How MuddyWater Blends Social Engineering with Infrastructure Abuse

Targeting CFOs.
Lily Morris
Contributing Writer

A new campaign linked to APT MuddyWater is targeting CFOs and senior finance professionals through multi-stage phishing.

The operation begins with emails posing as recruitment outreach, luring recipients to Firebase-hosted pages that simulate job listings. These phishing sites use simple math challenges in French as CAPTCHAs.

After solving the challenge, victims are redirected to attacker-controlled domains that deliver ZIP files containing VBScript payloads.

Once opened, these scripts silently deploy remote access software, create hidden administrative accounts, and configure persistent access methods.

The campaign spans multiple regions and shows continued infrastructure development.

Investigators tracked rotating domains and changing payload directories. The use of NetBird and OpenSSH, coupled with minimal malware indicators, allows the operation to proceed with little interruption.

Infrastructure overlap with past incidents further connects this activity to MuddyWater, reinforcing attribution through reused setup keys and persistent use of the same delivery format.

Why It Matters: The operation shows how attackers can bypass traditional defenses by abusing tools that are already trusted in enterprise environments. By using remote access software like NetBird and AteraAgent, they avoid detection while maintaining persistent access. This poses a particular risk to environments tied to financial oversight, where attackers can quietly monitor activity or move laterally. It challenges assumptions about which software is safe and forces a closer look at how legitimate tools are being used within the network.

  • Staged Delivery Through Firebase and Phishing Redirects: The initial email contains a link to a Firebase site styled to look like a job posting. A CAPTCHA prompt using basic math in French acts as a gate. Upon solving the challenge, a script decrypts an embedded URL and redirects the victim to a second site, which delivers a ZIP archive labeled as a document.
  • Execution of VBS Scripts and Remote Tool Installation: Inside the ZIP file is a VBS script that downloads and runs a secondary script from an external server. This secondary payload installs NetBird and OpenSSH, creates a new administrator account with fixed credentials, enables RDP access, and adjusts firewall settings. Shortcuts and visual indicators are removed to reduce the chance of discovery.
  • Infrastructure Rotation and Consistent Payload Behavior: The infrastructure includes a mix of Firebase and Google Web App domains, each using similar logic for CAPTCHA validation and redirection. IP addresses shifted over time, but the behavior of the payloads and scripts remained consistent. This approach indicates a structured operation with infrastructure designed for reuse and redundancy.
  • Use of Trusted Tools for Remote Control: NetBird, OpenSSH, and AteraAgent are used as remote access channels. These tools, while legitimate, are repurposed here for unauthorized access. Since they are commonly installed in enterprise environments, their presence does not immediately indicate compromise.
  • Overlap with Documented MuddyWater Activity: Setup keys, script structure, administrative credentials, and remote access methods match previous reports of MuddyWater activity. Even with minor adjustments in domain names and payload paths, the campaign mirrors earlier attacks in both intent and execution. Analysis of IP addresses and past phishing domains further supports the connection.
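The post-execution chain described above (a new local administrator, a remote access service install, RDP enablement) is quiet when each step is looked at on its own, so a detection has to correlate the steps per host. The following is an added example, not code from the original article or from Hunt.io: it runs over constructed Windows event records (host names, timestamps and details are invented; the event IDs 4720, 4732, 7045 and 4657 and the fDenyTSConnections registry value are real) and alerts only when several stages land on one host inside a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry) in a simplified shape:
# host, ISO timestamp, Windows event id, and the one detail field we key on.
# 4720 = account created, 4732 = member added to local group,
# 7045 = service installed, 4657 = registry value modified.
SAMPLE_EVENTS = [
    {"host": "FIN-WS01", "time": "2024-06-01T09:02:10", "id": 4720, "detail": "svc_backup"},
    {"host": "FIN-WS01", "time": "2024-06-01T09:02:11", "id": 4732, "detail": "Administrators"},
    {"host": "FIN-WS01", "time": "2024-06-01T09:03:40", "id": 7045, "detail": "NetBird"},
    {"host": "FIN-WS01", "time": "2024-06-01T09:04:05", "id": 7045, "detail": "OpenSSH SSH Server"},
    {"host": "FIN-WS01", "time": "2024-06-01T09:04:30", "id": 4657, "detail": "fDenyTSConnections=0"},
    # A lone OpenSSH install on another host: routine admin work, should not alert.
    {"host": "HR-WS07", "time": "2024-06-01T10:15:00", "id": 7045, "detail": "OpenSSH SSH Server"},
]

REMOTE_TOOLS = ("netbird", "openssh", "ateraagent")
WINDOW = timedelta(minutes=15)

def stage(ev):
    """Map one event to the campaign stage it evidences, or None."""
    d = ev["detail"].lower()
    if ev["id"] == 4720:
        return "new_account"
    if ev["id"] == 4732 and d == "administrators":
        return "admin_group"
    if ev["id"] == 7045 and any(t in d for t in REMOTE_TOOLS):
        return "remote_tool"
    if ev["id"] == 4657 and "fdenytsconnections=0" in d:
        return "rdp_enabled"
    return None

def correlate(events, window=WINDOW, min_stages=3):
    """Return {host: sorted stages} for hosts where at least min_stages distinct
    stages fall inside one sliding window; a lone tool install stays quiet."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        s = stage(ev)
        if s:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), s))
    hits = {}
    for host, seq in by_host.items():
        for i, (t0, _) in enumerate(seq):
            seen = {s for t, s in seq[i:] if t - t0 <= window}
            if len(seen) >= min_stages:
                hits[host] = sorted(seen)
                break
    return hits
```

The stage list and window are the tunable parts; in a real deployment the detail field would be the account name, group name, service name or registry value pulled from the respective event.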

Go Deeper -> APT MuddyWater Deploys Multi-Stage Phishing to Target CFOs – Hunt.io