Skip to content

Google Translate

Description

Google Translate is a widely used legitimate web service for translating text and web pages.
Attackers can abuse Google Translate as a proxy tunneling mechanism by leveraging the URL parameter u= to access external web content indirectly, bypassing network restrictions and filtering.

Technique

  • Use the URL pattern:
    https://translate.google.com/translate?u=<target_url>
  • This makes Google Translate fetch the target URL and render its content inside Google’s domain.
  • Traffic appears as requests to translate.google.com, which is often whitelisted in corporate environments.

Examples of abuse

  • Exfiltrating data through crafted URLs.
  • Command and Control (C2) communication by tunneling requests through Google Translate.
  • Bypassing firewalls or web filters by hiding malicious requests behind Google Translate traffic.

Detection and Mitigation

Indicators

  • Monitor your infrastructure for high frequency of requests to https://translate.google.com

References