GTFire is a threat actor that leverages Google Firebase for hosting phishing pages and Google Translate to disguise malicious URLs, effectively bypassing security filters. The campaign employs a multi-step redirect chain to obscure the final phishing destination and utilizes All-in-1 PHP phishing scripts for rapid deployment and credential harvesting. Credentials are exfiltrated via URL parameters in a standard HTTP GET request, with minimal operational overhead.