Two criminal groups discovered utilizing Google Cloud projects for malicious operations
Google Cloud Abused by Multiple Latin American Hacking Groups in Phishing Campaigns
Phishing Campaigns Exploit Google Cloud Projects

According to Google’s biannual Threat Horizons Report, several hacking collectives, including FLUXROOT and PINEAPPLE, have been observed exploiting Google Cloud infrastructure for their malicious activities in Latin America.
FLUXROOT, for instance, orchestrated a phishing campaign aimed at stealing login credentials for Mercado Pago, a prominent online payments platform in the region. The threat actors utilized Google Cloud container URLs to host their phishing pages, leveraging the platform’s serverless architecture for flexibility and cost efficiency.
Meanwhile, PINEAPPLE used both compromised Google Cloud instances and projects it created itself to distribute Astaroth (also known as Guildma), a well-known infostealer. This involved setting up container URLs on legitimate Google Cloud domains such as cloudfunctions.net and run.app, which directed victims to the group’s malicious infrastructure.
Google responded swiftly by shutting down the malicious Google Cloud projects and updating its Safe Browsing list to mitigate further risks. The company emphasized that threat actors are increasingly exploiting serverless computing services across various cloud providers to evade detection and execute malicious activities.
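The defensive takeaway is that phishing and malware hosted on cloudfunctions.net or run.app sits behind a legitimate Google-owned domain, so domain reputation alone will not catch it. The following triage helper is an added example (not code from the report or from Google): it scans constructed proxy-log lines for URLs on those serverless domains and marks the ones whose host or path carries a brand keyword; the log format, client IPs and hostnames are invented, and only "mercadopago" among the keywords comes from the article.

```python
"""Flag proxy-log URLs hosted on Google Cloud serverless container domains.

These domains are legitimate, so a hit is a triage signal for an analyst,
not a block decision.
"""
from urllib.parse import urlparse

# Serverless hosting domains named in the Threat Horizons Report coverage.
SERVERLESS_SUFFIXES = (".cloudfunctions.net", ".run.app")

# Brand and lure keywords to look for in host + path. "mercadopago" comes from
# the article; the others are placeholder examples an analyst might add.
BRAND_KEYWORDS = ("mercadopago", "mercado-pago", "acceso", "login")

# Constructed sample proxy log: "<timestamp> <client_ip> <url>" per line.
SAMPLE_LOG = """\
2024-07-22T10:01:02Z 10.0.0.5 https://mercadopago-acceso-7xk2q-uc.a.run.app/login
2024-07-22T10:01:09Z 10.0.0.5 https://us-central1-internal-billing.cloudfunctions.net/report
2024-07-22T10:02:30Z 10.0.0.9 https://www.example.com/index.html
2024-07-22T10:03:11Z 10.0.0.7 https://static-assets-ab12cd.run.app/img/logo.png
"""


def is_serverless_host(host):
    """True if host is a subdomain of one of the serverless suffixes."""
    host = host.lower().rstrip(".")
    return any(host.endswith(suffix) for suffix in SERVERLESS_SUFFIXES)


def triage_url(url):
    """Return (on_serverless_domain, matched_keywords) for a single URL."""
    parts = urlparse(url)
    host = parts.hostname or ""
    if not is_serverless_host(host):
        return False, []
    haystack = (host + parts.path).lower()
    return True, [kw for kw in BRAND_KEYWORDS if kw in haystack]


def triage_log(text):
    """Return (client_ip, url, keywords) for every serverless-hosted URL.

    Entries with a non-empty keyword list are the ones to review first;
    the rest are an inventory of serverless endpoints seen on the network.
    """
    findings = []
    for line in text.splitlines():
        try:
            _ts, client_ip, url = line.split(maxsplit=2)
        except ValueError:
            continue  # skip malformed lines
        on_serverless, hits = triage_url(url)
        if on_serverless:
            findings.append((client_ip, url, hits))
    return findings
```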