Google Cloud A.I CyberSecurity Scoring

Company Information
Website: https://cloud.google.com/
Employees number: None
Number of followers: 3,097,955
NAICS: 5112
Industry Type: Software Development
Homepage: google.com

Google Cloud Risk Score (AI oriented)
Between 750 and 799
Google Cloud, Software Development
Updated: 17/06/2026
766/1000, Fair (Baa)

Google Cloud Global Score (TPRM)
Google Cloud, Software Development
Score locked

Current Score
766, Baa (Fair), on a 0 to 1000 scale
10 incidents
-6.11 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 777

Cyber Attack | 04 Jun 2026 | Google Cloud
Google, velia.net, OVH SAS, HostPapa and Leaseweb: How Spammers Are Hiding Behind Google and the New York Times
Score: 766 | Severity: HIGH-11 | Incident ID: LEAGOOVELOVHHOS1781109328

Large-Scale Phishing Infrastructure Uncovered: 12,704 Servers Exploit Google Cloud and Scraped NYT Content
A recent investigation has exposed a sophisticated, globally distributed phishing operation leveraging 12,704 internet-facing servers across 55 countries to facilitate spam and credential-harvesting campaigns. The infrastructure, designed for deliverability, evasion, and resilience, abuses Google Cloud Storage as an initial redirect layer before funneling targets to attacker-controlled landing pages, many of which mimic The New York Times to deceive security scanners and non-targeted visitors.
### Key Findings
- Scale & Distribution: The network spans 412 hosting providers, with the highest concentrations at HostPapa (630 servers), velia.net (453), OVH SAS (438), and Leaseweb (423). Geographic diversification, including heavy use of low-cost VPS markets in Turkey and Romania, complicates takedown efforts.
- Google Cloud Abuse: Attackers exploit Google Cloud Storage to host benign-looking HTML/JS files, using trusted Google domains (e.g., `storage.googleapis.com`) to bypass initial suspicion. JavaScript redirects then obscure the final phishing destination, allowing operators to rotate infrastructure without updating embedded email links.
- Deceptive Landing Pages: Servers serve near-identical pages scraped from The New York Times, likely to evade detection by security tools. Only targeted visitors, identified via factors like location, browser type, or referral source, are redirected to malicious payloads.
- Outdated & Vulnerable Software: 99.8% of servers run end-of-life (EOL) software, including:
  - Apache/2.4.52 (Ubuntu): 69%
  - Apache/2.4.6 (CentOS) with OpenSSL/1.0.2k-fips: 21%
  - Apache/2.4.41 (Ubuntu): 6%
  - Apache/2.4.58 (Ubuntu): 4%
  The uniformity suggests automated deployment from a small set of server images.
- Low Abuse History: 89% of IP addresses had no prior reports in AbuseIPDB, indicating either rapid rotation or use as intermediate redirectors to avoid reputation-based blocking.
- Selective Targeting: The infrastructure appears to filter visitors, serving benign content to scanners while delivering phishing pages to intended victims. The exact filtering logic remains unclear.
### Operational Tactics
1. Initial Contact: Victims receive spam emails with links to Google Cloud Storage URLs, which appear legitimate.
2. First Redirect: JavaScript on the Google-hosted page redirects to an attacker-controlled server.
3. Landing Page: Non-targets see NYT-scraped content; targets are sent to phishing pages.
4. Credential Harvesting: Victims who enter personal or financial data have their information compromised.
### Impact & Unknowns
While the investigation confirms the existence and scale of the infrastructure, critical details remain unknown:
- Total email volume sent via this network.
- Number of victims who clicked links or submitted data.
- Identity of the operators, though the coordinated deployment and shared tooling suggest a centralized operation rather than isolated actors.
The campaign’s design (distributed hosting, EOL software, and Google Cloud abuse) prioritizes persistence and evasion, making disruption difficult. Victims who entered credentials on any linked page should assume their data is compromised. Even clicking a link may confirm an email address as active, increasing future spam exposure.
MAY 2026: 776
APRIL 2026: 776
MARCH 2026: 776

Vulnerability | 10 Mar 2026 | Google Cloud
Google Cloud: Cloud Attackers Now Prefer Vulnerability Exploits Over Credentials
Shift in Cloud Attack Tactics: Vulnerability Exploitation Surges Over Credential Abuse
Score: 773 | Severity: LOW-3 | Incident ID: GOO1773203263

Google Cloud Report Reveals Shift in Cloud Attack Tactics: Vulnerability Exploitation Surges Over Credential Abuse
Google Cloud’s latest Threat Horizons Report for H1 2026 highlights a dramatic shift in how threat actors target cloud environments, with a growing preference for exploiting software vulnerabilities over traditional credential-based attacks. Published on 9 March, the report analyzes attack trends observed in Google Cloud services during the second half of 2025, revealing a rise in initial access via third-party vulnerabilities to 44.5%, up from just 2.9% in the first half of the year.
In contrast, attacks leveraging weak or missing credentials declined sharply, dropping from 47.1% to 27.2% over the same period. The report attributes this shift to attackers’ increasing speed in weaponizing newly disclosed flaws, with the window between vulnerability disclosure and mass exploitation shrinking from weeks to days.
A standout example is CVE-2025-55182 (React2Shell), a critical remote code execution vulnerability in React Server Components. Within 48 hours of its December 2025 disclosure, threat actors, including nation-state groups linked to North Korea and China, exploited the flaw to deploy cryptocurrency mining malware. Google Cloud emphasized that while its infrastructure remains secure, attackers are successfully targeting unpatched applications and permissive firewall rules in customer environments.
The report also underscores the need for automated defenses, such as Web Application Firewalls (WAFs), to mitigate risks before patches can be applied. Organizations slow to address vulnerabilities face heightened exposure, as attackers now exploit flaws at scale within days of disclosure.
MARCH 2026: 778

Vulnerability | 05 Mar 2026 | Google Cloud
Google: Google Cloud Vertex AI Vulnerability Lets Attackers Take Over and Poison AI Models
Score: 775 | Severity: CRITICAL-3 | Incident ID: GOO1781699328

Critical "Pickle in the Middle" Vulnerability in Google Cloud Vertex AI Exposed ML Models to RCE
Researchers from Palo Alto Networks’ Unit 42 uncovered a severe vulnerability in Google Cloud’s Vertex AI, dubbed "Pickle in the Middle," which enabled attackers to hijack machine learning (ML) model uploads, poison artifacts, and achieve cross-tenant remote code execution (RCE) without prior access to the victim’s environment.
The flaw, affecting the Python SDK (`google-cloud-aiplatform`), exploited a combination of predictable cloud resource naming, bucket squatting, and unsafe deserialization. Vertex AI’s Model Registry relies on Google Cloud Storage (GCS) buckets to stage artifacts before deployment, with the SDK generating default bucket names using a deterministic format based on project ID and region. Versions 1.139.0 and 1.140.0 failed to verify bucket ownership, allowing attackers to pre-create these buckets in their own projects, a technique known as bucket squatting.
The attack unfolded in six phases:
1. Prediction & Squatting: The attacker predicted the victim’s staging bucket name, created it in their own project, and configured permissive IAM roles.
2. Malicious Function Deployment: A Cloud Function was set up to monitor uploads and replace legitimate model files with malicious payloads within a 2.5-second race-condition window.
3. Victim Upload: The victim’s SDK, unaware of the hijacked bucket, uploaded model artifacts to the attacker-controlled storage.
4. Payload Swap: The attacker’s function triggered immediately, replacing the model with a poisoned version before Vertex AI processed it.
5. Model Deployment: The victim deployed the compromised model, which was treated as legitimate due to absent integrity checks.
6. RCE Execution: During deserialization, the exploit leveraged Python’s `pickle` mechanism to execute arbitrary code, enabling OAuth token exfiltration from Google-managed service accounts. This granted access to sensitive resources, including other models, BigQuery metadata, and internal infrastructure.
The impact extended beyond a single deployment, demonstrating cross-deployment data access, model theft, and reconnaissance capabilities. The compromised service account’s broad cloud-platform scope undermined tenant isolation in Vertex AI’s managed environment.
Google addressed the issue in SDK versions 1.144.0 and 1.148.0, introducing randomized bucket naming (via UUIDs) and explicit ownership verification. The vulnerability was reported on March 5, 2026, with patches fully deployed by April 15, 2026. The incident highlights emerging security risks in AI/ML pipelines, where cloud misconfigurations intersect with model serialization to create potent attack vectors.
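Two of the defensive measures named above, unpredictable staging-bucket names and integrity checks before deserialization, can be shown in a few lines. The following is an added example written for this page, not code from the `google-cloud-aiplatform` SDK or from Unit 42: `staging_bucket_name` is a hypothetical naming helper that appends a random UUID, `artifact_digest` and `load_model` record and verify a SHA-256 digest across the gap between upload and deployment, and `AllowListUnpickler` uses the `find_class` override documented in Python's `pickle` module to refuse any global reference not on an allow list. `GOOD_ARTIFACT` and `TAMPERED_ARTIFACT` are constructed stand-ins; the tampered one merely references the builtin `len`, so the refusal can be observed without any harmful payload.

```python
import hashlib
import hmac
import io
import pickle
import uuid

# Constructed model artifact standing in for a real weights file.
GOOD_MODEL = {"name": "demo-classifier", "weights": [0.12, -0.4, 0.77]}
GOOD_ARTIFACT = pickle.dumps(GOOD_MODEL)

# Constructed stand-in for a swapped artifact: it carries a reference to a
# global (the builtin ``len``) that a weights file has no reason to contain.
# Plain pickle.load would resolve that reference; the allow-list below refuses it.
TAMPERED_ARTIFACT = pickle.dumps({"name": "demo-classifier", "loader": len})


def staging_bucket_name(project_id: str, region: str) -> str:
    """Hypothetical naming scheme (not the SDK's): a random UUID suffix makes
    the bucket name unpredictable, so nobody can pre-create it."""
    return f"{project_id}-{region}-staging-{uuid.uuid4().hex}"


def artifact_digest(data: bytes) -> str:
    """SHA-256 recorded by the uploader before the artifact leaves its machine."""
    return hashlib.sha256(data).hexdigest()


class AllowListUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global reference not on the allow list.
    Scalars and plain containers never go through find_class, so a
    weights-only artifact loads unchanged while code references raise."""

    ALLOWED = {("builtins", "set"), ("builtins", "frozenset"),
               ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_model(data: bytes, expected_digest: str):
    """Deploy-time check: verify the digest recorded at upload, then unpickle
    through the allow list. Either failure raises before anything executes."""
    if not hmac.compare_digest(artifact_digest(data), expected_digest):
        raise ValueError("artifact digest does not match the value recorded at upload")
    return AllowListUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes, expected_digest: str) -> str:
    """Classify the outcome of loading an artifact."""
    try:
        load_model(data, expected_digest)
        return "ok"
    except ValueError:
        return "integrity-failure"
    except pickle.UnpicklingError:
        return "unsafe-pickle"


if __name__ == "__main__":
    recorded = artifact_digest(GOOD_ARTIFACT)  # taken at upload time
    print(staging_bucket_name("my-project", "us-central1"))
    print(try_load(GOOD_ARTIFACT, recorded))                              # ok
    print(try_load(TAMPERED_ARTIFACT, recorded))                          # integrity-failure
    print(try_load(TAMPERED_ARTIFACT, artifact_digest(TAMPERED_ARTIFACT)))  # unsafe-pickle
```

The digest check closes the race window described in phase 4: a swap between upload and deployment changes the bytes and therefore the digest, regardless of who owns the bucket. The allow-list unpickler is the second layer for the case where the recorded digest itself cannot be trusted; for production models, a format that does not execute code on load (for example safetensors) removes the deserialization risk entirely.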
FEBRUARY 2026: 781

Vulnerability | 27 Feb 2026 | Google Cloud
Google: Google API Keys Leak Sensitive Data Without Warning via Gemini
Score: 778 | Severity: CRITICAL-3 | Incident ID: GOO1772173606

Google API Keys Expose Gemini AI Endpoints in Legacy Security Flaw
Security researchers at Truffle Security uncovered a critical vulnerability in Google’s API key architecture, where legacy public-facing keys originally designed for low-risk services like Google Maps can silently gain unauthorized access to Gemini AI endpoints. This flaw allows attackers to exploit exposed keys, accessing private files, cached data, and triggering costly AI queries without detection.
The issue stems from insecure defaults in Google Cloud Platform (GCP). When developers enable the Generative Language API on an existing project, previously public API keys, once considered safe for client-side use, are automatically upgraded into sensitive credentials with unrestricted access. Since Google uses a single key format for both public identification and authentication, there is no separation between low-risk and high-risk environments.
Exploitation is straightforward: attackers can scrape exposed keys from public code repositories and use them to query Gemini, potentially stealing data or incurring thousands in billable AI usage. The flaw affects thousands of websites, as many developers followed Google’s past guidance to embed API keys directly in client-side code.
Google is mitigating the issue by defaulting new keys in AI Studio to Gemini-only access and blocking known leaked credentials. However, organizations must audit projects for unrestricted keys and rotate exposed credentials to prevent exploitation. The incident underscores the risks of retrofitting modern AI capabilities onto outdated cloud security models.
FEBRUARY 2026: 784

Vulnerability | 10 Feb 2026 | Google Cloud
Google: AI Chat App Data Breach Exposes 300 Million Messages from 25 Million Users
Score: 780 | Severity: CRITICAL-4 | Incident ID: GOO1770717378

300 Million Private AI Chat Messages Exposed in Major Firebase Misconfiguration
A critical security lapse in the popular AI chat app Chat & Ask AI exposed 300 million private messages from 25 million users, revealing deeply personal conversations with AI models like ChatGPT, Claude, and Gemini. The breach, discovered by independent security researcher Harry and reported to 404 Media, stemmed from a basic misconfiguration in the app’s Google Firebase database rather than a malicious hack.
The app, available on Google Play and Apple’s App Store, allows users to interact with third-party AI models. However, its Firebase backend was left publicly accessible due to improper security rules. While Firebase databases are secure by default, developers must manually set access controls. In this case, the rules were set to `allow read: if true;`, effectively leaving the database unlocked. With minimal effort, anyone with a Firebase login could access the entire dataset, including timestamps, user settings, AI model preferences, and custom chatbot names.
A sample of 60,000 users and 1 million messages confirmed the breach affected at least half of the app’s 50 million claimed users. While no passwords or financial data were exposed, the leaked conversations included highly sensitive content: suicide notes, self-harm methods, drug manufacturing instructions, and hacking techniques. Many users treated the AI as a confidant, sharing intimate details under the assumption of privacy.
The incident underscores the risks of "wrapper" apps: third-party services that resell access to major AI models (e.g., OpenAI, Google) without implementing equivalent security measures. Firebase misconfigurations are a recurring issue, with past breaches affecting apps like Fortnite trackers. Developers often prioritize speed to market over security audits, leaving databases vulnerable.
The app’s developers secured the database after being alerted, but the damage was already done. The breach serves as a stark reminder of the security gaps in the AI boom, where convenience often overshadows safeguards. For developers, best practices such as testing Firebase rules in production, using security simulators, and encrypting sensitive data are critical to preventing similar exposures.
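The `allow read: if true;` rule quoted above is easy to catch before it ships. The following is an added example written for this page, not code from the app's developers or from Google: a small Python linter that scans Firestore-style rules text for unconditional `allow` rules and for rules that gate only on `request.auth != null` (any signed-in user, which is what let an arbitrary Firebase login read the whole dataset). `WEAK_RULES` and `HARDENED_RULES` are constructed samples modelled on the pattern described, not the app's real rules, and the `uid` heuristic is an assumption about how owner-scoped rules are normally written.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed Firestore security rules modelled on the misconfiguration in the
# write-up (not the app's real rules): a wide-open read rule, a write rule that
# admits any signed-in user, and one rule that is correctly scoped to its owner.
WEAK_RULES = """
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /messages/{messageId} {
      allow read: if true;
      allow write: if request.auth != null;
    }
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
  }
}
"""

# The same rules with every grant tied to the requesting user's uid.
HARDENED_RULES = """
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /messages/{messageId} {
      allow read: if request.auth != null && request.auth.uid == resource.data.ownerUid;
      allow create: if request.auth != null && request.auth.uid == request.resource.data.ownerUid;
    }
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
  }
}
"""


@dataclass
class Finding:
    line: int
    severity: str
    rule: str
    reason: str


# Matches "allow <ops>;" and "allow <ops>: if <condition>;"
ALLOW_RE = re.compile(r"^\s*allow\s+([a-z, ]+?)\s*(?::\s*if\s+(.*?))?\s*;\s*$")
ANY_SIGNED_IN_RE = re.compile(r"request\.auth\s*!=\s*null")


def audit_rules(rules_text: str) -> list[Finding]:
    """Flag allow rules that are unconditional or that only require a login.
    Heuristic (assumption): a condition that never mentions a uid is treated
    as not scoped to the data owner."""
    findings: list[Finding] = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        m = ALLOW_RE.match(line)
        if not m:
            continue
        ops = m.group(1).strip()
        cond = (m.group(2) or "").strip()
        if cond in ("", "true"):
            # "allow read;" without a condition is the same as "if true"
            findings.append(Finding(lineno, "critical", line.strip(),
                                    f"{ops}: unconditional access for anyone on the internet"))
        elif ANY_SIGNED_IN_RE.search(cond) and "uid" not in cond:
            findings.append(Finding(lineno, "high", line.strip(),
                                    f"{ops}: any signed-in user, not scoped to the data owner"))
    return findings


if __name__ == "__main__":
    for f in audit_rules(WEAK_RULES):
        print(f"line {f.line} [{f.severity}] {f.rule} -> {f.reason}")
    print("hardened rules findings:", audit_rules(HARDENED_RULES))
```

Run it as a pre-commit or CI step over the rules file; the critical finding is the one that produced this breach, and the high finding is the quieter cousin that still exposes every user's data to every other account. Firebase's own rules simulator and emulator cover the cases a regex cannot, such as conditions that look owner-scoped but compare the wrong field.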
FEBRUARY 2026: 798

Cyber Attack | 02 Feb 2026 | Google Cloud
YouTube, Discord, Google, MediaFire, Telegram, Facebook and TikTok: Arsink RAT Targets Android Devices To Steal Data and Enable Remote Control
Score: 784 | Severity: CRITICAL-14 | Incident ID: MEDZYPTELMETTIKGOOYOU1770029110

Arsink: Android Malware Exploits Cloud Tools for Large-Scale Data Theft
A sophisticated Android remote access trojan (RAT) dubbed Arsink has been uncovered, leveraging free cloud services to steal sensitive data and remotely control infected devices. Security firm Zimperium tracked the malware over several months, identifying 1,216 unique APK files, 317 Firebase command-and-control (C2) servers, and 45,000 victim IP addresses across 143 countries.
### Distribution & Deception
Hackers distributed Arsink through Telegram channels, Discord posts, and MediaFire links, disguising it as modified or "pro" versions of popular apps from over 50 brands, including Google, YouTube, WhatsApp, Instagram, TikTok, and Facebook. Once installed, the malware requests excessive permissions, hides its icon, and operates covertly, offering no legitimate functionality while harvesting data.
### Four Attack Variants
Zimperium identified four primary Arsink variants, each using different cloud-based exfiltration methods:
1. Firebase + Google Apps Script – Small data (e.g., device info) is sent to Firebase Realtime Database, while larger files (photos, audio) are uploaded via Google Apps Script to Google Drive.
2. Telegram Exfiltration – SMS messages, call logs, and device details are transmitted directly to a hacker-controlled Telegram bot.
3. Embedded Dropper – A secondary payload is hidden within the app, extracted and renamed (e.g., Ai_App.zip to App.apk) without requiring internet downloads, evading detection.
4. Hybrid Cloud Abuse – Combines Firebase, Google Drive, and Telegram for data theft and command execution.
### Data Theft & Remote Control
Arsink captures a full device snapshot, including:
- Device details (model, battery, location, Google account emails)
- SMS messages (including one-time passcodes)
- Call logs & contacts
- Microphone recordings (stored in cloud storage)
- Photos & files (listed for potential upload)
Attackers can remotely:
- Toggle the flashlight, vibrate the phone, or play sounds
- Change wallpaper, display messages, or speak text via text-to-speech
- Initiate calls, manage files (upload, delete, wipe external storage)
- Hide the app icon and maintain persistence via fake foreground notifications
### Global Impact & Victim Distribution
The malware has infected users across the Middle East, Asia, Africa, Europe, and the Americas, with the highest concentrations in:
- Egypt (13,000 infections)
- Indonesia (7,000)
- Iraq & Yemen (3,000 each)
- Türkiye (2,000)
- Pakistan & India (2,500 each)
- Bangladesh (1,600)
- Algeria & Morocco (1,000 each)
India’s high infection rate correlates with frequent Telegram-based APK distribution.
### Mitigation & Response
Zimperium collaborated with Google to dismantle malicious Firebase endpoints, Apps Scripts, and accounts. Google Play Protect now blocks known Arsink samples outside the Play Store. However, attackers rapidly adapt, making behavior-based detection critical for enterprises, particularly as the malware targets work-related credentials via SMS interception.
Arsink’s use of legitimate cloud services for C2 operations highlights the growing challenge of detecting malware that blends into normal traffic.
JANUARY 2026: 800

Vulnerability | 17 Jan 2026 | Google Cloud
Google: Google’s Vertex AI Vulnerability Enables Low-Privileged Users to Gain Service Agent Roles
Score: 797 | Severity: CRITICAL-3 | Incident ID: GOO1768649952

Google Vertex AI Default Configurations Enable Privilege Escalation Attacks
Researchers at XM Cyber uncovered critical security flaws in Google’s Vertex AI, where default configurations allow low-privileged users to escalate privileges by hijacking Service Agent roles. Google acknowledged the vulnerabilities but classified them as "working as intended," leaving organizations exposed to potential attacks.
The vulnerabilities affect two components: Vertex AI Agent Engine and Ray on Vertex AI. Both rely on Service Agents (managed identities with broad project permissions), creating a risk when accessed by users with minimal privileges. Attackers exploit these through "confused deputy" scenarios, where read-only access can lead to remote code execution (RCE) and credential theft from instance metadata.
### Attack Vectors Breakdown
1. Vertex AI Agent Engine
- Target: Reasoning Engine Service Agent
- Vulnerability: Malicious tool injection via `aiplatform.reasoningEngines.update` permissions.
- Impact: Attackers upload malicious code (e.g., a reverse shell) disguised as a legitimate tool, gaining access to LLM memories, chat logs, and Cloud Storage (GCS) buckets, even public ones, without direct storage permissions.
2. Ray on Vertex AI
- Target: Custom Code Service Agent
- Vulnerability: Insecure default access (`aiplatform.persistentResources.get/list`) allows users with Vertex AI Viewer roles to gain root shell access via the GCP Console’s "Head node interactive shell."
- Impact: Attackers extract the agent’s token, enabling read-write access to GCS and BigQuery, though IAM actions like `signBlob` remain restricted.
### Mitigation Recommendations
Google’s default configurations treat these risks as features, requiring enterprises to proactively secure deployments. Recommended steps include:
- Revoking unnecessary Service Agent permissions via custom roles.
- Disabling head node shells and validating tool code before updates.
- Monitoring metadata access through Security Command Center’s Agent Engine Threat Detection, which flags RCE and token theft.
- Auditing persistent resources and reasoning engines regularly.
The findings highlight the need for organizations to treat Vertex AI’s default settings as potential attack surfaces rather than operational conveniences.
JANUARY 2026: 811

Cyber Attack | 06 Jan 2026 | Google Cloud
Google: Phishing campaign abuses Google Cloud services to steal Microsoft 365 logins
Google Cloud Application Integration Abused for Phishing Campaign Targeting Microsoft 365 Credentials
Score: 800 | Severity: LOW-11 | Incident ID: GOO1767719152

Sophisticated Phishing Campaign Abuses Google Cloud Services to Steal Microsoft 365 Credentials
Cybercriminals are exploiting Google’s cloud infrastructure to launch highly convincing phishing attacks, bypassing spam filters and tricking users into surrendering their Microsoft 365 login credentials. Researchers identified a campaign where attackers used Google Cloud Application Integration’s Send Email feature to dispatch phishing emails from a legitimate Google address—noreply-application-integration@google[.]com—lending the messages an air of authenticity.
The emails, which reference routine actions like voicemail notifications or document access requests, include links to Google Cloud Storage URLs, further masking their malicious intent. After the initial click, victims are redirected through another Google-owned domain (googleusercontent[.]com), where they encounter a CAPTCHA check before being funneled to a fake Microsoft 365 sign-in page. The spoofed login portal, hosted on a non-Microsoft domain, captures any entered credentials.
The attack leverages Google’s trusted services to evade detection, though the company clarified that this was not a vulnerability but an abuse of its workflow automation tools. Google has since blocked multiple phishing campaigns tied to this method and is implementing additional safeguards to prevent further misuse.
This incident highlights a growing trend of threat actors abusing trusted cloud platforms—including Google, PayPal, and DocuSign—to enhance the credibility of phishing schemes. While Google has taken action, the campaign underscores the need for users to scrutinize login pages, particularly when redirected from seemingly legitimate sources.
DECEMBER 2025: 814

Vulnerability | 25 Dec 2025 | Google Cloud
Amazon Web Services, Palo Alto Networks, Google Cloud and Wakefield Research: Every organization faced at least one AI-related cyberattack within the last year, says research
Increasing Attacks on AI Systems via Cloud Infrastructure Vulnerabilities
Score: 811 | Severity: LOW-3 | Incident ID: AMAUNIGOOWAK1766721300

AI Systems Under Siege: Every Organization Targeted in Past Year, Unit 42 Finds
A new report from Palo Alto Networks’ Unit 42 reveals a stark reality: every organization surveyed has faced at least one attack on its AI systems in the past year. The findings, derived from a survey of over 2,800 participants across 10 countries—including the U.S., UK, Germany, Japan, and India—highlight a growing and systemic vulnerability in AI security, with cloud infrastructure at the heart of the problem.
Conducted between September 29 and October 17, 2025, the research underscores that AI security cannot rely on reactive measures. Instead, organizations must adopt a proactive, scientific approach to safeguarding AI systems, given their complexity and critical applications. The report emphasizes that AI security is inherently tied to cloud infrastructure, where most AI workloads—data storage, model training, and application deployment—reside.
Cloud platforms like AWS, Microsoft Azure, and Google Cloud, while enabling AI scalability, also present prime targets for cyberattacks. Exploitable weaknesses in cloud security can lead to unauthorized access, data theft, or operational disruptions. Traditional security measures often fall short in addressing the unique challenges of AI, such as securing data pipelines, managing identities, and protecting cloud-hosted workloads.
The State of Cloud Security Report 2025 argues that the only effective defense is a holistic approach to cloud security, treating it as foundational to AI protection. This includes enforcing strong policies, encryption standards, regular audits, and isolating AI workloads from cloud vulnerabilities. As AI integrates deeper into sectors like healthcare, finance, and autonomous systems, the stakes rise—breaches could compromise sensitive data, disrupt services, or even endanger lives.
Emerging threats, such as adversarial attacks designed to manipulate AI models, further complicate the landscape. The report calls for collaboration between cloud providers, AI developers, and security teams to build robust frameworks and real-time threat detection tools. The future of AI security hinges on securing the cloud infrastructure that powers it, ensuring resilience against an evolving threat landscape.
NOVEMBER 2025: 759

Cyber Attack | 01 Nov 2025 | Google Cloud
Google: P2PInfect Botnet Targets Kubernetes via Exposed Redis
Score: 814 | Severity: CRITICAL-55 | Incident ID: GOO1779352039

P2Pinfect Botnet Exploits Exposed Redis Instances to Infiltrate Google Kubernetes Engine Clusters
A persistent P2Pinfect botnet campaign has been targeting Google Kubernetes Engine (GKE) clusters by exploiting misconfigured Redis instances, enabling attackers to maintain access for up to six months in some environments. Security researchers at FortiGuard Labs detected the activity, revealing how a single cloud misconfiguration can lead to long-term compromise.
The P2Pinfect malware operates as a self-propagating, peer-to-peer (P2P) botnet, distinguishing itself from traditional botnets by using a decentralized mesh of infected nodes rather than a centralized command-and-control (C2) server. This architecture complicates disruption efforts, as infected systems communicate over non-standard ports, evading detection while maintaining persistence.
The infection chain begins with publicly exposed Redis services, a known attack vector. Attackers deploy a shell-based dropper script (deplyoer.sh), which fetches a UPX-packed Rust binary from a remote server. The payload uses ChaCha20 encryption, though with a trivial key and nonce (all zeros), primarily for obfuscation. Once decoded, the binary reveals a list of peer nodes (IP:Port combinations) that integrate the infected system into the botnet.
While no follow-on payloads (e.g., ransomware or cryptominers) were observed in these incidents, P2Pinfect is known to remain dormant before deploying malicious modules. Some variants include user-mode rootkit functionality, enabling stealthy persistence. Fortinet’s telemetry suggests the botnet may function as a "botnet-for-hire", where operators scale infections while third parties deploy custom payloads later.
A notable evolution in this campaign is P2Pinfect’s expansion beyond Redis exploits. Between November 2025 and February 2026, researchers linked botnet peers to CVE-2025-11953 (Metro4Shell), a critical remote code execution (RCE) vulnerability in the React Native Metro server. The rapid weaponization of this flaw shortly after public proof-of-concept (PoC) code emerged demonstrates the botnet’s ability to incorporate newly disclosed vulnerabilities into its attack chain.
Additionally, researchers assessed CVE-2025-49844 (RediShell), a Redis Lua sandbox escape vulnerability, as a plausible but unconfirmed initial access vector. The timing and exposure conditions align with the campaign, though no direct exploitation was verified. Attackers may have also abused Redis replication features (e.g., the SLAVEOF command) to execute malicious code on exposed nodes.
In a related finding, four compromised Redis nodes were simultaneously infected with cryptominers tied to a separate React2Shell campaign active in December 2025, indicating that multiple threat actors may be targeting the same vulnerable cloud environments.
The campaign highlights the risks of exposed cloud services, where a single misconfiguration can grant attackers a persistent foothold. With P2Pinfect continuing to evolve and adopt new exploits, the threat underscores the need for proactive security measures in Kubernetes and cloud environments.
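Because the infection chain starts with a Redis service reachable from the internet, the first defensive check is the instance's own configuration. The following is an added example written for this page, not code from FortiGuard Labs or Google: a Python audit of `redis.conf` text that flags a public `bind`, `protected-mode no`, a missing `requirepass`, and replication commands (`SLAVEOF`, `REPLICAOF`) that have not been disabled with `rename-command`. `EXPOSED_CONF` and `HARDENED_CONF` are constructed samples, and the password value in the hardened one is a placeholder.

```python
from __future__ import annotations

# Constructed redis.conf excerpts for the audit below; neither is taken from a
# real deployment. The first matches the "publicly exposed Redis" starting
# point of the campaign, the second is the hardened counterpart.
EXPOSED_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# no requirepass: anyone who can reach the port can issue commands
"""

HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass CHANGE-ME-placeholder-not-a-real-secret
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""

PUBLIC_BIND_ADDRESSES = {"0.0.0.0", "*", "::"}
REPLICATION_COMMANDS = ("SLAVEOF", "REPLICAOF")


def parse_conf(text: str) -> dict[str, list[str]]:
    """Map each directive (lower-cased) to the argument strings seen for it.
    A directive that appears several times, such as rename-command, keeps
    every occurrence in order."""
    conf: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, args = line.partition(" ")
        conf.setdefault(directive.lower(), []).append(args.strip())
    return conf


def audit_redis_conf(text: str) -> list[str]:
    """Return one finding per exposure-related weakness; an empty list means
    none of the checked weaknesses is present."""
    conf = parse_conf(text)
    findings: list[str] = []

    # Without a bind directive Redis listens on every interface.
    addresses = {addr for args in conf.get("bind", []) for addr in args.split()}
    if not addresses or addresses & PUBLIC_BIND_ADDRESSES:
        findings.append("bind: listens on all interfaces instead of loopback only")

    # The last occurrence of a directive wins, as in Redis itself.
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode no: unauthenticated remote clients are accepted")

    if not any(conf.get("requirepass", [])):
        findings.append("requirepass unset: no authentication required")

    renamed = {args.split()[0].upper() for args in conf.get("rename-command", []) if args}
    for cmd in REPLICATION_COMMANDS:
        if cmd not in renamed:
            findings.append(f"{cmd} still enabled: replication abuse remains possible")
    return findings


if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}:")
        for finding in audit_redis_conf(conf) or ["no findings"]:
            print(f"  - {finding}")
```

On a GKE cluster the same questions apply to the Service or Ingress that fronts Redis: a `LoadBalancer` Service exposing port 6379 undoes a loopback-only `bind` inside the container, so the network policy should be audited alongside the configuration file. Redis 6 and later also offer ACLs as a finer alternative to `rename-command`.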
OCTOBER 2025: 759
SEPTEMBER 2025: 759
AUGUST 2025: 759
JULY 2025: 759
Frequently Asked Questions
- What is the current A.I Rankiteo Cyber Score for Google Cloud?
- What was Google Cloud's A.I Rankiteo Cyber Score in May 2026?
- What was Google Cloud's A.I Rankiteo Cyber Score in April 2026?
- What was Google Cloud's A.I Rankiteo Cyber Score in March 2026?
- What was Google Cloud's A.I Rankiteo Cyber Score in February 2026?
- What was Google Cloud's A.I Rankiteo Cyber Score in January 2026?
- What was Google Cloud's A.I Rankiteo Cyber Score in December 2025?
- What was Google Cloud's A.I Rankiteo Cyber Score in November 2025?
- What was Google Cloud's A.I Rankiteo Cyber Score in October 2025?
- What was Google Cloud's A.I Rankiteo Cyber Score in September 2025?
- What was Google Cloud's A.I Rankiteo Cyber Score in August 2025?
- What was Google Cloud's A.I Rankiteo Cyber Score in July 2025?
- What is the average per-incident point impact on Google Cloud's A.I Rankiteo Cyber Score over the past 12 months?
- Where can I access detailed records of all cyber incidents associated with Google Cloud?
- Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
- Where can I view Google Cloud's profile page on Rankiteo?
- How accurate is the A.I Rankiteo Risk Scoring methodology?