s reputation, and dynamically redirect victims to brand-impersonating login pages. Once credentials are submitted and harvested, victims are often redirected back to the legitimate website of the targeted organization, reducing suspicion and delaying incident response.\r\nThis campaign is notable not only for its technical sophistication, but also for its scale. Analysis of exposed command-and-control (C2) infrastructure reveals thousands of stolen credentials associated with more than a thousand organizations, spanning over a hundred countries and hundreds of industries. The attackers demonstrate strong operational discipline: reusing phishing templates across brands, enforcing multi-step credential collection, and maintaining centralized servers that store harvested data in an organized manner.\r\nFrom a defensive perspective, GTFire highlights several uncomfortable truths. Trusted services can be weaponized with minimal effort, traditional URL-based detection is insufficient, and brand abuse remains one of the most effective social engineering vectors.\r\nThis blog aims to document the GTFire phishing scheme in detail, outline its modus operandi, map victimology, and provide actionable recommendations for defenders, CERT teams, and law enforcement.\r\nKey Discoveries\r\nGTFire abuses Google Firebase (web.app) to host phishing pages at scale.\r\nGoogle Translate is used as a phishing shield to evade detection and filtering.\r\nOver 120 unique phishing domains and more than 1,000 organizations are observed to be impacted.\r\nRedirection from fake login pages back to legitimate brand sites often leaves victims none the wiser that their credentials have already been stolen.\r\nVictims span 100+ countries and over 200 industries globally.\r\nWho May Find This Blog Interesting\r\nCybersecurity analysts and corporate security teams\r\nMalware analysts\r\nThreat intelligence specialists\r\nCyber investigators\r\nComputer Emergency Response Teams (CERT)\r\nLaw enforcement investigators\r\nCyber police forces\r\nGroup-IB Threat Intelligence Portal: GTFire\r\nGroup-IB customers can access our Threat Intelligence portal for more information about the GTFire threat actor and phishing scheme.\r\nVictimology\r\nCountry (Top 5) | Industries Targeted | Total Victims\r\nMexico | Manufacturing, Education, Government | 385\r\nUnited States | Multiple | 101\r\nSpain | Multiple | 67\r\nIndia | Multiple | 54\r\nArgentina | Multiple | 50\r\nFigure 1. GTFire phishing scheme global victimology.\r\nInfrastructure and Techniques\r\nAbuse of Google Firebase Hosting (web.app)\r\nGTFire relies on Google Firebase’s free and fast hosting infrastructure to deploy phishing pages at scale. The threat actor registers large volumes of randomly generated *.web.app subdomains, allowing rapid rotation of infrastructure and minimizing operational costs. Because Firebase domains are widely trusted and frequently used by legitimate developers, these phishing pages often bypass reputation-based security controls.\r\nFirebase-hosted pages dynamically load brand-specific login templates, displaying logos and visual elements of the targeted organization. The same phishing framework is reused across multiple brands, with only minor changes to URL paths and visual assets, enabling efficient scaling across regions and industries.\r\nDomain Generation Patterns\r\nDespite these characteristics, Firebase domains observed by Group-IB researchers in this campaign follow predictable, high-volume naming patterns, including:\r\nRandomized alphabetic strings of 6-10 characters\r\nAlphanumeric combinations designed to evade simple blocklists\r\nThese patterns enable defenders to build proactive hunting rules rather than relying on static domain lists.\r\nGoogle Translate as a Phishing Shield\r\nA defining feature of the GTFire campaign is the systematic abuse of Google Translate’s website translation functionality. Phishing links are distributed to victims in the form of translate.goog URLs, which act as an intermediary redirect layer between the victim and the malicious Firebase-hosted phishing page.\r\nGoogle Translate – Website Translation Mode\r\nThese links use Google Translate’s website translation feature. Google loads the original website through a translation proxy and dynamically replaces the visible text with the translated version, while preserving the original site structure and navigation. The original website itself is not modified; only the content rendered in the victim’s browser is translated.\r\nThe first screenshot below demonstrates Google Translate’s Websites feature, where a full website URL (in this case, group-ib.com) is submitted for automatic translation into another language (Spanish).\r\nFigure 2. Google Translate “Websites” mode for translating an entire website.\r\nThe second screenshot shows the result, which is the same website rendered through Google Translate’s translation proxy (translate.goog domain), with dynamically translated content displayed in the browser.\r\nFigure 3. Group-IB website displayed via Google Translate proxy, showing the translated version of the original site in the browser.\r\nThis technique provides several advantages to the attacker:\r\nObfuscation of the final phishing destination.\r\nIncreased trust due to the use of Google-owned domains.\r\nReduced likelihood of blocking by email and web gateway security controls.\r\nIn many cases, the underlying Firebase phishing domain becomes visible only after the Google Translate redirect chain is fully resolved, significantly complicating automated detection and analysis.\r\nFigure 4. GTFire infrastructure overview.\r\nThe GTFire campaign leverages a multi-step redirect chain to obscure the final phishing destination and delay exposure of the underlying malicious infrastructure.\r\nVictims are initially presented with a Google Translate URL (translate.goog), which acts as the first redirection layer. This URL forwards the request through Google-owned translation infrastructure before resolving to the final Firebase-hosted phishing page.\r\nDuring this process, the request passes through multiple intermediate URLs, including:\r\nInternationalized Domain Name (IDN) representations encoded in Punycode\r\nGoogle Translate proxy subdomains\r\nDynamically generated path segments\r\nOnly after the full redirect chain is resolved does the browser load the final phishing page hosted on a .web.app domain.\r\nExample Redirect Flow\r\nFigure 5. How legitimate Google Translate and Firebase domains are used to mask and host malicious webpages.\r\nGoogle Translate URL: https://gxvv3mrr1-xn--wtsyr9q6-xn----c1a2cj-xn----p1ai[.]translate.goog/mon9K20E/KvQkJ/Y6U\r\nIntermediate Translated Domain: https://gxvv3mrr1-xn--wtsyr9q6-xn----c1a2cj-xn----p1ai-translate.xn--c1a2cj[.]xn--p1ai/CzP\r\n1. The initial link\r\nVictim clicks a translate.goog URL distributed via phishing messages.\r\n2. Google Translate proxy layer\r\nThe request is processed by Google Translate’s web translation service, which rewrites the URL and forwards the request through Google-controlled infrastructure.\r\n3. Intermediate translated domain\r\nThe browser resolves encoded and translated domain names (including IDN/Punycode variants), further obscuring the true destination.\r\n4. Final destination on Firebase (Primary Request)\r\nThe request ultimately resolves to the phishing page hosted on Firebase (see below). Even at this stage, the Firebase domain only becomes visible in network traffic or browser developer tools, not necessarily in the address bar during earlier steps.\r\nPrimary Request on Firebase: https://it1lhz.web[.]app/host:-%20%20login.:4592?+\u0026_x_tr_sl=pJ\r\nURL Obfuscation and Encoding\r\nThe phishing URLs frequently contain Base64-encoded parameters that embed victim-specific information, such as email addresses, language preferences, and targeted brands. In some cases, parameters are double-encoded to further hinder analysis and signature-based detection.\r\nFigure 6. Double Base64 decoding of the URL parameter:\r\nWTJGc2JDNTJhWEowZFdGc09VQmlZVzV2Y25SbExtTnZiUT09OkI0STNY\r\nCredential Harvesting Workflow\r\nOnce a victim lands on the phishing page, the credential harvesting process follows a consistent and deliberate workflow:\r\n1. The victim enters their username and password.\r\n2. The phishing page displays an “incorrect password” message.\r\n3. Credentials from the first attempt are silently exfiltrated.\r\n4. The victim is prompted to re-enter their password.\r\n5. Credentials from the second attempt are also harvested.\r\n6. The victim is redirected to the legitimate website of the impersonated brand.\r\nThis design increases the attacker’s chances of capturing valid credentials while minimizing user suspicion.\r\nFigure 7. Phishing pages use fake error prompts and retry attempts to hide credential exfiltration in the background.\r\nData Exfiltration\r\nCaptured credentials are transmitted via HTTP GET requests to attacker-controlled command-and-control (C2) servers. Passwords are Base64-encoded and accompanied by metadata such as:\r\nVictim email address\r\nCountry of access\r\nBrowser language\r\nFigure 8. The request with the credentials is sent in the URL parameters: the password encoded in Base64, alongside the country of the visit and the language.\r\nThe primary C2 infrastructure observed by Group-IB researchers in this campaign operates on LiteSpeed Web Server instances, hosting centralized PHP-based collection scripts (e.g., All-in-1.php).\r\nThe operational mechanics of the GTFire threat actor’s web application phishing campaign reveal a reliance on simplicity and automation for maximum scale. Credential exfiltration is achieved through an unsophisticated but effective method. The captured credentials are simply submitted via URL parameters within a standard HTTP GET request. Specifically, the compromised user’s email is transmitted directly, while the corresponding password is first Base64 encoded before being included. This information is bundled with telemetry data, including the geographical country of the victim’s visit (\u003cCOUNTRY\u003e) and the user’s browser language setting (\u003cLANGUAGE\u003e), providing the threat actor with valuable context for post-phishing operations or filtering.\r\nThe structure of the exfiltration request is as follows:\r\nGET /myown/All-in-1.php=user=\u0026pass=\u0026pass2=\u0026visit=\u0026lang= HTTP/1.1\r\nOnce again, the cornerstone of the GTFire campaign’s success is its strategic utilization of readily available tools such as commercialized All-in-1 PHP phishing scripts. This tactical choice dramatically reduces the operational overhead and speeds up the deployment cycle. These pre-packaged scripts are highly efficient, simplifying the creation of sophisticated, convincing phishing pages and automating the critical backend logic required for credential harvesting and exfiltration. This changes an attack that is typically complex, multi-stage, and highly customized per target into a readily available plug-and-play operation.\r\nBy building their infrastructure on common, legitimate software components, such as the ubiquitous PHP scripting language and the high-performance LiteSpeed Web Server, the GTFire actor minimizes the need for specialized custom development and reduces the risk of being associated with maintaining unique, easily fingerprinted infrastructure. This commitment to automation enables GTFire to instantly replicate and deploy new credential harvesting pages across their continually rotating network of domains, all while maintaining minimal resource investment.\r\nCommand-and-Control (C2) Infrastructure\r\nFigure 9. Group-IB graph of observed GTFire network infrastructure.\r\nAnalysis of exposed directories on observed C2 servers reveals structured storage of stolen credentials, organized by:\r\nDate\r\nLanguage\r\nTargeted service or brand\r\nThis level of organization suggests a mature operational workflow and potential downstream use of the stolen data for account takeover, resale, or secondary fraud campaigns.\r\nFigure 10. LiteSpeed Web Server where the harvested credentials and phishing scripts are stored.\r\nConclusion\r\nThe GTFire phishing scheme demonstrates how modern threat actors can effectively weaponize trusted platforms to conduct global, large-scale credential harvesting campaigns. By abusing Google Firebase and Google Translate, GTFire significantly reduces detection rates while maintaining operational efficiency. The observed use of other legitimate services and tools such as LiteSpeed Web Server and All-in-1 PHP scripts further enhances the scalability and rapid deployment capability of this phishing campaign. The campaign’s longevity and scale highlight the urgent need for defenders to rethink trust models and improve detection strategies around legitimate service abuse.\r\nRecommendations\r\nFor Organizations\r\nImplement phishing-resistant MFA\r\nMonitor for brand impersonation on trusted cloud platforms\r\nEducate employees about Google-based phishing techniques\r\nFor Security Teams\r\nCorrelate URL patterns involving translate.goog and web.app\r\nShare IOCs across industry and CERT communities\r\nFrequently Asked Questions (FAQ)\r\nWhat makes GTFire different from typical phishing campaigns?\r\nIts systematic abuse of trusted Google services and global scale.\r\nWhy is Google Translate used in this scheme?\r\nAre only Latin American companies targeted?\r\nHow does redirection to the real brand website reduce suspicion?\r\nGroup-IB Fraud Matrix\r\nIndicators of Compromise (IOCs)\r\nNetwork Indicators\r\njnhwzs[.]fyi\r\ngnpnia[.]lat\r\n*.web.app with Google Translate redirects\r\nFile Indicators\r\nAll-in-1.php credential collection scripts\r\nDISCLAIMER: All technical information, including malware analysis, indicators of compromise and infrastructure details provided in this publication, is shared solely for defensive cybersecurity and research purposes. Group-IB does not endorse or permit any unauthorized or offensive use of the information contained herein. The data and conclusions represent Group-IB’s analytical assessment based on available evidence and are intended to help organizations detect, prevent, and respond to cyber threats.\r\nGroup-IB expressly disclaims liability for any misuse of the information provided. Organizations and readers are encouraged to apply this intelligence responsibly and in compliance with all applicable laws and regulations.\r\nThis blog may reference legitimate third-party services such as Telegram and others, solely to illustrate cases where threat actors have abused or misused these platforms.\r\nThis material is provided for informational purposes, prepared by Group-IB as part of its own analytical investigation, and reflects recently identified threat activity.\r\nAll trademarks referenced herein are the property of their respective owners and are used solely for informational purposes, without any implication of affiliation or sponsorship.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.group-ib.com/blog/gtfire-phishing-scheme/"
	],
	"report_names": [
		"gtfire-phishing-scheme"
	],
	"threat_actors": [
		{
			"id": "3b89aa11-e712-49fd-a6aa-31cbf6587972",
			"created_at": "2026-03-08T02:00:03.47895Z",
			"updated_at": "2026-04-10T02:00:03.985644Z",
			"deleted_at": null,
			"main_name": "GTFire",
			"aliases": [],
			"source_name": "MISPGALAXY:GTFire",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433968,
	"ts_updated_at": 1775791623,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/692ac931fa972f59bb225907c236b9eace38ac2b.pdf",
		"text": "https://archive.orkl.eu/692ac931fa972f59bb225907c236b9eace38ac2b.txt",
		"img": "https://archive.orkl.eu/692ac931fa972f59bb225907c236b9eace38ac2b.jpg"
	}
}