Skip to main content
Mallory
Back to threat actors
🇨🇳 CN

Outsider Enterprise

Also known asoutsider_enterprise

Outsider Enterprise is an alleged China-based cybercrime network that Google says operates on Telegram and supplies phishing tools and infrastructure to other fraudsters. According to the provided reporting, Google sued the group, alleging it used AI tools, including Gemini, to help generate code for phishing websites and related scam infrastructure and to accelerate phishing content creation at scale. Google linked the operation to more than 9,000 fake or fraudulent websites and more than 1 million fraudulent or malicious URLs, and said it was associated with millions of scam text messages, including roughly 2.5 million messages sent during a two-week period in May. Android users reportedly flagged 55,000 spam texts tied to the operation in that same period. The phishing kits supported large-scale smishing campaigns and fake websites designed to steal passwords, login credentials, payment card data, and other sensitive information. Reported lures included fake package delivery alerts, banking notifications, and account security warnings, and the campaigns impersonated technology companies, mobile carriers, financial institutions, package delivery services, Google, and other trusted brands. Google said the operation affected hundreds of thousands of victims and caused losses in the millions of dollars. No additional aliases or sub-groups are identified in the provided content.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Banks
  • Financial Services
  • Government & Administration
  • Transportation
  • Software & Services

Where they target

Geographies tied to known operations.

  • 🇺🇸 United States

Where they're from

Attributed origin per open-source reporting.

  • CN
MITRE ATT&CK

Tradecraft

8 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

7 of 15 tactics9 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
1 technique
T1598
Phishing for Information
TA0042
Resource Development
1 technique
T1583
Acquire Infrastructure
TA0001
Initial Access
1 technique
T1566×3
Phishing
T1566.002
Spearphishing Link
T1566.003×3
Spearphishing via Service
TA0002
Execution
1 technique
T1059
Command and Scripting Interpreter
TA0005
Stealth
1 technique
T1036×2
Masquerading
TA0006
Credential Access
1 technique
T1056×2
Input Capture
TA0009
Collection
1 technique
T1056×2
Input Capture
ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
cyber security newsNews
Jun 12, 2026
Google Sues Chinese Cybercrime Network for Using Gemini AI to Launch Cyberattacks

Operates a phishing-as-a-service platform that distributes phishing kits and prebuilt scam templates to affiliates, enabling large-scale phishing and smishing campaigns. The group abused Google Gemini to generate custom phishing website code and scaled fraud targeting U.S. consumers and trusted brands.

Read more
register securityNews
Jun 12, 2026
Google fires sueball at alleged Chinese phishers over AI-powered fraud ops

A China-based cybercrime operation allegedly operating on Telegram, distributing phishing kits to other fraudsters, impersonating trusted brands including Google, and running large-scale SMS phishing campaigns that direct victims to fraudulent websites to steal credentials, payment card data, and other sensitive information.

Read more
help net securityNews
Jun 12, 2026
Google sues China-based scammers over Gemini AI abuse - Help Net Security

China-based cybercrime network operating phishing and scam infrastructure at scale, including fake websites, fraudulent URLs, spam text campaigns, and phishing kits distributed via Telegram. The group used Gemini to help generate code for phishing websites and supported campaigns impersonating technology companies, mobile carriers, financial institutions, and package delivery services.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping8

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.