
Cybersecurity researchers have identified a new spear-phishing operation that specifically targets Chief Financial Officers (CFOs) and other financial executives in various industries, including banking, energy, insurance, and investment firms across Europe, Africa, Canada, the Middle East, and South Asia. This sophisticated attack takes advantage of a legitimate remote access tool known as NetBird.

Trellix researcher Srini Seethapathy notes that the attack, which surfaced in mid-May 2025, aims to deploy NetBird on the victim’s computer through a multi-stage phishing scheme. The initial phase involves a carefully crafted email that purports to be from a recruiter at Rothschild & Co., claiming to offer a "strategic opportunity." This email lures the recipient into clicking on what appears to be a PDF attachment, but is actually a phishing link redirecting them to a malicious URL hosted on Firebase.

One notable feature of this attack is the method of redirecting victims. The actual destination URL is encrypted and is revealed only after the victim correctly solves a CAPTCHA, a gate intended to evade security measures that typically flag phishing attempts. Upon solving the CAPTCHA, the victim is redirected to a download link leading to a ZIP file.

Inside this archive, a Visual Basic Script (VBScript) is concealed, which fetches an additional VBScript from an external server and executes it using "wscript.exe." This second script then retrieves another payload from the same server, renaming it to "trm.zip" and extracting two MSI files: NetBird and OpenSSH.

The final phase of the attack involves installing these programs on the compromised system, creating a hidden local account, enabling remote desktop access, and ensuring that NetBird is set to run automatically upon system reboot. To maintain stealth, the malware also deletes any desktop shortcuts for NetBird, making detection more difficult for the victim.
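The chain described above leaves several process-creation events on the host that are individually common but unusual together. The following Python sketch is an added example, not code from Trellix or from the original report: it correlates those stages per host inside a time window. The command-line patterns, host names, file paths and sample events are constructed assumptions about how each step typically shows up in endpoint telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage -> pattern over a process command line. Assumed typical forms of the
# steps the article lists; these are not indicators from the Trellix report.
STAGES = {
    "vbs_via_wscript": re.compile(r"wscript\.exe.*\.vbs", re.I),
    "trm_zip_staged": re.compile(r"\btrm\.zip\b", re.I),
    "msi_netbird_or_openssh": re.compile(r'msiexec.*(netbird|openssh)[^\s"]*\.msi', re.I),
    "local_account_added": re.compile(r"\bnet1?(\.exe)?\s+user\s.*/add\b", re.I),
    "rdp_enabled": re.compile(r"fDenyTSConnections.*/d\s+0\b", re.I),
}

# Constructed process-creation events: (host, timestamp, command line).
SAMPLE = [
    ("IT-WS-07", "2025-05-20T08:00:00", r'C:\Windows\System32\wscript.exe \\fileserver.example\netlogon\map_drives.vbs'),
    ("IT-WS-07", "2025-05-20T08:10:00", r'msiexec.exe /i C:\Installers\OpenSSH-Win64.msi'),
    ("FIN-LT-01", "2025-05-20T09:14:02", r'C:\Windows\System32\wscript.exe "C:\Users\user1\Downloads\document\document.vbs"'),
    ("FIN-LT-01", "2025-05-20T09:14:40", r'powershell.exe Expand-Archive -Path C:\Users\Public\trm.zip -DestinationPath C:\Users\Public\t'),
    ("FIN-LT-01", "2025-05-20T09:15:05", r'msiexec.exe /i C:\Users\Public\t\netbird.msi /quiet'),
    ("FIN-LT-01", "2025-05-20T09:15:30", r'C:\Windows\System32\net.exe user placeholder_acct <redacted> /add'),
    ("FIN-LT-01", "2025-05-20T09:15:41", r'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
]

def correlate(events, window=timedelta(minutes=30), min_stages=3):
    """Return {host: [stages]} where min_stages distinct stages fall in one window."""
    hits = defaultdict(list)
    for host, ts, cmdline in events:
        when = datetime.fromisoformat(ts)
        for stage, pattern in STAGES.items():
            if pattern.search(cmdline):
                hits[host].append((when, stage))
    alerts = {}
    for host, matched in hits.items():
        matched.sort()
        for start, _ in matched:  # slide the window over every matched event
            stages = {s for t, s in matched if timedelta(0) <= t - start <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE).items():
        print(host, "->", ", ".join(stages))
```

The IT workstation in the sample runs a logon script and installs OpenSSH, which matches two stages but stays below the threshold; requiring several stages close together is what keeps legitimate use of these tools from alerting.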

Trellix has discovered additional redirect URLs that have been active for nearly a year and share the same VBScript payload, indicating that the operation may have been ongoing for some time.

The findings highlight a troubling trend in which adversaries increasingly rely on legitimate remote access tools, such as ConnectWise ScreenConnect and LogMeIn Resolve, to maintain consistent access to compromised networks while evading detection.

"This attack isn’t your standard phishing scam," warns Seethapathy. "It’s sophisticated, targeted, and designed to bypass technical defenses and human scrutiny. It is a multi-layered assault utilizing social engineering to achieve persistent access to compromised systems."

This warning is timely, coinciding with the emergence of various email-based social engineering threats that exploit trusted domains and legitimate platforms to deploy malware. Examples include phishing emails posing as business communications from well-known companies and campaigns that leverage vulnerabilities in popular software to compromise systems.

As phishing attacks evolve, platforms offering Phishing-as-a-Service (PhaaS) are making it easier for cybercriminals to launch attacks. These kits lower barriers for attackers with simple setups and community support, which underscores the urgent need for companies to bolster user training and awareness of social engineering tactics to defend against such threats.

