A few days ago, I published a blog analyzing a phishing campaign abusing Google Cloud infrastructure: Analysis of an Integrated Phishing Campaign Utilizing Google Cloud Infrastructure While continuing to monitor the infrastructure used in that campaign, I discovered several additional URLs hosted on Google Cloud Storage (storage[.]googleapis[.]com) that appear to be part of the same ecosystem. These pages act as intermediate redirectors, sending victims to a wide variety of phishing and scam sites hosted primarily on the .autos TLD. What is interesting is that a single Google Cloud Storage page appears to function as a central redirect hub, distributing victims across multiple scam themes such as fake surveys, reward scams, antivirus alerts, job offers, and account storage warnings. Newly Observed Google Cloud Storage URLs The following URLs were identified during the investigation: storage[.]googleapis[.]com/whilewait/successcomes.html storage[.]googleapis[.]com/sndrr/strow.html storage[.]googleapis[.]com/noonchi/noon.html storage[.]googleapis[.]com/sndrr/hmd.html storage[.]googleapis[.]com/wetaobao/taobao.html storage[.]googleapis[.]com/savelinge/goforward.html storage[.]googleapis[.]com/lithesome/stepupnow.html One particular page stood out during analysis: This page appears to function as a traffic distribution page, redirecting visitors to multiple phishing sites depending on campaign configuration. storage[.]googleapis[.]com/whilewait/successcomes.html I also shared an earlier observation on X (Twitter): 18 more phishing emails in just two days. 🔗 Sample URLs: storage[.]googleapis[.]com/whilewait/successcomes.html storage[.]googleapis[.]com/sndrr/strow.html storage[.]googleapis[.]com/noonchi/noon.html storage[.]googleapis[.]com/sndrr/hmd.html… https://t.co/Wsh5ahUiTu pic.twitter.com/5TuRjWogxt — Anurag (@Malwarehunterr) February 27, 2026 Traffic Redirection to .autos Phishing Domains The redirector page was observed sending users to various phishing domains, most of which are hosted under the .autos top-level domain. These phishing sites are themed around different scams designed to lure victims into providing personal or financial information. Below are the different campaign themes identified. Netflix Reward Phishing Pages Some pages impersonate Netflix reward programs, claiming users have won prizes or special promotions. Domains involved: digital-shift-us-bin[.]autos searchonboardloadingrock[.]autos mailanalyticsvolseries[.]autos verifieddreamseriesultimate[.]autos goldavgpenb[.]autos alt-dig-gold-tab[.]autos bio-easy-pe-loading[.]autos analytics-mail-post-quite[.]autos favouritebiochoicelife[.]autos Additional domains were also shared by an X user @skocherhan quoting my earlier post: #phishing golddreamflyrock[.]autos yeahf2fprtctrl[.]autos smartdreambio[.]autos kolloadingshiftanalytics[.]autos analyticsprt[.]autos voldel[.]autos onboardnatf2fdirect[.]autos tipsonboardvolnbllc[.]autos moviefiz[.]autos d3b7b967ea[.]treadwear[.]autos movies-4u[.]autos… https://t.co/LcgfefVofd — ܛܔܔܔܛܔܛܔܛ (@skocherhan) March 12, 2026 Additional domains observed: goldavgpenb[.]autos alt-dig-gold-tab[.]autos bio-easy-pe-loading[.]autos analytics-mail-post-quite[.]autos favouritebiochoicelife[.]autos These pages typically present users with messages claiming they have been selected for a Netflix reward or promotional giveaway, encouraging them to complete a short survey to claim their prize. Like the other scams in this campaign, the pages ultimately attempt to collect personal or payment information, often under the pretext of paying a small shipping fee or verifying eligibility. Fake Dell Laptop Giveaway Survey Another variation promotes a Dell laptop giveaway, typically claiming that users can win a Dell 16 DC16250 laptop worth $699.99. Domains hosting these pages include: avgeasyposttips[.]autos searchonboardloadingrock[.]autos alt-dig-gold-tab[.]autos gold-avg-pe-nb[.]autos tra4fficjumpchoiceclever[.]autos digprtdreamavg[.]autos shifttra4fficcapsmatch[.]autos digitalshiftusbin[.]autos spacevertabnb[.]autos rot-digital-fly-f2f[.]autos These pages typically: Ask the victim to answer a few survey questions. Display a congratulatory message. Request credit card details to pay for shipping fees. Fake “AI Data Assistant – Earn $500/day” Job Lure Another theme used in this campaign promotes a fake online job opportunity, claiming users can earn $500 per day as an AI data assistant. Observed domains: verifieddreamseriesultimate[.]autos pushbuttonsystem[.]net lifeverifiedfavouritever[.]autos mailanalyticsvolseries[.]autos spacevertabnb[.]autos These pages typically claim: No experience required High daily earnings Work from home opportunities Users are often redirected through several steps designed to collect personal information or push affiliate offers. “Antivirus Subscription Expired” Phishing Pages Another set of pages impersonates security alerts, claiming the user’s antivirus subscription has expired. Domains observ...