Recruiter-Impersonation Spear-Phishing Targets CFOs With the Legitimate NetBird Remote Access Tool Across Six Regions


Security researchers have identified a spear-phishing campaign that abuses NetBird, a legitimate remote access tool, to target chief financial officers (CFOs) and other finance executives at banks, energy companies, insurers and investment firms across Europe, Africa, Canada, the Middle East and South Asia.

The operation, a multi-stage phishing effort, was first detected in mid-May 2025 and has not been attributed to any known threat actor or group. The emails purport to come from a recruiter at Rothschild & Co. and pitch a "strategic opportunity" that lures the recipient into clicking what looks like a PDF attachment. It is in fact a phishing link that redirects to a URL hosted on a Firebase app.

The redirect is deliberately opaque. The real destination URL is stored in encrypted form and is decrypted by a JavaScript function on the page only after the visitor passes a CAPTCHA, at which point the page leads to a ZIP archive download. Gating the payload behind Cloudflare Turnstile or Google reCAPTCHA is an increasingly common trick: automated URL scanners and sandboxes cannot pass the challenge, and because the final URL never appears in the page's static source, crawling the page without solving the CAPTCHA reveals nothing about where it leads.

The archive contains a Visual Basic Script (VBScript) that retrieves a second VBScript from an external server and runs it via wscript.exe. That downloader fetches a further payload, saves it as "trm.zip" and extracts two MSI installers: NetBird and OpenSSH. The final stage installs both, creates a hidden local account, enables Remote Desktop and makes NetBird persistent through a scheduled task that launches it on every reboot. To hide the compromise from the user, the malware also deletes the NetBird desktop shortcuts. Because NetBird and OpenSSH are legitimate software, the installers themselves will not trip file-based antivirus; the detection opportunity lies in the chain around them, such as a script host spawning msiexec from a user's temp directory, a new account being hidden from the logon screen, RDP being switched on and a scheduled task being created for a remote access tool the organization never approved.
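The chain above is a correlation problem rather than a single-indicator one, so here is an added hunting example (written for this page, not code from the article, Trellix or NetBird) that scores process-creation events per host against each stage of the infection chain. The event lines are constructed; the article does not give the exact command lines the campaign used, so the regexes encode the way each stage typically appears in Sysmon event 1 or Windows 4688 logs (net user /add, the Winlogon SpecialAccounts\UserList registry key for hiding an account, fDenyTSConnections for RDP, schtasks /create). Field order, hostnames, account name and file names are all assumptions.

```python
"""
Added hunting example for the NetBird/OpenSSH infection chain described above.
Not from the original article. Log format, hostnames and command lines are
constructed assumptions of how each stage typically looks, not campaign IoCs.
"""
import re
from collections import defaultdict

# One regex per stage, matched against "<image path> <command line>".
RULES = [
    ("vbs_from_wscript",     re.compile(r"\\wscript\.exe\b.*\\(?:Temp|Downloads)\\.*\.vbs", re.I)),
    ("netbird_msi_install",  re.compile(r"\\msiexec\.exe\b.*\bnetbird[^\s\"]*\.msi", re.I)),
    ("openssh_msi_install",  re.compile(r"\\msiexec\.exe\b.*\bopenssh[^\s\"]*\.msi", re.I)),
    ("local_account_added",  re.compile(r"\\net1?\.exe\b.*\buser\b.*/add", re.I)),
    ("account_hidden",       re.compile(r"SpecialAccounts\\UserList.*/d\s+0\b", re.I)),
    ("rdp_enabled",          re.compile(r"fDenyTSConnections.*/d\s+0\b", re.I)),
    ("netbird_schtask",      re.compile(r"\\schtasks\.exe\b.*/create.*netbird", re.I)),
    ("shortcut_removed",     re.compile(r"\bdel\b.*NetBird[^\s\"]*\.lnk", re.I)),
]
SCRIPT_HOST = re.compile(r"\\[wc]script\.exe$", re.I)
MSIEXEC = re.compile(r"\\msiexec\.exe$", re.I)

# Constructed sample events: host|parent image|image|command line
SAMPLE_EVENTS = [
    r'FIN-CFO-01|C:\Windows\explorer.exe|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\cfo\AppData\Local\Temp\Temp1_Opportunity.zip\Opportunity.vbs',
    r'FIN-CFO-01|C:\Windows\System32\wscript.exe|C:\Windows\System32\msiexec.exe|msiexec.exe /i C:\Users\cfo\AppData\Local\Temp\trm\netbird.msi /qn',
    r'FIN-CFO-01|C:\Windows\System32\wscript.exe|C:\Windows\System32\msiexec.exe|msiexec.exe /i C:\Users\cfo\AppData\Local\Temp\trm\OpenSSH-Win64.msi /qn',
    r'FIN-CFO-01|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net user svc_update Xy7!pass /add',
    r'FIN-CFO-01|C:\Windows\System32\cmd.exe|C:\Windows\System32\reg.exe|reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList /v svc_update /t REG_DWORD /d 0 /f',
    r'FIN-CFO-01|C:\Windows\System32\cmd.exe|C:\Windows\System32\reg.exe|reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r'FIN-CFO-01|C:\Windows\System32\cmd.exe|C:\Windows\System32\schtasks.exe|schtasks /create /sc onstart /ru SYSTEM /tn NetBirdUpdate /tr "C:\Program Files\NetBird\netbird.exe up" /f',
    r'FIN-CFO-01|C:\Windows\System32\cmd.exe|C:\Windows\System32\cmd.exe|cmd /c del "C:\Users\Public\Desktop\NetBird.lnk"',
    # A lone, interactive NetBird install by an admin must not alert on its own.
    r'IT-ADMIN-07|C:\Windows\explorer.exe|C:\Windows\System32\msiexec.exe|msiexec.exe /i C:\Users\admin\Downloads\netbird.msi',
]


def parse_event(line):
    """Split one pipe-delimited event into its four fields (assumed format)."""
    host, parent, image, cmdline = line.split("|", 3)
    return {"host": host, "parent": parent, "image": image, "cmdline": cmdline}


def match_stages(event):
    """Return the names of every chain stage this single event matches."""
    haystack = f"{event['image']} {event['cmdline']}"
    stages = [name for name, rx in RULES if rx.search(haystack)]
    # Parent/child relationship: a script host installing an MSI is itself a stage.
    if SCRIPT_HOST.search(event["parent"]) and MSIEXEC.search(event["image"]):
        stages.append("msi_spawned_by_script_host")
    return stages


def correlate(lines, min_stages=3):
    """Alert per host when several stages appear and the remote-access tool is involved.

    The threshold is what separates a legitimate NetBird rollout from this
    chain: one msiexec event is noise, a script-host install plus a hidden
    account plus RDP being enabled is not.
    """
    per_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        for stage in match_stages(ev):
            per_host[ev["host"]].add(stage)
    alerts = {}
    for host, stages in per_host.items():
        if len(stages) >= min_stages and stages & {"netbird_msi_install", "netbird_schtask"}:
            alerts[host] = sorted(stages)
    return alerts


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {len(stages)} stages -> {', '.join(stages)}")
```

In production the same logic sits better in a SIEM correlation rule keyed on host and a short time window, but the shape is the same: match each stage loosely, then require several of them together before alerting, so that a sanctioned NetBird deployment does not page anyone.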

Researchers also identified a second redirect URL that had been live for nearly a year and delivered the same VBScript payload, which suggests the campaign has been running for far longer than its mid-May detection.

The findings fit a broader trend of adversaries abusing legitimate remote access software, such as ConnectWise ScreenConnect, to establish persistence in victim networks. Because such tools are trusted, widely deployed and rarely blocked outright, they blend in with routine administration and slip past controls that look only for known-malicious files.

The campaign is subtle and targeted, combining social engineering with evasion techniques intended to secure long-term access to victim systems. It illustrates how phishing operations are outgrowing defenses that rely on recognizing malicious files or domains.

Separately, recent reporting highlights a range of other email-based social engineering campaigns, including:

  • Phishing attacks that abuse a reputable domain belonging to a Japanese ISP to harvest credentials.
  • Campaigns that host phishing pages on Google Apps Script and use invoice-themed lures to steal Microsoft credentials.
  • Campaigns that imitate Apple Pay invoices to steal credit card details and Yahoo Mail credentials.
  • Abuse of Notion workspaces to harvest credentials by posing as shared documents.
  • Attacks that exploit a long-known Microsoft Office vulnerability to deliver information-stealing malware via seemingly innocuous attachments.

These threats coincide with the rise of Phishing-as-a-Service (PhaaS), which supplies adversaries with ready-made kits and hosting infrastructure. The "Haozi" phishing kit, for example, offers automated setup and campaign management through a web interface, so operators need little technical skill.

Unlike traditional kits that require manual configuration, Haozi is sold as a subscription, lowering the barrier to entry for would-be attackers. Dedicated support channels for debugging and campaign optimization make the offering resemble a SaaS business.

As perimeter defenses improve, threat actors are shifting effort away from breaching hardened networks and toward refining social engineering and phishing. These developments call for more training and awareness of common social engineering techniques, and, on the technical side, for monitoring and restricting remote access tools that the organization has not explicitly approved.