Malware, used by 2 actors

NetBird

NetBird is a legitimate remote access and tunneling tool that threat actors have abused to provide covert connectivity inside victim environments. In the provided reporting, VOID MANTICORE deployed NetBird on compromised systems, downloading it from the official site to build a zero-trust mesh network and tunnel traffic to internal hosts that were not directly reachable. This enabled control of multiple victim devices at once and supported lateral movement, which was otherwise conducted mainly over RDP. The content also states that newly observed TTPs included deployment of NetBird to tunnel traffic into victim networks. Separately, Trellix reported a spear-phishing campaign targeting CFOs and finance executives globally in the banking, energy, insurance, and investment sectors, where the actors sought to infect victims with a version of a NetBird remote access trojan. High-confidence associations in the content link NetBird abuse to VOID MANTICORE activity and to phishing-led intrusions against finance-focused targets.


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.
Handala

VOID MANTICORE has installed NetBird on victim devices to create a mesh network that facilitated control of several victim devices at once.

via MITRE ATT&CK website (attack.mitre.org)
MuddyWater

Legitimate remote management tools, including Atera, AnyDesk, Syncro, SimpleHelp, and NetBird, were systematically abused to establish persistent remote access...

via Trellix blog (trellix.com)
MITRE ATT&CK

Techniques & procedures

14 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques
T1078 Valid Accounts (evidence: 1)

“Legitimate remote management tools … were systematically abused to establish persistent remote access, with attackers registering compromised trial accounts and impersonating credible organizations …”

T1133 External Remote Services (evidence: 2)

In recent years, adversaries have increasingly relied on remote-access applications like this to establish persistence and further their way into the victim's network.

T1566.001 Spearphishing Attachment (evidence: 1)

The Trellix article titled A Flyby on the CFO's Inbox details a sophisticated spear-phishing campaign targeting CFOs and finance executives... Attackers impersonated a Rothschild & Co recruiter, sending emails that led recipients through a deceptive CAPTCHA to download a ZIP file containing a malicious VBS script.

Execution

2 techniques
T1059.005 Visual Basic (evidence: 1)

The malicious actor had already gained these administrative privileges to execute the involved VBS script, enabling them to proceed with the installation and NetBird service startup.

T1204.002 Malicious File (evidence: 1)

Attackers impersonated a Rothschild & Co recruiter, sending emails that led recipients through a deceptive CAPTCHA to download a ZIP file containing a malicious VBS script.

Persistence

3 techniques
T1078 Valid Accounts (evidence: 1)

“Legitimate remote management tools … were systematically abused to establish persistent remote access, with attackers registering compromised trial accounts and impersonating credible organizations …”

T1133 External Remote Services (evidence: 2)

In recent years, adversaries have increasingly relied on remote-access applications like this to establish persistence and further their way into the victim's network.

T1136 Create Account (evidence: 1)

This script installed NetBird and OpenSSH, created a hidden admin account, and enabled Remote Desktop Protocol (RDP), granting attackers persistent access to the victim's system.

Privilege Escalation

1 technique
T1078 Valid Accounts (evidence: 1)

“Legitimate remote management tools … were systematically abused to establish persistent remote access, with attackers registering compromised trial accounts and impersonating credible organizations …”

Stealth

1 technique
T1078 Valid Accounts (evidence: 1)

“Legitimate remote management tools … were systematically abused to establish persistent remote access, with attackers registering compromised trial accounts and impersonating credible organizations …”

Lateral Movement

2 techniques
T1021 Remote Services (evidence: 1)

Lateral movement has typically been achieved through remote services (T1021), such as SMB or RDP.

T1021.001 Remote Desktop Protocol (evidence: 2)

This script installed NetBird and OpenSSH, created a hidden admin account, and enabled Remote Desktop Protocol (RDP), granting attackers persistent access to the victim's system.

Command and Control

5 techniques
T1090 Proxy (evidence: 1)

To reach internal hosts not directly reachable, the group deploys NetBird—downloaded from the official site on compromised systems—to build a zero-trust mesh and tunnel traffic.

T1105 Ingress Tool Transfer (evidence: 1)

The attackers first connected to compromised hosts via RDP and then used the local web browser to download the software directly from the official NetBird website.

T1219 Remote Access Tools (evidence: 1)

"deployment of OpenSSH and NetBird, a legitimate remote access tool for persistent access"

T1219.002 Remote Desktop Software (evidence: 1)

VOID MANTICORE has installed NetBird on victim devices to create a mesh network that facilitated control of several victim devices at once.

T1572 Protocol Tunneling (evidence: 1)

To reach hosts that were not directly accessible from outside the network, the group was observed deploying NetBird... to create secure, private zero-trust mesh networks.

Other

1 technique
T1562 Impair Defenses (evidence: 1)

...installs FTK Imager to remove all Microsoft Defender exclusions... In another case, the threat actors used NetBird ... and executed a PowerShell script to disable Microsoft Defender.
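The reported intrusion script chains several distinct host events (NetBird service install, OpenSSH install, a new local admin account, RDP enabled, Defender disabled). Because NetBird on its own is a legitimate tool, a useful detection correlates those steps per host rather than alerting on the installer alone. The following is an added editorial example, not code from Mallory, MITRE, or Trellix; it assumes a simplified event record (host, Windows event ID, message text) and uses constructed sample events with hypothetical host names.

```python
import re
from collections import defaultdict

# Assumed simplified event schema: {"host": str, "id": int, "msg": str}.
# Windows event IDs used: 7045 = new service installed, 4720 = local account created.
# A None event ID means "match on message text regardless of ID".
INDICATORS = {
    "netbird_service":   (7045, re.compile(r"netbird", re.I)),
    "openssh_service":   (7045, re.compile(r"\bsshd\b", re.I)),
    "account_created":   (4720, None),
    "rdp_enabled":       (None, re.compile(r"fDenyTSConnections\W+0\b", re.I)),
    "defender_disabled": (None, re.compile(
        r"Set-MpPreference.*DisableRealtimeMonitoring\s+\$?true", re.I)),
}

def match_event(event):
    """Return the names of all indicators a single event satisfies."""
    hits = []
    for name, (event_id, pattern) in INDICATORS.items():
        if event_id is not None and event.get("id") != event_id:
            continue
        if pattern is None or pattern.search(event.get("msg", "")):
            hits.append(name)
    return hits

def score_hosts(events):
    """Correlate indicators per host. A lone NetBird install scores low (legitimate
    use is common); NetBird plus other steps of the reported chain raises the level."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(match_event(ev))
    result = {}
    for host, hits in per_host.items():
        if "netbird_service" in hits and len(hits) >= 3:
            level = "high"
        elif "netbird_service" in hits and len(hits) == 2:
            level = "medium"
        else:
            level = "low"
        result[host] = (level, sorted(hits))
    return result

# Constructed sample events (hypothetical hosts, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "fin-ws01", "id": 7045, "msg": "A service was installed: Netbird (netbird.exe service run)"},
    {"host": "fin-ws01", "id": 7045, "msg": "A service was installed: sshd (OpenSSH SSH Server)"},
    {"host": "fin-ws01", "id": 4720, "msg": "A user account was created: svc_backup$"},
    {"host": "fin-ws01", "id": 4657, "msg": "Registry value modified: Terminal Server\\fDenyTSConnections = 0"},
    {"host": "fin-ws01", "id": 4104, "msg": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "it-admin02", "id": 7045, "msg": "A service was installed: NetBird"},
]

if __name__ == "__main__":
    for host, (level, hits) in score_hosts(SAMPLE_EVENTS).items():
        print(host, level, hits)
```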

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.

Hashes (2 tracked)

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type      Value                          Latest sighting
hash.md5  (value not shown on this page)  4 months ago
hash.md5  (value not shown on this page)  4 months ago