EXECUTIVE SUMMARY
GTFire is a phishing campaign that abuses Google Translate and Firebase to hide malicious pages behind trusted Google domains, bypassing security filters. Victims are redirected to fake login portals where their credentials are stolen, after which they are sent on to legitimate sites to avoid suspicion. The campaign has impacted 1,000+ organizations globally, demonstrating the risks of weaponized cloud infrastructure.
- Active Region: Global
- Affected Sector: Multiple sectors
- Affected Product: Brand login portals impersonated via Google Translate (translate.goog) and Firebase (*.web.app) infrastructure
- Severity: High
- Published Date: March 02, 2026
TECHNICAL DETAILS
- Target: Enterprise and consumer account credentials (e.g., corporate email, SaaS platforms, financial services, government portals), enabling follow-on compromise such as account takeover, business email compromise (BEC), and lateral movement.
- Root Cause: Exploitation of trusted Google-owned domains (translate.goog) as a proxy relay combined with Firebase-hosted phishing pages (*.web.app), allowing attackers to bypass URL-reputation filtering, evade static blocklists, and leverage brand impersonation through reusable phishing templates.
- Prerequisite for Exploitation: The victim must click a phishing link delivered via email or messaging platforms and enter credentials into a spoofed login page;……
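
A detection sketch for the relay pattern named under Root Cause, added here as an example and not taken from the advisory: it decodes `*.translate.goog` hostnames found in proxy or mail-gateway logs back to the origin host and flags those that resolve to `*.web.app`. It assumes the proxy's usual hostname encoding ("." becomes "-", a literal "-" becomes "--"); the hostnames and log lines are constructed.

```python
import re
from urllib.parse import urlsplit

PROXY_SUFFIX = ".translate.goog"
FIREBASE_SUFFIXES = (".web.app",)  # hosting domain named in the advisory
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def decode_translate_host(host):
    """Return the origin hostname behind a *.translate.goog host, else None.

    Assumption: "." is encoded as "-" and "-" as "--". IDN or overlong
    hostnames may be encoded differently and are not handled here.
    """
    host = (host or "").lower().rstrip(".")
    if not host.endswith(PROXY_SUFFIX):
        return None
    label = host[: -len(PROXY_SUFFIX)]
    if not label or "." in label:
        return None
    # Protect escaped hyphens, turn the rest into dots, then restore them.
    return label.replace("--", "\0").replace("-", ".").replace("\0", "-")


def relayed_firebase_origin(url):
    """Return the Firebase origin host if url relays one via translate.goog."""
    origin = decode_translate_host(urlsplit(url).hostname)
    return origin if origin and origin.endswith(FIREBASE_SUFFIXES) else None


def scan(lines):
    """Return (line_number, origin_host, url) for every relayed Firebase URL."""
    return [(n, origin, url)
            for n, line in enumerate(lines, 1)
            for url in URL_RE.findall(line)
            if (origin := relayed_firebase_origin(url))]


# Constructed sample log lines (hostnames are placeholders, not indicators).
SAMPLE_LOG = [
    "2026-03-02T09:14:07Z user=a.lee GET https://en-wikipedia-org.translate.goog/wiki/Phishing?_x_tr_sl=en&_x_tr_tl=fr 200",
    "2026-03-02T09:15:41Z user=a.lee GET https://example--login--portal-web-app.translate.goog/index.html?_x_tr_sl=auto&_x_tr_tl=en 200",
    "2026-03-02T09:16:02Z user=b.cho GET https://example-login-portal.web.app/ 200",  # direct, not relayed
]

if __name__ == "__main__":
    for n, origin, url in scan(SAMPLE_LOG):
        print(f"line {n}: translate.goog relay to {origin} -> {url}")
```

A hit shows only that a Firebase-hosted page was loaded through the translate proxy, so treat it as a triage signal and check the decoded host against known-good applications before blocking.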



