ctipilot.ch

Google lawsuit vs China-based "Outsider" PhaaS weaponising Gemini to generate phishing pages

campaign · campaign:outsider-phaas-gemini-2026

Coverage timeline: 2 briefs, first 2026-06-13, last 2026-06-15
Briefs: 2 (2 distinct)
Sources cited: 113 (47 hosts)
Sections touched: 2 (research, updates)
Co-occurring entities: 8

Story timeline

  1. 2026-06-15 · CTI Daily Brief — 2026-06-15 · updates
     UPDATE. FBI 'Operation Ghost Hook' (14 Jun) seized ~1M phishing URLs/domains, core admin servers, a Shopify storefront and ~$100K USDT; agents accessed the Telegram bot to enumerate customers; folded into Operation Riptide. Criminal-enforcement half complementing Google's 13 Jun civil suit.
  2. 2026-06-13 · CTI Daily Brief — 2026-06-13 · research
     First coverage. PhaaS kit prompts Gemini for phishing-page HTML and imports it into the kit; postal/delivery/tax-authority lures (Swiss/EU smishing themes). Technique signal: LLM safety filters police the prompt, not downstream weaponisation -> higher AI-generated phishing variant churn.

Where this entity is cited

  • research (1)
  • updates (1)

Source distribution

  • attack.mitre.org: 22 (19%)
  • cloud.google.com: 12 (11%)
  • thehackernews.com: 9 (8%)
  • bleepingcomputer.com: 7 (6%)
  • securityweek.com: 5 (4%)
  • helpnetsecurity.com: 4 (4%)
  • unit42.paloaltonetworks.com: 3 (3%)
  • aikido.dev: 2 (2%)
  • other: 49 (43%)

Related entities

Items in briefs about Google lawsuit vs China-based "Outsider" PhaaS weaponising Gemini to generate phishing pages (11)

UPDATE: FBI "Operation Ghost Hook" seizes the Outsider PhaaS infrastructure Google had sued

From CTI Daily Brief — 2026-06-15 · published 2026-06-15

UPDATE (originally covered 2026-06-13): the China-based Outsider Enterprise phishing-as-a-service network — the subject of Google's 13 June civil complaint covered last brief — has now been hit on the criminal-enforcement track. On 14 June the FBI, working with Google and Lumen's Black Lotus Labs, executed "Operation Ghost Hook," seizing thousands of Outsider-registered domains (now redirecting ~1 million phishing URLs to an FBI splash page), core admin servers, a Shopify storefront and roughly $100,000 in USDT (BleepingComputer, 2026-06-14; CyberScoop, 2026-06-12).

The delta beyond Google's civil action: agents accessed an Outsider Telegram bot to enumerate the network's criminal customers, and the operation is folded into the FBI's broader "Operation Riptide" against cybercrime infrastructure. Outsider sold AI-assisted phishing kits (it weaponised Gemini and other tools to generate custom phishing-site code) for $88 per week, using fake package-delivery, toll, parking and brokerage lures across 55 countries including the United States (CyberScoop, 2026-06-12).

Defender takeaway: the domain seizure cuts active infrastructure, but Outsider-derived kits — and the prompt-to-phishing-page generation capability — are portable to fresh domains by affiliates. Continue to hunt for AI-generated package/toll/parking credential-harvest pages and brand-impersonation lures targeting staff; the takedown lowers volume, not technique.

Google sues China-based "Outsider" PhaaS network for weaponising Gemini to mass-produce phishing pages

From CTI Daily Brief — 2026-06-13 · published 2026-06-13

Google filed a federal lawsuit against the operators of "Outsider Enterprise," a phishing-as-a-service network that prompted Google's own Gemini model with innocuous-seeming HTML-generation requests and imported the output directly into its kit to stand up live scam pages (Google, 2026-06-12). The kit, sold via Telegram subscription with built-in credential capture, shipped pre-built templates impersonating financial, retail and government services — including postal, parcel-delivery and tax-authority lures that map directly onto common Swiss/EU smishing themes (The Hacker News, 2026-06-12). The operationally relevant signal is not the scale numbers in the complaint but the technique: LLM safety filters police the prompt, not the downstream weaponisation, so AI-generated phishing pages are now produced faster and with more visual variety than template-based detection assumes. Defender action: anti-phishing controls that fingerprint known kit templates should expect higher variant churn; brief citizen-facing and finance teams that postal/delivery/tax-impersonation smishing volume is rising.

CVE-2026-11645 — Google Chrome V8 out-of-bounds read/write exploited in the wild, added to CISA KEV

From CTI Daily Brief — 2026-06-10 · published 2026-06-10

Google patched CVE-2026-11645 (CVSS 8.8), an out-of-bounds read and write in the V8 engine, in Chrome 149.0.7827.103; a crafted HTML page achieves code execution inside the renderer sandbox (Chrome, 2026-06-08). The bug was exploited in the wild before patching and CISA added it to the KEV catalog on 9 June; per the Chrome advisory it affects Chromium-based browsers including Edge and Opera (Chrome, 2026-06-08). The KEV listing is the operational signal here — confirmed active exploitation of a one-click browser bug (T1189, T1203). Update Chrome/Edge/Opera to 149.0.7827.103+ across the estate.

Unit 42 catalogues cloud-logging defense-evasion across AWS CloudTrail and Google Cloud Logging — with concrete detection mappings [SINGLE-SOURCE]

From CTI Daily Brief — 2026-06-10 · published 2026-06-10

Unit 42 enumerates seven cloud-logging attack categories — five evasion, two visibility (Unit 42, 2026-06-09). Evasion techniques: stopping CloudTrail trails (StopLogging), deleting S3/GCS log destinations, removing GCP log-routing sinks, impairing customer-managed encryption keys (CMEK) so logs become unreadable, and log poisoning to mask activity with benign-looking entries; visibility techniques redirect logs to attacker accounts via cross-account delivery for long-term reconnaissance of defender detections (T1562.008, T1070, T1530). Hardening: S3 Object Lock / GCS locked-bucket immutable retention; IAM restrictions on cloudtrail:StopLogging, cloudtrail:DeleteTrail, logging.sinks.delete; alert on cloudtrail:UpdateTrail modifying KMS-key associations and on KMS key-policy changes affecting CloudTrail encryption. Log-integrity monitoring is a NIS2 incident-detection expectation, making this directly relevant to EU cloud-resident public-sector and financial workloads. [SINGLE-SOURCE] (Unit 42 primary research).

CVE-2026-10881 — Google Chrome (ANGLE graphics engine): out-of-bounds read/write enabling sandbox escape (CVSS 9.6)

From CTI Daily Brief — 2026-06-07 · published 2026-06-07

Google shipped Chrome 149 (stable 149.0.7827.53/54) on 2026-06-02, patching 429 vulnerabilities — the largest single-release count in Chrome's history, with over 100 rated critical or high (Google Chrome Releases, 2026-06-02; SecurityWeek, 2026-06-05). The highest-severity externally-reported fix is CVE-2026-10881 (CVSS 9.6), an out-of-bounds read and write in ANGLE — Chrome's graphics-translation layer that maps WebGL/GPU calls to the host graphics API — which SecurityWeek reports remote attackers could exploit to escape Chrome's sandbox via a crafted HTML page, with no interaction beyond visiting the page. The sandbox-escape class is the consequential one for enterprises: a renderer compromise chained through ANGLE yields code execution in the browser process, the launch point for subsequent host privilege-escalation chains. No in-the-wild exploitation has been reported. Chrome auto-updates, but managed and extended-stable fleets routinely lag; verify deployment has reached 149.0.7827.53+ via asset inventory or the ADMX update policy, and confirm no MDM version-pin is holding endpoints back. Maps to T1203 (Exploitation for Client Execution).

CVE Summary Table

The table consolidates the CVE-bearing items across this brief; only CVE-2026-10881 is a § 2 trending-vulnerability entry — the Keycloak and FFmpeg rows are cross-references to § 5 and § 3 respectively.

CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source
CVE-2026-10881 | Google Chrome ANGLE graphics engine | 9.6 | ~0.04 | No | No | Chrome 149.0.7827.53+ | SecurityWeek
CVE-2026-9704 | Keycloak < 26.6.3 (token exchange) | n/a | n/a | No | No | Keycloak 26.6.3 | Keycloak
CVE-2026-4874 | Keycloak < 26.6.3 (OIDC token endpoint) | n/a | n/a | No | No | Keycloak 26.6.3 | Keycloak
CVE-2026-39210 | FFmpeg (TS demuxer; +8 numbered) | n/a | n/a | No | No (PoC public) | Upstream fix commits | depthfirst

DesckVB RAT malspam launders through Google DoubleClick and blinds AMSI/ETW, with German-language lures aimed at DACH [SINGLE-SOURCE]

From CTI Daily Brief — 2026-06-04 · published 2026-06-04

Huntress documented a DesckVB RAT chain from a May 2026 IR engagement that abuses Google DoubleClick Campaign Manager click-tracking for reputation laundering: a German-named HTML attachment (Bestellung_2026.html — "order") does a zero-second meta-refresh to a high-reputation ad.doubleclick.net URL that allowlist-based mail/web filters pass transparently, then steers to a "Download PDF" landing page delivering a JavaScript loader (Huntress, 2026-06-03). The loader runs a .NET assembly via process hollowing (T1055.012) after patching AMSI and ETW at the native-API level (T1562.001) to blind Windows telemetry; persistence is set before C2 over raw TCP. German-language purchase-order lures point at DACH enterprises. Why it matters to us: the DoubleClick hop defeats domain-reputation allowlisting at the gateway — flag HTML email attachments containing meta-refresh to ad-network domains, and watch for runtime patching of AmsiScanBuffer / ETW from node/script-spawned process trees rather than relying on the redirect domain.
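One gateway-side check for the attachment pattern described above, added here as an example (not Huntress's or the brief's own code): it parses an HTML attachment for meta-refresh redirects and flags those that bounce through an ad-network click-tracking domain within a short delay. The ad-network domain list, the 5-second delay threshold and both sample attachments are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Ad-network click-tracking hosts that allowlist-based filters tend to pass.
# Constructed starting list for this example; extend from your own gateway allowlist.
AD_NETWORK_DOMAINS = {"ad.doubleclick.net", "googleadservices.com"}


class MetaRefreshFinder(HTMLParser):
    """Collect every <meta http-equiv="refresh"> target as (delay_seconds, url)."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        # content has the form "<delay>;url=<target>", optionally quoted
        m = re.match(r"\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
        if m:
            self.targets.append((int(m.group(1)), m.group(2).strip()))


def host_matches(host, domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def find_ad_network_redirects(html, max_delay=5):
    """Return meta-refresh URLs that hop through an ad-network domain within
    max_delay seconds; a non-empty result is the alert condition."""
    parser = MetaRefreshFinder()
    parser.feed(html)
    return [url for delay, url in parser.targets
            if delay <= max_delay and host_matches(urlparse(url).hostname or "", AD_NETWORK_DOMAINS)]


# Constructed sample shaped like the lure described above (not the real attachment).
SAMPLE_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="0;url=https://ad.doubleclick.net/ddm/clk/123;https://example.invalid/dl">
<title>Bestellung</title></head><body>Bitte warten...</body></html>"""

# Constructed benign case: slow refresh to an internal host, no ad-network hop.
BENIGN_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="30;url=https://intranet.example/"></head></html>"""

if __name__ == "__main__":
    print(find_ad_network_redirects(SAMPLE_ATTACHMENT))
```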

LLMShare malvertising campaign: attackers embed fake outage pages in ChatGPT share links and serve infostealer downloads via Google Ads

From CTI Daily Brief — 2026-05-30 · published 2026-05-30

Push Security documented LLMShare, a malvertising campaign in which attackers buy Google Ads targeting "ChatGPT" and "ChatGPT download" queries (Push Security, 2026-05-29; BleepingComputer, 2026-05-29). Victims clicking the ads land on legitimate chatgpt.com/s/[unique-id] share URLs that render attacker-controlled HTML — a fake high-traffic outage page with a "Download our desktop app to continue" button — directly from the OpenAI domain. Because chatgpt.com is trusted by enterprise web-filtering rules and firewalls, the landing page is not blocked. The download button redirects to an attacker-controlled domain impersonating OpenAI; the site uses cloaking (serves a benign page to scanners). Windows users receive an infostealer payload. The technique exploits the same ChatGPT Artifacts/sharing feature previously abused in the ACR Stealer campaign (covered 2026-05-26) and extends it to malvertising. Detection: monitor for browser-spawned executable downloads from chatgpt.com domains — legitimate ChatGPT desktop app downloads do not originate from that path; alert on unusual process launch from browser-extracted or browser-downloaded unsigned executables. MITRE ATT&CK: T1566.002, T1204.001, T1036, T1027.

CrowdStrike, Google and Shadowserver simultaneously sever all four C2 channels of the GlassWorm developer-targeting botnet (not to be confused with the Nx Console / TanStack GitHub-publish chain in § 5) — Russia-attributed, active since early 2025

From CTI Daily Brief — 2026-05-28 · published 2026-05-28

On 2026-05-26T14:00Z, CrowdStrike Counter Adversary Operations, Google, and the Shadowserver Foundation executed a simultaneous takedown of all four C2 channels operated by GlassWorm, a developer-targeting supply-chain campaign active since at least early 2025 (CrowdStrike Counter Adversary Operations, 2026-05-27; TechCrunch, 2026-05-27; The Hacker News, 2026-05-27). GlassWorm's C2 architecture was designed for resilience: (1) Solana blockchain — C2 server addresses encoded in transaction memo fields as an immutable public dead-drop; (2) BitTorrent DHT — GlasswormRAT queries the peer-to-peer network for configuration data stored against hardcoded public keys; (3) Google Calendar — event titles used as Base64-encoded path dead-drops; (4) traditional VPS-hosted C2 for final payload. Taking down any subset would have left the remainder operational.

The attack surface spanned VS Code Marketplace, Open VSX (reaching Forgejo/Gitea-based forks), npm, PyPI, and direct GitHub repository poisoning via stolen developer credentials — 300+ GitHub repositories poisoned across the campaign. Infected hosts were converted into covert infrastructure: SOCKS proxies, hidden VNC (HVNC) servers, and Node.js-based remote execution nodes via WebRTC. CrowdStrike attributes the operators to likely Russia-based actors on the basis of the malware's CIS-locale / language / timezone exit check.

Defender takeaway: the takedown sinkholes existing C2 but does not remediate the infected developer endpoints. Treat every workstation that installed an affected VS Code / Cursor / Windsurf extension between early 2025 and 2026-05-26 as potentially compromised; rotate every CI/CD secret, cloud credential, and GitHub PAT accessible from that host. Hunt: enumerate the org's installed VS Code extension inventory against the published OpenVSX extension allowlist; correlate with developer-endpoint outbound WebRTC connections from node.exe parents.

Google's threat-intel group maps a Chinese-language PhaaS ecosystem doing real-time OTP relay over RCS/iMessage [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-26 · published 2026-05-26

Google Threat Intelligence Group published a teardown of around a dozen current Chinese-language phishing-as-a-service (PhaaS) offerings — case-studied through "YY Lai Yu" (YY来鱼) — whose shared headline capability is real-time OTP relay: a live operator admin panel captures the one-time code the victim types into a spoofed page and re-submits it on the genuine portal inside its validity window, completing the login and defeating TOTP- and SMS-based MFA without a classic reverse-proxy AiTM stack (Google Threat Intelligence Group, 2026-05-25). [SINGLE-SOURCE] — GTIG primary research at time of writing. Two delivery and evasion properties make it operationally distinct: lures ride RCS and iMessage, whose end-to-end encryption blocks carrier-level SMS content filtering (T1566.002); and the kits use Puppeteer-driven AI page cloning to emit per-campaign-unique HTML/JS that frustrates signature-based phishing detection. Captured card-plus-OTP material is immediately provisioned into contactless wallet tokens for high-value transactions (T1111 MFA interception). GTIG names Europe among explicitly targeted regions (alongside the Americas, Australia and the Middle East), notes targeting across 119 countries, and links UNC5814 to the Darcula PhaaS component; the infrastructure is rented, so victimology is buyer-driven rather than fixed to the Japan-heavy template library.

Why it matters to us: any CH/EU financial institution, e-government SSO portal or public-service login that relies on TOTP or SMS as its second factor is in scope — OTP relay neutralises both. FIDO2/WebAuthn (hardware keys or synced passkeys) removes the exposure entirely because the cryptographic assertion is bound to the legitimate origin and cannot be relayed; where FIDO2 cannot yet be deployed, bind the MFA validation to the original login session (IP/device) so a relayed OTP from a different ASN fails. Detection concept: correlate the IP/ASN seen at OTP issuance against the IP/ASN that consumes it within the SSO/IdP logs — an AiTM relay shows the victim's address on the phishing page and the operator's address on the real portal; alert on OTPs consumed seconds after issuance from a different ASN, and on contactless-wallet provisioning immediately following a credential submission from an unrecognised device.
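The ASN-correlation detection concept above, worked through as an added example (not GTIG's code): each consumed OTP is paired with the latest issuance for the same user in the IdP log, and an alert fires when the consuming ASN differs from the issuing ASN inside a short window. The JSON log layout, field names, ASNs and sample lines are constructed assumptions, not any particular IdP's schema.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import json

# Constructed IdP log (one JSON object per line); field names are assumptions.
# alice: code consumed 14 s later from another ASN      -> relay alert
# bob:   code consumed from the issuing ASN              -> normal login
# carol: stale code replayed 4 min later, already expired -> outside window
SAMPLE_LOG = """
{"ts": "2026-05-25T09:12:00Z", "event": "otp_issued", "user": "alice", "ip": "203.0.113.10", "asn": 3303}
{"ts": "2026-05-25T09:12:14Z", "event": "otp_consumed", "user": "alice", "ip": "198.51.100.7", "asn": 64496, "result": "success"}
{"ts": "2026-05-25T09:30:00Z", "event": "otp_issued", "user": "bob", "ip": "203.0.113.20", "asn": 3303}
{"ts": "2026-05-25T09:30:25Z", "event": "otp_consumed", "user": "bob", "ip": "203.0.113.20", "asn": 3303, "result": "success"}
{"ts": "2026-05-25T10:00:00Z", "event": "otp_issued", "user": "carol", "ip": "203.0.113.30", "asn": 3303}
{"ts": "2026-05-25T10:04:00Z", "event": "otp_consumed", "user": "carol", "ip": "198.51.100.9", "asn": 64496, "result": "failure"}
""".strip()


@dataclass
class RelayAlert:
    user: str
    issue_ip: str
    consume_ip: str
    seconds: float
    result: str


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_otp_relay(log_text, max_seconds=90):
    """Pair each otp_consumed with the most recent otp_issued for the same user and
    alert when the consuming ASN differs from the issuing ASN within max_seconds:
    the victim typed the code on the lure, the operator replayed it on the real portal.
    Failed attempts inside the window are reported too; a failed relay is still a signal."""
    last_issue = {}  # user -> most recent issuance event (log assumed chronological)
    alerts = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        if ev["event"] == "otp_issued":
            last_issue[ev["user"]] = ev
        elif ev["event"] == "otp_consumed":
            issued = last_issue.get(ev["user"])
            if issued is None:
                continue
            gap = (parse_ts(ev["ts"]) - parse_ts(issued["ts"])).total_seconds()
            if ev["asn"] != issued["asn"] and 0 <= gap <= max_seconds:
                alerts.append(RelayAlert(ev["user"], issued["ip"], ev["ip"], gap, ev["result"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_otp_relay(SAMPLE_LOG):
        print(alert)
```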

Deleted Google Cloud API keys keep authenticating for up to 23 minutes

From CTI Daily Brief — 2026-05-24 · published 2026-05-24

Aikido Security researcher Joe Leon published findings (2026-05-21, updated 2026-05-22) showing that deleted Google Cloud API keys continue to authenticate API requests for a median of ~16 minutes and up to ~23 minutes, measured across 10 controlled trials against Gemini, BigQuery and Maps APIs (Aikido, 2026-05-21). By contrast, Google service-account keys revoke in ~5 seconds and Gemini-specific keys in ~1 minute. The root cause is eventual consistency in GCP's IAM credential-propagation layer: deletions propagate gradually across distributed authorisation servers rather than atomically. Google first closed the report as "Won't Fix (working as intended)" before reopening it as a P0 after public disclosure (Aikido, 2026-05-21).

Why it matters to us: Key rotation/revocation is the reflexive first containment step in most cloud IR runbooks, and this breaks the assumption that it is immediate. An attacker holding a stolen key retains a usable window to exfiltrate BigQuery datasets, run Gemini inference, or query Maps billing after the defender believes the key is dead. For any CH/EU public-sector tenant on GCP, treat API-key deletion as a ~30-minute containment action: delete to start the clock, then monitor Cloud Audit Logs for post-deletion use of the key, and — for GDPR Art. 33 / Swiss DSG Art. 24 purposes — count the full post-deletion window as continued exposure when the key reached PII. Where viable, prefer service-account keys (near-instant revocation). Maps to ATT&CK T1550.001 (Application Access Token).
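The post-deletion monitoring step above, as an added example that is neither Aikido's nor Google's code: it scans audit-log entries for requests that still authenticated with a key after its delete event and reports where the 30-minute containment clock stands. The flattened entry schema, key ids, caller IPs and method-name strings are constructed assumptions (real Cloud Audit Logs nest these fields under protoPayload).

```python
from datetime import datetime, timedelta, timezone
import json

CONTAINMENT_WINDOW = timedelta(minutes=30)  # runbook figure from the item above

# Constructed, flattened audit-log entries in chronological order (assumed schema).
# Key ids and IPs are placeholders; method names are illustrative only.
SAMPLE_ENTRIES = """
{"timestamp": "2026-05-21T10:00:00Z", "method": "google.api.apikeys.v2.ApiKeys.DeleteKey", "key_id": "KEY-PLACEHOLDER-1", "principal": "admin@example.invalid"}
{"timestamp": "2026-05-21T10:03:12Z", "method": "google.cloud.bigquery.v2.JobService.Query", "key_id": "KEY-PLACEHOLDER-1", "caller_ip": "198.51.100.23"}
{"timestamp": "2026-05-21T10:15:40Z", "method": "google.ai.generativelanguage.v1.GenerativeService.GenerateContent", "key_id": "KEY-PLACEHOLDER-1", "caller_ip": "198.51.100.23"}
{"timestamp": "2026-05-21T10:40:00Z", "method": "google.cloud.bigquery.v2.JobService.Query", "key_id": "KEY-PLACEHOLDER-2", "caller_ip": "203.0.113.5"}
""".strip()


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def post_deletion_uses(entries_text, key_id):
    """Return (deleted_at, uses): when key_id was deleted (None if never) and every
    later request that still authenticated with it, with its offset in minutes."""
    deleted_at, uses = None, []
    for line in entries_text.splitlines():
        e = json.loads(line)
        if e.get("key_id") != key_id:
            continue
        t = parse_ts(e["timestamp"])
        if e["method"].endswith(".DeleteKey"):
            deleted_at = t
        elif deleted_at is not None and t > deleted_at:
            uses.append({"ts": t, "method": e["method"], "caller_ip": e.get("caller_ip"),
                         "minutes_after": round((t - deleted_at).total_seconds() / 60, 1)})
    return deleted_at, uses


def containment_status(entries_text, key_id, now):
    """Where the containment clock stands at `now`: deletion only starts it, and
    exposure runs at least to the end of the window and past any later observed use."""
    deleted_at, uses = post_deletion_uses(entries_text, key_id)
    if deleted_at is None:
        return None  # no deletion event for this key, nothing to track yet
    clock_end = deleted_at + CONTAINMENT_WINDOW
    last_use = uses[-1]["ts"] if uses else None
    return {
        "deleted_at": deleted_at,
        "clock_end": clock_end,
        "still_running": now < clock_end,
        "post_deletion_uses": len(uses),
        "exposure_end": max(clock_end, last_use) if last_use else clock_end,
    }


if __name__ == "__main__":
    print(containment_status(SAMPLE_ENTRIES, "KEY-PLACEHOLDER-1", parse_ts("2026-05-21T10:20:00Z")))
```

Feed it the real log export for the deleted key; any entry in `post_deletion_uses` after the clock ends means the key is still propagating and the window has to be extended.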

Google Threat Intelligence Group — Europe data-leak landscape 2025

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

GTIG's Europe data-leak landscape analysis (published 2026-04-15, first covered 2026-05-07) is the second-tier annual reference that materially affects DACH defender posture and merits cross-week synthesis: Germany is the primary European ransomware target with SAFEPAY accounting for 25% of German data-leak-site posts (76 victims claimed in 2025), Qilin tripling operational tempo in Germany during Q3 2025 with 13 additional German victims posted by early 2026 (Die Linke this week confirms continued activity into 2026-W19), and Sarcoma actively recruiting German network access via criminal forums since November 2024. 96% of German ransomware victims are organisations with fewer than 5,000 employees — exploited both directly and as supply-chain footholds into larger enterprises and government contractors; legal and professional services rose to 14% of victims — explicitly relevant to Swiss / EU public-sector procurement officers since those firms hold client IP and M&A intelligence. GTIG attributes part of the shift to AI-enabled high-quality localisation eroding the language-barrier protection that historically benefited non-English-speaking markets (daily 2026-05-07).