Chief Financial Officers (CFOs) and finance executives across six global regions have become the target of a highly sophisticated phishing campaign.
The attackers are using a legitimate remote-access tool, NetBird, to stealthily take control of victims’ computers without exploiting any vulnerability in the tool itself. According to a detailed analysis by cybersecurity firm Trellix, the campaign first came to light on May 15, when the firm’s email security products detected suspicious activity.
“This attack isn’t your typical phishing scam,” said Srini Seethapathy, a researcher at Trellix. “It’s well-crafted, targeted, subtle, and designed to slip past technology and people.”
How the attack works
The operation begins with a fake recruitment email that appears to come from a real Rothschild & Co. recruiter. The subject line reads “Rothschild & Co leadership opportunity (Confidential)”. The email tempts recipients with a strategic executive role and contains a link pretending to be a PDF file.
But it’s not a PDF at all. Clicking the link leads the victim to a Firebase-hosted page with a custom math-based CAPTCHA puzzle. Solving the puzzle decrypts a hidden URL that downloads a ZIP file called “Rothschild_&_Co-6745763.zip.” Inside is a small Visual Basic Script (VBS) file.
Once opened, that script fetches another script from an IP address and installs NetBird and OpenSSH, both of which are legitimate tools. Then the attack takes a darker turn: it creates a hidden admin account, enables Remote Desktop Protocol (RDP), and ensures the attacker can return at any time, without the victim knowing.
Attack scope
The campaign has targeted financial executives across Europe, Africa, Canada, the Middle East, and South Asia, with companies in the banking, insurance, investment, and energy sectors especially affected.
While some of the attacker infrastructure overlaps with previous nation-state campaigns, Trellix says they have not attributed this attack to any known threat actor as of now.
Trellix praised the quick action taken by the team behind NetBird, who “acted immediately to block the malicious actors and terminate any access to ensure the continued safety of their platform.”
They emphasized that NetBird was not exploited through any flaw; the attackers simply misused its capabilities by installing it stealthily.
Not the first time this method has been used
Trellix researchers also discovered older phishing pages using the same custom CAPTCHA trick. One example, still active, is a fake SharePoint link from a year ago that delivers the same VBS script. Another Firebase site showed similar behavior but has since gone offline.
The Autorité des marchés financiers (AMF) in France also recently warned about similar impersonation attacks. The indicators shared by AMF matched those found in this campaign, though the tactics used to lure victims differed.
This campaign is part of a growing trend where attackers rely on legitimate remote access tools such as NetBird, Atera, ConnectWise, Splashtop, and FleetDeck to stay under the radar.
“Adversaries keep evolving their social engineering tricks… leveraging command and script interpreters, legitimate tools and LOLBAS,” Seethapathy notes.
What you can do: Trellix’s recommendations
For executives:
- Be wary of unsolicited job offers or messages, especially those that come with ZIP files or strange links.
- Never bypass warnings to open downloads or enable scripts.
- Report even harmless-looking emails to your IT or security team.
For IT defenders:
- Keep an eye on script hosts and command-line tools such as wscript.exe, PowerShell.exe, and MSHTA, especially when they are launched under C-suite accounts.
- Monitor new admin accounts, especially those with generic names like “user”.
- Use Endpoint Detection and Response (EDR) tools to flag suspicious installations and persistent behaviors.
- Audit the use of MSI packages and VBS scripts on employee machines.
- Train employees regularly using up-to-date phishing simulations.
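As an added illustration (not code from Trellix or the article), the first three defender recommendations above turned into simple triage rules and run over a few constructed Windows event records; the record field names, the executive account, the “offer.vbs” file name and the reg.exe writer are assumptions, while the fDenyTSConnections registry value is the real switch that controls inbound RDP.

```python
import ntpath  # handles Windows-style paths regardless of the host OS

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
GENERIC_NAMES = {"user", "admin", "support", "test"}  # names the article warns about
RDP_VALUE = "fDenyTSConnections"  # real registry value; writing 0 enables inbound RDP

def flag_script_hosts(events, exec_accounts):
    """Process creation (modelled on Security 4688) of a script host by an executive account."""
    return [f"{e['user']} launched {e['cmd']}" for e in events
            if e["id"] == 4688 and e["user"].lower() in exec_accounts
            and ntpath.basename(e["image"]).lower() in SCRIPT_HOSTS]

def flag_generic_admins(events):
    """Generic-name account created (4720) and then added to Administrators (4732)."""
    created = {e["target"].lower() for e in events
               if e["id"] == 4720 and e["target"].lower() in GENERIC_NAMES}
    return [f"new generic account {e['target']} added to {e['group']}" for e in events
            if e["id"] == 4732 and e["target"].lower() in created
            and e["group"].lower() == "administrators"]

def flag_rdp_enabled(events):
    """Registry write (modelled on Sysmon 13) that flips fDenyTSConnections to 0."""
    return [f"RDP enabled by {e['image']}" for e in events
            if e["id"] == 13 and e["key"].endswith(RDP_VALUE) and e["value"] == 0]

def triage(events, exec_accounts):
    """Return every alert from the three rules, in rule order."""
    return (flag_script_hosts(events, exec_accounts) + flag_generic_admins(events)
            + flag_rdp_enabled(events))

# Constructed sample telemetry (assumed field names) mirroring the chain described above.
SAMPLE = [
    {"id": 4688, "user": r"CORP\cfo.jane", "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\cfo.jane\Downloads\offer.vbs"'},
    {"id": 4688, "user": r"CORP\cfo.jane", "image": r"C:\Program Files\Excel\EXCEL.EXE",
     "cmd": "EXCEL.EXE budget.xlsx"},  # benign: not a script host
    {"id": 4720, "target": "user"},
    {"id": 4732, "target": "user", "group": "Administrators"},
    {"id": 4720, "target": "svc-backup"},  # benign: descriptive name, not in GENERIC_NAMES
    {"id": 4732, "target": "svc-backup", "group": "Administrators"},
    {"id": 13, "image": r"C:\Windows\System32\reg.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "value": 0},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE, {r"corp\cfo.jane"}):  # executive list is an assumption
        print("ALERT:", alert)
```

In a real deployment the executive account list would come from the identity provider, and the rules would be correlated by host and time window rather than matched independently.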
This discovery comes as the cybersecurity world contends with a booming phishing economy, driven by platforms like Tycoon2FA, DadSec, and a slick Chinese-language service called Haozi. These Phishing-as-a-Service (PhaaS) tools are making it easier than ever for unskilled criminals to launch professional-looking scams.