1. Home
  2. โฏ
  3. Companies
  4. โฏ
  5. Gmail
Gmail

Gmail status: access issues and outage reports

No problems detected

If you are having issues, please submit a report below.

Full Outage Map

Gmail is a free, advertising-supported email service developed by Google. Users can access Gmail on the web and through the mobile apps for Android and iOS, as well as through third-party programs that synchronize email content through POP or IMAP protocols.

Problems in the last 24 hours

The graph below depicts the number of Gmail reports received over the last 24 hours by time of day. When the number of reports exceeds the baseline, represented by the red line, an outage is determined.

At the moment, we haven't detected any problems at Gmail. Are you experiencing issues or an outage? Leave a message in the comments section!

Most Reported Problems

The following are the most recent problems reported by Gmail users through our website.

  • 37% Errors (37%)
  • 35% Website Down (35%)
  • 28% Sign in (28%)

Live Outage Map

The most recent Gmail outage reports came from the following cities:

CityProblem TypeReport Time
Donzรจre Sign in 4 hours ago
Bergerac Sign in 6 hours ago
Saint-Macaire-en-Mauges Website Down 21 hours ago
Paris Errors 23 hours ago
Paris Website Down 1 day ago
Marseille Website Down 1 day ago
Full Outage Map

Community Discussion

Tips? Frustrations? Share them here. Useful comments include a description of the problem, city and postal code.

Beware of "support numbers" or "recovery" accounts that might be posted below. Make sure to report and downvote those comments. Avoid posting your personal information.

Gmail Issues Reports

Latest outage, problems and issue reports in social media:

  • BunnyWhole_
    BunnyWhole (@BunnyWhole_) reported

    @TeamYouTube please help. A hacker stole my Gmail account adding themselves as a family manager. They set my account to under 13 years of age. No account recovery can fix this because of their hacking. You are literally the only thing that can save my Gmail and my YouTube.

  • julisingh5045
    Julie kelly (@julisingh5045) reported

    Hi @telegram my telegram account get hacked by someone and now he put on Gmail on it and I'm not able to login my account please me

  • RichContartesi
    Richie Contartesi (@RichContartesi) reported

    Stop using recruiting software to email coaches. It lands in junk. They never open it. Send from a real Gmail account. That is the entire fix.

  • reddvellvetcake
    azuree (@reddvellvetcake) reported

    how many accounts do i haveee twitter: 5+ discord: 2 (3 technically but i lost the login) insta: 2 main ones facebook: 0 snapchat: 0 tiktok: 3 twitch: 0? steam: 1 youtube: 4 spotify: 1 pinterest: 2 reddit: 1 gmail: a Lot telegram: 1

  • mellotradez
    mello (@mellotradez) reported

    @asaingainz I just tried it with a blank account and created a gmail to make sure. First I got email, in this image, clicked join discord server then it loaded the page on the right then I click that on the top and it took me to discord and said invite accept. Please let me know if it worked. I just had someone else try and it worked for them as well. Iโ€™m not sure if something maybe didnโ€™t go right. Let me check to see if it shows any alerts in my Linktree notifications of granted access

  • iamtrueal
    Tural ๐ŸŒฑ keep growing (@iamtrueal) reported

    one thing i learned building a chrome extension for X that applies to any tool you build for a single page app, notion, linear, gmail, X, they all work the same way under the hood... when you navigate inside these apps, the page never actually reloads. it just swaps content in and out of the same html elements. so if your extension marks something like tags an element, or whatever, and you don't explicitly clean that mark up when the user navigates away. it can silently stick around and reapply itself on a completely different page later. took us a while to catch this with Claude Code, bc it only showed up in one specific case, where something i'd filtered out on the main feed stayed hidden even after i navigated to a page where it should've been visible again. the fix wasn't complicated, where every time your extension's mode turns off, explicitly clear every mark you made. don't just remove the trigger and assume the effects go with it. if you're building anything for a modern web app: state doesn't die when you think it does. clean up after yourself.

  • Nick_Kramer91
    Nick Kramer (@Nick_Kramer91) reported

    A few years ago I built a small tool because I kept losing work inside Gmail: follow-ups, client notes, tiny tasks, project updates. All the things that sit between email threads, docs, spreadsheets, and memory. At first it was just for me. Then friends tried it, and after sometime a few teams. That was when the small details became harder to ignore. People adopt a tool because it fits the way they already work. Not becasue the demo is clever. I see the same thing with AI tools now. A prototype can look great in a demo, but Monday still starts in Gmail, spreadsheets, Slack, docs, calls, and half-finished notes. If the tool does not fit there, it becomes one more place people have to remember. For me, this started with a small task board inside Gmail. The same lesson applies to AI copilots, CRM updates, document workflows, and internal automation. Adoption usually comes down to something very ordinary: Does the tool understand the real work well enough that people keep using it after the demo?

  • degenpiz
    DEGENPIZ (@degenpiz) reported

    Most builders still believe you need code to create real AI agents. One tool inside Claude proves otherwise. Open Projects and paste a system prompt. It runs five steps automatically: research the latest credible sources, select the strongest angle, build a detailed outline with 7 sections and 21 key points, write a full 2,000-3,000 word article, then review quality and fix weaknesses. A simple request now delivers a polished piece in minutes. Point the file agent at any folder of PDFs โ€” contracts, reports, research papers. It reads every document, extracts five-bullet summaries, pulls the three key actions, and compiles one master file sorted by date. Schedule the morning agent for 7:00 AM. It scans Gmail since 5 PM yesterday, sorts emails into action required, FYI only, or ignore, drafts replies for urgent items, checks your calendar, notes attendees, and saves a complete briefing on your desktop. You wake up to everything already organized. No coding required. Just clear workflows that execute relentlessly. This is how smart operators use AI agents today.

  • MusungaMas57652
    Musunga Mashinkila (@MusungaMas57652) reported

    @LankyObserver Is he registered with ZIEA? The spelling errors by "lawyer" Gmail email, he is should just agree settlements with aggrieved parties and move on.

  • james_abdo32494
    James Abdo (@james_abdo32494) reported

    @Putrabrilian_ @TeamYouTube Dude don't have your channels on the same gmail account. If you can don't even have them on the same adsense, one goes down it shadow bans the other with it or worse, a related channel claim like in ur case... Always separate channels.

  • davidihuang
    David Huang ๐Ÿ‘ป๐Ÿ–‹๏ธ๐Ÿšข (@davidihuang) reported

    I spend 60 to 90 minutes every day reading and responding to emails. One complex email can take a whole hour: This is why I am building an Email Concierge agent. AI personalizes each response while I focus on observing classes and coaching teachers. School leaders do not think about delegating their inbox because decision-making has become so automatic in their brain. They cannot imagine anyone else handling it. The problem is that school leaders have much better things to do than answer emails all day, and they should not be tied down to their inbox. ~ Responding to an email for a school leader is not a 1-step process. It is actually an 8-step process. โ€ข Locate the email โ€ข Read the email โ€ข Locate the context of the email: is it from a meeting, which department, what is the ask, who needs to be involved โ€ข Research source documents: student handbook, employee handbook, tech sheets, FAQs โ€ข Recommend a response โ€ข Draft the first response โ€ข Place the draft in Gmail drafts โ€ข Optional: update project pages School leaders who rely on memory do this fast. They also become the bottleneck for their whole team. ~ Here are 3 examples of AI agents leveraging 3 different skills in this sequence: Context locator: The AI agent learns to locate context first. Where did this email come from? What department? What is the ask? Who needs to be looped in? Research Assistant: Then it searches source documents. Handbooks, FAQs, hundreds of reference sheets. The information is already there. The leader just should not have to be the one digging for it every time. Q&A Generator: It uses a Q&A skill trained on past responses to mimic the leader's thought process, priorities, and decision-making framework, and then proposes a first response. Each skill is built on the leader's experience and the information on the organization ~ In the beginning, human checkpoints are installed after each step. After several iterations and quality control, I slowly remove the human elements, allowing the agent to take on more and more steps on its own. Until the last step. I check every draft response, and I click send. A school leader is responsible for every email sent from their email address. ~ It took me a whole week to build all the skills, related documents, nd the AI agent to use the skill. And it is already paying dividends. The same complicated emails that would take me 45-60 minutes now take 5-10 minutes. โ€ข I don't go dig through previous emails โ€ข AI assistant locates the exact page on the handbook โ€ข Previously, Q&A responses are pulled directly from the library. ~ And this is only the beginning of what a personal AI agent can do. Follow me if you want more step-by-step guides to multiply your impact.

  • dwepost
    DWE Post (@dwepost) reported

    Google services are not making any effort to solve the problem. They keep saying, โ€œSend us a DM,โ€ but itโ€™s extremely difficult to reach them. @gmail @Google

  • emmaxtob
    Emmanuel Oluwatudimu (@emmaxtob) reported

    Locked out of my Azure Startup account due to a portal identity error (AADSTS16000) from from a restricted LinkedIn login. My organization has a grant expiring on July 22, but the subscription is marked canceled. Please DM to help me link it directly to my Gmail! @AzureSupport

  • web3_antivirus
    Web3 Antivirus (@web3_antivirus) reported

    Opera GX had a flaw that let a malicious website silently install a GX mod and use it to pull data from pages a victim visited. In a proof of concept, a Gmail address was reconstructed from one visit with no click/approval from the user. Opera has patched the issue and says it found no evidence of exploitation in the wild. Keep your browser updated and treat unexpected add-ons as a warning sign and remember that small browser features can become real attack surfaces.

  • Abuh_abel
    Ehmer ๐Ÿ“Š (@Abuh_abel) reported

    So, contrary to this. If you don't have the patience to wait for your adsense to be approved yet again after following this steps. Then, get an already approved adsense (if you have or buy). Right on YouTube earnings page, click on *Change Association*, choose you already have adsense. Then it will request you sign in to the Gmail with adsense in in it. Link it and instantly your step 2 will be approved. Had it sorted out for my guy.

  • uncover_ai
    Uncover AI (@uncover_ai) reported

    3. Break the job into steps. Your email agent needs to: 1. Open Gmail 2. Find new emails 3. Read each email 4. Decide what matters 5. Summarize the important ones 6. Suggest replies Thatโ€™s all an agent is, a task broken into stepsโ†“

  • virgojyoti02
    Jyoti (@virgojyoti02) reported

    Once your gmail decides that your storage is fix then there is no going back.

  • LEIGHT5
    Leights JL (@LEIGHT5) reported

    @athyuttamre @nicdunz Should it be able to use apps like Gmail? As not working for me

  • dwepost
    DWE Post (@dwepost) reported

    For the past 2 months, I havenโ€™t been able to reach any Google service. My problem has gotten worse, everything has been hacked, and the recovery forms donโ€™t work. Itโ€™s really a shame. #google #gmail #googleai @googleaccount @sundarpichai @TeamYouTube

  • Satydev_S_Negi
    ๐’๐š๐ญ๐ฒ๐๐ž๐ฏ ๐’๐ข๐ง๐ ๐ก ๐๐ž๐ ๐ข (@Satydev_S_Negi) reported

    @PsudoMike Still Gmail is not working my play store not working

  • milan_milanovic
    Dr Milan Milanoviฤ‡ (@milan_milanovic) reported

    ๐—›๐—ผ๐˜„ ๐—ฑ๐—ผ๐—ฒ๐˜€ ๐—ฒ๐—บ๐—ฎ๐—ถ๐—น ๐—ฎ๐—ฐ๐˜๐˜‚๐—ฎ๐—น๐—น๐˜† ๐˜„๐—ผ๐—ฟ๐—ธ? We hit send and the message arrives. Underneath that is a system with no built-in authentication and optional encryption, which is held together by 50 years of patches. Around 376 billion emails move every day, and close to half are spam. Here is the path each mail takes: ๐Ÿญ. ๐—ฌ๐—ผ๐˜‚๐—ฟ ๐—บ๐—ฎ๐—ถ๐—น ๐—ฐ๐—น๐—ถ๐—ฒ๐—ป๐˜ ๐—ป๐—ฒ๐˜ƒ๐—ฒ๐—ฟ ๐—ฎ๐—ฐ๐˜๐˜‚๐—ฎ๐—น๐—น๐˜† ๐˜€๐—ฒ๐—ป๐—ฑ๐˜€ When we hit send, the client submits the message to a server on port 587, which checks our login, stamps a message-ID, and passes it on. ๐Ÿฎ. ๐—˜๐—บ๐—ฎ๐—ถ๐—น ๐—ถ๐˜€ ๐—ป๐—ผ๐˜ ๐—ฟ๐—ฒ๐—ฎ๐—น-๐˜๐—ถ๐—บ๐—ฒ It is store-and-forward. If the receiving server is down, the message waits in a queue and retries on a back-off schedule: 5 minutes, 30 minutes, then hours, up to four or five days. Instant delivery just means the queue cleared fast. ๐Ÿฏ. ๐—ง๐—ต๐—ฒ ๐˜€๐—ฒ๐—ป๐—ฑ๐—ฒ๐—ฟ ๐˜†๐—ผ๐˜‚ ๐˜€๐—ฒ๐—ฒ ๐—ถ๐˜€ ๐—ป๐—ผ๐˜ ๐˜๐—ต๐—ฒ ๐˜€๐—ฒ๐—ป๐—ฑ๐—ฒ๐—ฟ ๐˜๐—ต๐—ฎ๐˜ ๐—ฟ๐—ผ๐˜‚๐˜๐—ฒ๐—ฑ ๐˜๐—ต๐—ฒ ๐—บ๐—ฎ๐—ถ๐—น SMTP carries two "from" values. The envelope (MAIL FROM) routes the message between servers, while the header (From:) is the one we read. SMTP never checks that they match, and that gap is why phishing works. ๐Ÿฐ. ๐—”๐˜‚๐˜๐—ต๐—ฒ๐—ป๐˜๐—ถ๐—ฐ๐—ฎ๐˜๐—ถ๐—ผ๐—ป ๐—ถ๐˜€ ๐˜๐—ต๐—ฟ๐—ฒ๐—ฒ ๐˜€๐˜†๐˜€๐˜๐—ฒ๐—บ๐˜€ ๐—ฎ๐—ฑ๐—ฑ๐—ฒ๐—ฑ ๐—น๐—ฎ๐˜๐—ฒ๐—ฟ SMTP shipped with no way to prove who sent a message. So the industry added SPF (a list of authorized IPs), then DKIM (a cryptographic signature) to cover SPF's gaps, then DMARC to make the visible From: match one of them. Three DNS setups, all easy to misconfigure. ๐Ÿฑ. ๐—˜๐—ป๐—ฐ๐—ฟ๐˜†๐—ฝ๐˜๐—ถ๐—ผ๐—ป ๐—ถ๐˜€ ๐—ผ๐—ฝ๐˜๐—ถ๐—ผ๐—ป๐—ฎ๐—น Email uses opportunistic TLS. The sending server asks if the receiver supports STARTTLS, encrypts if yes, and falls back to plain text if no. For Gmail or Outlook client connections it is effectively mandatory, but server to server it stays optional. TLS also protects the connection, not the content, so the servers read everything. ๐Ÿฒ. ๐—ง๐—ต๐—ฒ ๐˜„๐—ผ๐—ฟ๐˜€๐˜ ๐—ผ๐˜‚๐˜๐—ฐ๐—ผ๐—บ๐—ฒ ๐—ถ๐˜€ ๐˜๐—ต๐—ฒ ๐˜€๐—ถ๐—น๐—ฒ๐—ป๐˜ ๐—ผ๐—ป๐—ฒ A delivered message lands in the inbox, bounces with a 5xx error the sender sees, or gets moved to spam with no notice to anyone. RFC 5321 permits that last one. Email was built in the 1970s for a small network of researchers who trusted each other. Nobody planned for banking or phishing. Billions of messages still arrive correctly every day on top of all of it.

  • ips_yashasvi
    IPS Yashasvi Singh Fans Club (@ips_yashasvi) reported

    If Your Gmail Isn't Secure, Your Bank Account Could Be at Risk. Your Gmail is connected to your banking apps, UPI accounts, social media, shopping websites and many other online services. If cyber criminals gain access to your Gmail, they may be able to reset passwords, intercept important emails and take control of other accounts linked to it. That's why securing your Gmail is one of the most important steps in protecting your digital life. Use a strong, unique password, enable Two-Factor Authentication (2FA), keep your recovery email and phone number updated, and review your login activity regularly. Your Gmail is more than an email account. It's the key to your digital identity. Protect it before someone else does.

  • Lemon6720391272
    ๐˜ฏ๐˜บ๐˜ฐ๐˜ฏ โ€ข * ๏ฝฅ๏พŸโœง (2/22kg) (@Lemon6720391272) reported

    this but i have low storage on everything and my phones shutting down twitter-2 discord-1 instagram-0 facebook-1 snapchat-1 tiktok-3(that i use) steam-0 youtube-1 spotify-1 pinterest-1 reddit-0 gmail-9+ telegram-0

  • mailclaw__io
    Mailclaw.io (@mailclaw__io) reported

    Notion Mail is shutting down. Your workflow doesnโ€™t have to. Mailclaw connects your Gmail with Notion no inbox migration, no setup headaches. Emails automatically become Notion database items: tasks, tickets, or whatever your workflow needs. You can also handle emails right from text messages: reply, snooze, archive without opening your inbox. Not another inbox. An email agent that turns your inbox into actions. Welcome to Mailclaw๐Ÿ™Œ

  • 0xRegressor
    Shanmukh (@0xRegressor) reported

    how many accounts do you have? i have : twitter : 2 discord : 2 facebook :10+ ig i dont use it anymre snapchat : 1 tiktok : 1(banned) twitch : 1 youtube : 5 spotify : 2 pinterest : 1 reddit : 1 gmail : might get in trouble if i say it instagram : 5 telegram : 1

  • bnbcaptain
    Captain X ๐Ÿ”ธ (@bnbcaptain) reported

    @RamXBT @milianstx You are talking this but Your Own Avici infrastructure needs an upgrade . How i Lost Funds on AVICI : - I lost my web3auth MFA on 2023 when avici not even born - avici later force everyone to connect gmail and i did - integrated web3auth MFA login - now i canโ€™t access to avici account No devices changes , however the avici login required mfa verification of web3auth - still i have acess to avici web portal but it required mobile to sing tx - there is no way to transfer my funds either - ended up with losing funds for such conflicting integration

  • gothburz
    Peter Girnus ๐Ÿฆ… (@gothburz) reported

    I am the legal-drafting officer at the Council of the European Union responsible for the interinstitutional file that reappears the week of July 6 under the urgency procedure. I have held the same brief for years. The word is voluntary. I have kept it in the text through every revision, every trilogue, every summer recess, and I would like to explain what it does, because I am proud of it, and pride is permitted when the work is good. Regulation (EU) 2021/1232 is a derogation. That is the first thing to admire about it. A derogation excuses rather than commands. The ePrivacy Directive made it unlawful for a provider to read the private correspondence of a person against whom nothing is alleged. We did not repeal that protection. Repealing looks like something. We suspended it, temporarily, for a narrow and blessed purpose, and a suspension of a prohibition is a very quiet thing. What was forbidden becomes permitted. The provider who was once a trespasser becomes a volunteer. Understand the elegance, because it took me a long time to draft it and longer to keep it. We did not order the scanning. Ordering the scanning would have required a detection order, and a detection order would have required an authority to issue it, and an authority to issue it would have required a judge, and a judge would have required a reason, and a reason is the one thing I have spent my career keeping out of the file. We removed the law that made the scanning illegal. What the providers do with that freedom is between them and the children. I write the permission. The choice is theirs, freely made, every hour, on every message, forever. People who oppose the file believe that mandatory scanning would be worse than voluntary scanning. This is the most persistent misunderstanding I encounter, and I never correct it, because a functionary who explains his own work has stopped working. A mandate creates a record. A mandate names an authority. A mandate can be challenged before the Court of Justice, because there is a decision to point at, a defendant to summon, a moment when the state did a thing to a citizen. Voluntary scanning has no such moment. There is no order to quash. There is no judge to have erred. WhatsApp chose. Gmail chose. Meta chose. The state merely stood aside and made the choosing lawful, and you cannot appeal against a company for accepting a gift, and you cannot appeal against a parliament for giving one. The subject of the scanning is the finest term in the instrument, and I fought for it in three languages. The unsuspected user. We do not scan the suspected. Suspicion would require a reason, and a reason would require a judge, and we have already discussed the judge. We scan the unsuspected, which is to say everyone, which is to say you, and the beauty of scanning the unsuspected is that no one has been accused of anything, so no one has standing to complain of anything, so the machine reads every message in Europe and violates the rights of no identifiable person, because to be violated you must first be suspected, and we are very careful never to suspect you. Now the procedure, which I admire nearly as much as the word. We have placed the file under urgency, and we have structured the reading so that to stop it or to amend it requires an absolute majority of all Members of the Parliament. Not a majority of those present. Not a majority of those voting. A majority of every Member who exists, including the ones at lunch, including the ones who have gone home, including the ones who have never read a data-protection file and never will. To keep the derogation, a Member need do nothing. To end it, hundreds must arrive, agree, and act, together, before recess. The vote passes if enough of you say nothing, and saying nothing is the easiest thing a parliament has ever done. I have watched them do it for years. Silence, in my file, is a yes, and I have built the whole architecture on the certainty that most people, most of the time, will decline to raise their hand. I have heard the derogation described as temporary, and I want to be honest about that word too, because honesty about small words is the only honesty a drafter has. It is temporary. It was temporary in 2021. It was temporary when it lapsed. It is temporary now, on July 6, as we revive it under urgency, and it will be temporary when it is renewed, and renewed, and renewed. Temporary is not a duration. Temporary is a promise that the ending has been scheduled, and we schedule it, faithfully, every time, for a date that arrives only to be extended. A permanent law can be repealed. A temporary one merely expires, and an expiry is so much easier to reverse than a repeal, because reviving something that has lapsed feels like maintenance, and no one marches against maintenance. I keep a printed copy of the operative article on my desk. I do not need it. I could recite the recitals in my sleep and sometimes do. I keep it because I like to look at the word in the morning, sitting there in the clause, holding up the ceiling, doing the work of an entire secret police with none of the paperwork and none of the shame. Voluntary. Four syllables holding up the reading of every private message on the continent, and holding it up so lightly that the people being read call it a safety feature and thank the providers for their care. Let me leave you with the definition, since a drafter's last duty is to the meaning of his terms. Voluntary describes the state, which has chosen, freely and without compulsion, to stop protecting you, to call that choice a favor to the children, to schedule its expiry for a date that will never come, and to require an absolute majority of the absent to take the favor back. The user was never asked. That is what the word means. I drafted it to mean that. It is the finest thing I have ever written, and no one will ever read it, because it was written precisely so that no one would have to.

  • MartineDennis
    Martine Dennis (@MartineDennis) reported

    @TeamYouTube My Gmail account which is linked to my YouTube channel has been hacked. All the recovery information has been changed by the hacker. The automated recovery page is locked down. Iโ€™d appreciate your attention on this. Thanks

  • heynavtoor
    Nav Toor (@heynavtoor) reported

    You changed your phone number last year. Someone else has it now. Every time your bank, Gmail, or WhatsApp sends a code to that number, they get it. Not you. Princeton tested 259 recycled US numbers. 171 could still log into someone's old accounts. Here's how to fix it in 10 minutes ๐Ÿ‘‡

  • Yusufcancakiir
    Yusuf Can ร‡akฤฑr (@Yusufcancakiir) reported

    Active infostealer + crypto clipper campaign run by a Turkish-speaking operator. Live since at least 23 June 2026, still being iterated (last payload push 6 July). The entire toolkit is sitting in an open directory on a DigitalOcean node (46[.]101[.]111[.]120:8080, WsgiDAV, anonymous read-write). Version-stamped backups and installer output strings show the operator moving from an early build to v5 in under two weeks. This is a maintained, actively developed operation, not a commodity dropper. Delivery. Primary vector is a macro-enabled Word doc (Q1 Quarterly Report 2025.docm) that fires on open, XOR-decodes a URL, and pulls a batch script into %TEMP% under an obfuscated filename. That chains to a PowerShell installer. The operator is hedging delivery: a .pdf.lnk, a zipped variant, an .hta, and a .vbs loader all sit in the same directory. Install and evasion. The installer drops a Python payload plus a full bundled runtime into %APPDATA%\Microsoft\Windows\Themes\Cache\, a path chosen to blend with legitimate Windows infra. Before anything runs it carves out Defender exclusions for the drop dir, %TEMP%, and the Python binaries, then applies two in-memory patches: AMSI (AmsiScanBuffer forced to return E_INVALIDARG) and ETW (EtwEventWrite stubbed to a bare return). With ETW silenced, Sysmon, Defender ETW consumers, and any EDR relying on event tracing go blind to what follows. The payload itself is layered (Base64, then XOR against a rolling SHA-256 digest, then marshalled bytecode run in memory). Everything runs at user level, no elevation. What it steals. Chrome saved credentials and cards, decrypted via the standard DPAPI plus AES-GCM path, alongside a file inventory walked across the user profile. Exfil ships to the C2 over HTTPS as a JSON POST, with a Gmail SMTP fallback that sends the same data as an HTML attachment if the primary channel fails. Crypto clipper. Monitors the clipboard and silently swaps copied wallet addresses for the operator's before you paste, across eight coins. If you copy-pasted a crypto address on a suspect host in the last two weeks, verify it before trusting it. Persistence is the difficult part. Five layers running at once: a Run key, a Startup script, two scheduled tasks (one every five minutes, one on a 22-hour cycle), and a WMI event subscription that fires a couple of minutes after each boot. A watchdog checks every five minutes whether the process is alive and holding its outbound connection, and re-downloads and restarts it if not. The maintenance task goes further and rebuilds any missing layer from scratch. Pull three of five and reboot, and you are reinfected. Remediation means isolating the host and taking out all five together. Attribution. Indicators point consistently to a Turkish-speaking operator: the C2 control panel is served in Turkish and the SMTP exfil account follows a recognizable Turkish naming pattern. DuckDNS dynamic DNS, a single DigitalOcean node, and no infrastructure diversification profile a solo or small-team actor. No espionage indicators; this is straightforward credential, card, and crypto theft. IOCs Payload server: 46[.]101[.]111[.]120:8080 (DigitalOcean, WsgiDAV, anon read-write) C2: gogettate[.]duckdns[.]org, ports 443 and 4444 Drop path: %APPDATA%\Microsoft\Windows\Themes\Cache\ Persistence: ThemeSvcHelper (Run key), ThemeSvc.vbs (Startup), ThemeSvcCheck / ThemeSvcMaint (tasks), ThemeEvtFlt / ThemeEvtCns (WMI, root\subscription) YARA string: WinMgmt2024Init