| SYMBOL | COMMON_NAME | aka. SYNONYMS |
GTFire is a threat actor that leverages Google Firebase for hosting phishing pages and Google Translate to disguise malicious URLs, effectively bypassing security filters. The campaign employs a multi-step redirect chain to obscure the final phishing destination and utilizes All-in-1 PHP phishing scripts for rapid deployment and credential harvesting. Credentials are exfiltrated via URL parameters in a standard HTTP GET request, with minimal operational overhead.
There are currently no families associated with this actor.
| 2026-02-26
⋅
Group-IB
⋅
GTFire Phishing Scheme: Avoiding Detection Using Google Services GTFire |