Cybersecurity researchers have sounded the alarm over a new, highly sophisticated spear-phishing campaign aimed at the corporate finance departments of companies from various segments of the marketplace.
This campaign abuses a legitimate remote access tool, named as NetBird, to infringe upon victim systems without proper authorization, emphasizing a growing trend of adversaries abusing legitimate software for malicious purposes.
The campaign, discovered in mid-May 2025, has been directed at people at banks, energy companies, insurers and investment firms in Europe, Africa, Canada, the Middle East and South Asia.
The attackers reach out through extremely convincing spear-phishing emails — in many cases posing as recruiters with respected organizations such as Rothschild & Co. They tend to promise high-paying “strategic opportunities,” but with the attachment click-bait (it looks like a PDF).
But the link in this instance points not to a PDF, but to a Firebase-hosted page that contains a tailored CAPTCHA puzzle. This innocent-sounding step is an evasion of the immune system.
After the CAPTCHA is solved, a hidden encrypted URL is decrypted and the ZIP file is downloaded. The archive includes a VBScript downloader which in turn retrieves additional malicious payloads from the same server.
In the next few phases of the attack, it silently installs NetBird and OpenSSH, a secure shell protocol, onto the compromised machine. Importantly, the script also uses the technique to create a backdoor local admin account and enable Remote Desktop Protocol (RDP) with firewall changes, delivering persistence and covert access for the attackers. In order to be even more stealthy, the malware deletes any NetBird icons from the desktop.
CFOs make tempting victims given their direct computer access to financial systems, personal sensitive information and ability to approve major transactions. A successful breach of the finance chief’s systems could result in significant financial loss, data leaks and serious brand damage for the victimised companies.
Security researchers highlight that this is not a regular mass phishing operation but a thoughtfully planned and targeted action which can overcome both technical security measures and human intuition.
The multi-part nature of the attack, combined with the social engineering methods and real piece of remote access software used in the attack, highlights the increasingly sophistication of cyber attacks.
Companies are advised to train their CFO about the dangers of spear-phishing and take steps to protect themselves from more such attacks, including the use of endpoint detection and response (EDR) products strict email filtering and security-awareness training.
It’s also worth at the very least auditing MSIExec activity and looking for odd script executions to identify and deter such intrusions. The continuing battle is a stark reminder of the constant need for vigilance and proactive defence in an increasingly sophisticated cyber war.
