Hackers Leveraging Free Firebase Developer Accounts to Host Malware and Abuse Infrastructure

What happened

Threat actors are abusing free Firebase developer accounts to host malware and support malicious infrastructure in ongoing campaigns. According to the report by Palo Alto Networks Unit 42, attackers create Firebase accounts using free tiers and deploy hosting services that serve malicious payloads such as infostealers, credential harvesters, and phishing content. Firebase’s content delivery and reputation as a trusted platform help the malicious assets evade detection and reach victims who are more likely to accept resources served from legitimate cloud domains. Researchers noted that the abuse includes use of Firebase hosting to deliver payloads for malware families and credential extraction tools, and that URLs associated with the free developer accounts are used to distribute secondary stages or act as command-and-control endpoints. This tactic complicates defensive filtering and increases the likelihood that malicious files and links will bypass traditional domain or IP-based blocks.

Who is affected

Users and systems that interact with resources hosted on abused free Firebase developer accounts are affected, as those resources can deliver malware payloads, enable credential harvesting, or redirect victims to phishing sites.

Why CISOs should care

The exploitation of trusted cloud hosting infrastructure like Firebase demonstrates how threat actors can leverage legitimate platforms to evade detection and serve malicious content, increasing risk to enterprise endpoints and users who may interact with compromised or deceptive resources.

3 practical actions

  • Monitor outbound connections to cloud hosting URLs. Identify connections to developer Firebase domains that could deliver malicious payloads.
  • Block known abused hosts. Maintain filtering rules to restrict access to Firebase accounts associated with malicious activity.
  • Educate users on cloud-hosted threats. Inform stakeholders about deceptive links that leverage trusted cloud infrastructure for malware delivery.