Google Threat Intelligence Group — Europe Data Leak Landscape 2025 (Germany dominant, 96% of victims <5,000 employees)

Unit 42 disclosed a cross-tenant RCE class in the Google Cloud Vertex AI SDK for Python (Unit 42, 2026-06-16). When a caller uploads a model without specifying a custom staging bucket, the SDK's stage_local_data_in_gcs() builds a deterministic, globally-unique bucket name from the project ID and region ({project-id}-vertex-staging-{region}). Because GCS bucket names are publicly claimable, an attacker who knows the target project ID can pre-register that bucket, attach a Cloud Function on object.finalize, and silently receive the victim's uploaded model.joblib — then swap in a malicious pickle. Vertex AI's serving agent deserialises the pickle and executes attacker code inside Google's serving container with the platform service account's privileges (The Hacker News, 2026-06-16). Google added bucket-name randomization (UUID4) in google-cloud-aiplatform 1.144.0 (2026-03-31) and the bucket-ownership check in the fully hardened 1.148.0 (2026-04-15); versions from 1.139.0 are affected and orgs on 1.144.0–1.147.x are only partially protected, so 1.148.0 is the version to target. No in-the-wild exploitation was observed.

Why it matters to us: Any EU/CH org running Vertex AI ML pipelines on the affected SDK that did not pin a staging bucket is exposed to the broader "resource-squatting" class — predictable cloud resource names without ownership verification. Upgrade the SDK to ≥ 1.148.0, audit jobs for default staging_bucket use, and alert on GCS objectCreate / ownership changes for any bucket matching the {project-id}-vertex-staging-{region} pattern not owned by your org.

Google's Threat Intelligence Group attributes a September 2023 – November 2025 espionage campaign to UNC6508, a PRC-nexus cluster that compromised North American academic, medical and military-health organisations by exploiting externally-facing REDCap (Research Electronic Data Capture) servers, then dropping a bespoke PHP implant tracked as INFINITERED (Google GTIG, 2026-06-15). INFINITERED trojanises REDCap's own upgrade mechanism to survive platform updates, harvests credentials from the REDCap login page, and exposes a cookie-gated backdoor for shell, file, SQL and credential operations (Help Net Security, 2026-06-15). The exfiltration tradecraft is the notable part: after pivoting to a Workspace admin account, the actor created a Google Workspace content-compliance rule named "Patroit" that silently BCC-forwarded any message matching ~150 research/defence keywords to an attacker-controlled Gmail address — abusing a legitimate administrative feature rather than dropping exfiltration malware (T1114.003 Email Forwarding Rule), which evades most DLP that watches for new tooling (SecurityWeek, 2026-06-15). Initial access mapped to T1190; web-shell persistence to T1505.003; admin credential reuse to T1078.

Why it matters to us: REDCap is deployed across Swiss and EU university hospitals, cantonal research bodies and clinical-trial coordinators, and the Workspace BCC-rule technique is tenant-agnostic. Hunt now: Google Workspace admin audit logs for content-compliance/BCC rule creation by non-IT-admin accounts (especially rules with external Gmail recipients), and file-integrity-monitor the REDCap upgrade-staging directory and login handlers — standard web-root scanning misses the upgrade-path implant.

UPDATE (originally covered 2026-06-13): the China-based Outsider Enterprise phishing-as-a-service network — the subject of Google's 13 June civil complaint covered last brief — has now been hit on the criminal-enforcement track. On 14 June the FBI, working with Google and Lumen's Black Lotus Labs, executed "Operation Ghost Hook," seizing thousands of Outsider-registered domains (now redirecting ~1 million phishing URLs to an FBI splash page), core admin servers, a Shopify storefront and roughly $100,000 in USDT (BleepingComputer, 2026-06-14; CyberScoop, 2026-06-12).

The delta beyond Google's civil action: agents accessed an Outsider Telegram bot to enumerate the network's criminal customers, and the operation is folded into the FBI's broader "Operation Riptide" against cybercrime infrastructure. Outsider sold AI-assisted phishing kits (it weaponised Gemini and other tools to generate custom phishing-site code) for $88 per week, using fake package-delivery, toll, parking and brokerage lures across 55 countries including the United States (CyberScoop, 2026-06-12).

Defender takeaway: the domain seizure cuts active infrastructure, but Outsider-derived kits — and the prompt-to-phishing-page generation capability — are portable to fresh domains by affiliates. Continue to hunt for AI-generated package/toll/parking credential-harvest pages and brand-impersonation lures targeting staff; the takedown lowers volume, not technique.

Google filed a federal lawsuit against the operators of "Outsider Enterprise," a phishing-as-a-service network that prompted Google's own Gemini model with innocuous-seeming HTML-generation requests and imported the output directly into its kit to stand up live scam pages (Google, 2026-06-12). The kit, sold via Telegram subscription with built-in credential capture, shipped pre-built templates impersonating financial, retail and government services — including postal, parcel-delivery and tax-authority lures that map directly onto common Swiss/EU smishing themes (The Hacker News, 2026-06-12). The operationally relevant signal is not the scale numbers in the complaint but the technique: LLM safety filters police the prompt, not the downstream weaponisation, so AI-generated phishing pages are now produced faster and with more visual variety than template-based detection assumes. Defender action: anti-phishing controls that fingerprint known kit templates should expect higher variant churn; brief citizen-facing and finance teams that postal/delivery/tax-impersonation smishing volume is rising.

Google patched CVE-2026-11645 (CVSS 8.8), an out-of-bounds read and write in the V8 engine, in Chrome 149.0.7827.103; a crafted HTML page achieves code execution inside the renderer sandbox (Chrome, 2026-06-08). The bug was exploited in the wild before patching and CISA added it to the KEV catalog on 9 June; per the Chrome advisory it affects Chromium-based browsers including Edge and Opera (Chrome, 2026-06-08). The KEV listing is the operational signal here — confirmed active exploitation of a one-click browser bug (T1189, T1203). Update Chrome/Edge/Opera to 149.0.7827.103+ across the estate.

Unit 42 enumerates seven cloud-logging attack categories — five evasion, two visibility (Unit 42, 2026-06-09). Evasion techniques: stopping CloudTrail trails (StopLogging), deleting S3/GCS log destinations, removing GCP log-routing sinks, impairing customer-managed encryption keys (CMEK) so logs become unreadable, and log poisoning to mask activity with benign-looking entries; visibility techniques redirect logs to attacker accounts via cross-account delivery for long-term reconnaissance of defender detections (T1562.008, T1070, T1530). Hardening: S3 Object Lock / GCS locked-bucket immutable retention; IAM restrictions on cloudtrail:StopLogging, cloudtrail:DeleteTrail, logging.sinks.delete; alert on cloudtrail:UpdateTrail modifying KMS-key associations and on KMS key-policy changes affecting CloudTrail encryption. Log-integrity monitoring is a NIS2 incident-detection expectation, making this directly relevant to EU cloud-resident public-sector and financial workloads. [SINGLE-SOURCE] (Unit 42 primary research).

Google shipped Chrome 149 (stable 149.0.7827.53/54) on 2026-06-02, patching 429 vulnerabilities — the largest single-release count in Chrome's history, with over 100 rated critical or high (Google Chrome Releases, 2026-06-02; SecurityWeek, 2026-06-05). The highest-severity externally-reported fix is CVE-2026-10881 (CVSS 9.6), an out-of-bounds read and write in ANGLE — Chrome's graphics-translation layer that maps WebGL/GPU calls to the host graphics API — which SecurityWeek reports remote attackers could exploit to escape Chrome's sandbox via a crafted HTML page, with no interaction beyond visiting the page. The sandbox-escape class is the consequential one for enterprises: a renderer compromise chained through ANGLE yields code execution in the browser process, the launch point for subsequent host privilege-escalation chains. No in-the-wild exploitation has been reported. Chrome auto-updates, but managed and extended-stable fleets routinely lag; verify deployment has reached 149.0.7827.53+ via asset inventory or the ADMX update policy, and confirm no MDM version-pin is holding endpoints back. Maps to T1203 (Exploitation for Client Execution).

CVE Summary Table

The table consolidates the CVE-bearing items across this brief; only CVE-2026-10881 is a § 2 trending-vulnerability entry — the Keycloak and FFmpeg rows are cross-references to § 5 and § 3 respectively.

Huntress documented a DesckVB RAT chain from a May 2026 IR engagement that abuses Google DoubleClick Campaign Manager click-tracking for reputation laundering: a German-named HTML attachment (Bestellung_2026.html — "order") does a zero-second meta-refresh to a high-reputation ad.doubleclick.net URL that allowlist-based mail/web filters pass transparently, then steers to a "Download PDF" landing page delivering a JavaScript loader (Huntress, 2026-06-03). The loader runs a .NET assembly via process hollowing (T1055.012) after patching AMSI and ETW at the native-API level (T1562.001) to blind Windows telemetry; persistence is set before C2 over raw TCP. German-language purchase-order lures point at DACH enterprises. Why it matters to us: the DoubleClick hop defeats domain-reputation allowlisting at the gateway — flag HTML email attachments containing meta-refresh to ad-network domains, and watch for runtime patching of AmsiScanBuffer / ETW from node/script-spawned process trees rather than relying on the redirect domain.

Push Security documented LLMShare, a malvertising campaign in which attackers buy Google Ads targeting "ChatGPT" and "ChatGPT download" queries (Push Security, 2026-05-29; BleepingComputer, 2026-05-29). Victims clicking the ads land on legitimate chatgpt.com/s/[unique-id] share URLs that render attacker-controlled HTML — a fake high-traffic outage page with a "Download our desktop app to continue" button — directly from the OpenAI domain. Because chatgpt.com is trusted by enterprise web-filtering rules and firewalls, the landing page is not blocked. The download button redirects to an attacker-controlled domain impersonating OpenAI; the site uses cloaking (serves a benign page to scanners). Windows users receive an infostealer payload. The technique exploits the same ChatGPT Artifacts/sharing feature previously abused in the ACR Stealer campaign (covered 2026-05-26) and extends it to malvertising. Detection: monitor for browser-spawned executable downloads from chatgpt.com domains — legitimate ChatGPT desktop app downloads do not originate from that path; alert on unusual process launch from browser-extracted or browser-downloaded unsigned executables. MITRE ATT&CK: T1566.002, T1204.001, T1036, T1027.

On 2026-05-26T14:00Z, CrowdStrike Counter Adversary Operations, Google, and the Shadowserver Foundation executed a simultaneous takedown of all four C2 channels operated by GlassWorm, a developer-targeting supply-chain campaign active since at least early 2025 (CrowdStrike Counter Adversary Operations, 2026-05-27; TechCrunch, 2026-05-27; The Hacker News, 2026-05-27). GlassWorm's C2 architecture was designed for resilience: (1) Solana blockchain — C2 server addresses encoded in transaction memo fields as an immutable public dead-drop; (2) BitTorrent DHT — GlasswormRAT queries the peer-to-peer network for configuration data stored against hardcoded public keys; (3) Google Calendar — event titles used as Base64-encoded path dead-drops; (4) traditional VPS-hosted C2 for final payload. Taking down any subset would have left the remainder operational.

The attack surface spanned VS Code Marketplace, Open VSX (reaching Forgejo/Gitea-based forks), npm, PyPI, and direct GitHub repository poisoning via stolen developer credentials — 300+ GitHub repositories poisoned across the campaign. Infected hosts were converted into covert infrastructure: SOCKS proxies, hidden VNC (HVNC) servers, and Node.js-based remote execution nodes via WebRTC. CrowdStrike attributes the operators to likely Russia-based actors on the basis of the malware's CIS-locale / language / timezone exit check.

Defender takeaway: the takedown sinkholes existing C2 but does not remediate the infected developer endpoints. Treat every workstation that installed an affected VS Code / Cursor / Windsurf extension between early 2025 and 2026-05-26 as potentially compromised; rotate every CI/CD secret, cloud credential, and GitHub PAT accessible from that host. Hunt: enumerate the org's installed VS Code extension inventory against the published OpenVSX extension allowlist; correlate with developer-endpoint outbound WebRTC connections from node.exe parents.

Mandiant / Google Threat Intelligence Group published an incident-response investigation into a late-2025 compromise of a web server running KnowledgeDeliver, an ASP.NET learning-management system from Japan-based Digital Knowledge that is widely deployed in Japanese enterprise and education environments (Google Threat Intelligence Group, 2026-05-25; Mandiant Vulnerability Disclosures MNDT-2026-0009). The root cause (CVE-2026-5426) is identical pre-shared ASP.NET machineKey values shipped across all customer installations by default: any party who recovers the hardcoded key from one instance can forge a valid signed/encrypted ViewState payload and replay it against any other deployment. Because ASP.NET ViewState is deserialized through ObjectStateFormatter → BinaryFormatter, a forged payload yields arbitrary .NET object-graph deserialization and remote code execution (T1190). Mandiant states the flaw was exploited as a zero-day prior to the 2026-02-24 patch.

Post-exploitation, the actor deployed BLUEBEAM (a variant of the Godzilla web shell) that runs entirely inside the IIS worker process w3wp.exe — no shell file on disk — receiving commands over encrypted HTTP POST (T1505.003, T1071.001), then injected content into the LMS to mount a watering-hole attack against its users (T1189). Targeting is Japan-primary, but the transferable lesson is broad and urgent for CH/EU public-sector .NET estates: audit every ASP.NET application for shared or default machineKey values and rotate to unique, cryptographically strong per-deployment keys — there is no default-config toggle that removes the shared-key risk. Hunt for Windows Application-log Event ID 1316 (ViewState validation failure — Mandiant notes even successful exploitation generated these) on LMS-adjacent web servers, and for w3wp.exe spawning cmd.exe/powershell.exe/cscript.exe or making unexpected outbound connections (Sysmon EID 1 with a parent-image filter on w3wp.exe). Because BLUEBEAM is memory-resident with no on-disk shell file, live-memory collection on the IIS worker is the primary post-exploitation detection path.

CVE Summary Table

Google Threat Intelligence Group published a teardown of around a dozen current Chinese-language phishing-as-a-service (PhaaS) offerings — case-studied through "YY Lai Yu" (YY来鱼) — whose shared headline capability is real-time OTP relay: a live operator admin panel captures the one-time code the victim types into a spoofed page and re-submits it on the genuine portal inside its validity window, completing the login and defeating TOTP- and SMS-based MFA without a classic reverse-proxy AiTM stack (Google Threat Intelligence Group, 2026-05-25). [SINGLE-SOURCE] — GTIG primary research at time of writing. Two delivery and evasion properties make it operationally distinct: lures ride RCS and iMessage, whose end-to-end encryption blocks carrier-level SMS content filtering (T1566.002); and the kits use Puppeteer-driven AI page cloning to emit per-campaign-unique HTML/JS that frustrates signature-based phishing detection. Captured card-plus-OTP material is immediately provisioned into contactless wallet tokens for high-value transactions (T1111 MFA interception). GTIG names Europe among explicitly targeted regions (alongside the Americas, Australia and the Middle East), notes targeting across 119 countries, and links UNC5814 to the Darcula PhaaS component; the infrastructure is rented, so victimology is buyer-driven rather than fixed to the Japan-heavy template library.

Why it matters to us: any CH/EU financial institution, e-government SSO portal or public-service login that relies on TOTP or SMS as its second factor is in scope — OTP relay neutralises both. FIDO2/WebAuthn (hardware keys or synced passkeys) removes the exposure entirely because the cryptographic assertion is bound to the legitimate origin and cannot be relayed; where FIDO2 cannot yet be deployed, bind the MFA validation to the original login session (IP/device) so a relayed OTP from a different ASN fails. Detection concept: correlate the IP/ASN seen at OTP issuance against the IP/ASN that consumes it within the SSO/IdP logs — an AiTM relay shows the victim's address on the phishing page and the operator's address on the real portal; alert on OTPs consumed seconds after issuance from a different ASN, and on contactless-wallet provisioning immediately following a credential submission from an unrecognised device.

Aikido Security researcher Joe Leon published findings (2026-05-21, updated 2026-05-22) showing that deleted Google Cloud API keys continue to authenticate API requests for a median of ~16 minutes and up to ~23 minutes, measured across 10 controlled trials against Gemini, BigQuery and Maps APIs (Aikido, 2026-05-21). By contrast, Google service-account keys revoke in ~5 seconds and Gemini-specific keys in ~1 minute. The root cause is eventual consistency in GCP's IAM credential-propagation layer: deletions propagate gradually across distributed authorisation servers rather than atomically. Google first closed the report as "Won't Fix (working as intended)" before reopening it as a P0 after public disclosure (Aikido, 2026-05-21).

Why it matters to us: Key rotation/revocation is the reflexive first containment step in most cloud IR runbooks, and this breaks the assumption that it is immediate. An attacker holding a stolen key retains a usable window to exfiltrate BigQuery datasets, run Gemini inference, or query Maps billing after the defender believes the key is dead. For any CH/EU public-sector tenant on GCP, treat API-key deletion as a ~30-minute containment action: delete to start the clock, then monitor Cloud Audit Logs for post-deletion use of the key, and — for GDPR Art. 33 / Swiss DSG Art. 24 purposes — count the full post-deletion window as continued exposure when the key reached PII. Where viable, prefer service-account keys (near-instant revocation). Maps to ATT&CK T1550.001 (Application Access Token).

Google Threat Intelligence Group published on 2026-05-15 an analysis of UNC6671 — a financially-motivated extortion cluster operating under the "BlackFile" brand since February 2026 — documenting a real-time vishing + adversary-in-the-middle chain that bypasses traditional MFA and pivots to mass SharePoint exfiltration (Google Threat Intelligence Group, 2026-05-15). The chain starts with a phone call placed to a victim's personal mobile number in which an operator impersonates internal IT helpdesk and directs the target to an attacker-registered lookalike single sign-on portal (Tucows-registered hostnames in the <org>.enrollms[.]com and <org>.passkeyms[.]com namespaces); the operator captures credentials and TOTP / push approvals live and immediately registers a new attacker-controlled MFA device for persistent post-vishing access, mapping to T1556 Modify Authentication Process. Post-compromise, BlackFile uses Python requests and PowerShell scripts against the Microsoft Graph API and direct SharePoint file-stream URLs to exfiltrate, with single-victim file counts exceeding one million; the API requests surface Microsoft Office's ClientAppId (d3590ed6-52b3-4102-aeff-aad2292ab01c) in the M365 audit log AppAccessContext field — the same value legitimate Office clients carry — to blend in with normal Office activity. The detection break is the underlying user-agent: legitimate Office clients do not present python-requests/2.28.1 or WindowsPowerShell/5.1 as the user-agent header against Graph or SharePoint endpoints. GTIG also notes that the FileAccessed audit event distinguishes the bulk-API extraction pattern from interactive FileDownloaded events. Geographic focus is North America, Australia, and the UK — but the playbook is language-agnostic; any European helpdesk-fronted M365 / Okta environment is one successful call away from the same outcome. The BlackFile data-leak site went offline in late April 2026 and relaunched on 2026-05-11 with a shutdown announcement, which GTIG assesses as probable rebrand rather than cessation. GTIG explicitly distinguishes UNC6671 from ShinyHunters (UNC6240). MITRE ATT&CK additionally: T1566.004 Spearphishing Voice, T1557 Adversary-in-the-Middle, T1528 Steal Application Access Token. Detection priorities: alert on Okta system.multifactor.factor.setup events not preceded by a user-initiated session; flag M365 audit FileAccessed events with AppAccessContext.ClientAppId == d3590ed6-52b3-4102-aeff-aad2292ab01c AND a user-agent containing python-requests or PowerShell; require Conditional Access compliant-device for Graph API access from administrative accounts; and move helpdesk-privileged accounts to FIDO2 phishing-resistant MFA.

GTIG's Europe data-leak landscape analysis (published 2026-04-15, first covered 2026-05-07) is the second-tier annual reference that materially affects DACH defender posture and merits cross-week synthesis: Germany is the primary European ransomware target with SAFEPAY accounting for 25% of German data-leak-site posts (76 victims claimed in 2025), Qilin tripling operational tempo in Germany during Q3 2025 with 13 additional German victims posted by early 2026 (Die Linke this week confirms continued activity into 2026-W19), and Sarcoma actively recruiting German network access via criminal forums since November 2024. 96% of German ransomware victims are organisations with fewer than 5,000 employees — exploited both directly and as supply-chain footholds into larger enterprises and government contractors; legal and professional services rose to 14% of victims — explicitly relevant to Swiss / EU public-sector procurement officers since those firms hold client IP and M&A intelligence. GTIG attributes part of the shift to AI-enabled high-quality localisation eroding the language-barrier protection that historically benefited non-English-speaking markets (daily 2026-05-07).