A sophisticated global spear-phishing campaign is actively targeting Chief Financial Officers (CFOs) and senior financial executives. This operation, affecting banking, energy, insurance, and investment firms across multiple regions, underscores a dangerous trend of legitimate software being weaponized and the increasing accessibility of Phishing-as-a-Service (PhaaS) platforms that lower the barrier for cybercriminals.
Chief Financial Officers and high-ranking financial executives globally are being targeted by a sophisticated spear-phishing campaign that cleverly weaponizes a legitimate remote access application, NetBird. Cybersecurity firm Trellix reported first identifying this operation in mid-May 2025, noting its reach across vital sectors such as banking, energy, insurance, and investment firms in Europe, Africa, Canada, the Middle East, and South Asia.
The currently unattributed attackers are executing a multi-layered phishing strategy designed to install NetBird, a remote access tool built on WireGuard technology, onto victims’ systems. This grants the perpetrators persistent, covert access to compromised networks.
The attack sequence typically initiates with a deceptive email. These messages are crafted to appear as though they originate from recruiters at the prestigious financial institution Rothschild & Co., presenting a “strategic opportunity” to the recipient. Instead of a genuine PDF attachment, the embedded link directs the unsuspecting executive to a webpage hosted on Firebase.
A particularly cunning element of this campaign is its method for bypassing security filters. The attackers have encrypted the actual malicious URL within the landing page. To decrypt and access it, the victim must first solve a CAPTCHA. This tactic is a growing concern, as it aims to circumvent conventional phishing detection systems, including those provided by Cloudflare Turnstile and Google reCAPTCHA, which might otherwise flag suspicious sites.
Successfully navigating the CAPTCHA triggers the download of a ZIP archive. Within this archive lies a Visual Basic Script (VBScript). Once activated, this initial script communicates with an external server to download a secondary VBScript. This second script then retrieves another payload, which it renames to “trm.zip.” This final archive contains installer files for two pieces of software: NetBird and OpenSSH.
Visual overview of the spear-phishing campaign deploying NetBird and OpenSSH.
In the concluding phase of the attack, NetBird and OpenSSH are installed surreptitiously on the target’s computer. The malware then establishes a hidden local administrator account, activates remote desktop functionality, and configures NetBird to launch automatically whenever the system reboots by creating scheduled tasks. To maintain its stealth, the attack script also deletes any desktop shortcuts for NetBird, making detection by the user less likely. Trellix researchers have indicated that a related redirect URL has been operational for almost a year, suggesting this campaign could be part of a longer-running malicious effort.
This incident underscores a worrying pattern observed by cybersecurity experts: the increasing abuse of legitimate remote access software. Tools such as ConnectWise ScreenConnect, Atera, Splashtop, FleetDeck, and LogMeIn Resolve are being repurposed by attackers to infiltrate networks, establish long-term footholds, and operate under the radar. Srini Seethapathy, a Trellix researcher, characterized this specific attack as “well-crafted, targeted, subtle, and designed to slip past technology and people,” highlighting its sophisticated nature.
The emergence of these attacks coincides with a broader wave of email-based social engineering tactics currently active:
The threat landscape is further complicated by the rise and accessibility of Phishing-as-a-Service (PhaaS) platforms. Cybersecurity firm Trustwave recently highlighted the operational connections between phishing kits known as Tycoon and DadSec (also referred to as Phoenix). These kits reportedly share a centralized infrastructure, with DadSec being linked by Microsoft to a threat actor identified as Storm-1575. This shared infrastructure also supports a new campaign utilizing the ‘Tycoon 2FA’ PhaaS platform, indicating a continuous evolution in adversaries’ tactics within this ecosystem.
The Haozi PhaaS kit serves as a prime example of this trend. This “plug-and-play” service, primarily in Chinese, is believed to have enabled over $280,000 in criminal proceeds within the last five months. For an annual fee of approximately $2,000, Haozi provides users with a streamlined web panel that automates the setup of phishing campaigns, a stark contrast to older kits that demanded manual script and infrastructure configuration. Haozi also innovates by offering advertising space, connecting its subscribers with third-party services like SMS vendors, and even provides customer assistance through a dedicated Telegram channel. These features make sophisticated phishing capabilities accessible even to individuals with limited technical expertise.
Microsoft has also issued advisories concerning the role of PhaaS platforms in fueling adversary-in-the-middle (AiTM) credential phishing, a threat that is particularly potent even as multi-factor authentication (MFA) adoption increases. Other advanced techniques being observed include device code phishing, OAuth consent phishing (where attackers use the Open Authorization protocol to trick users into granting malicious third-party applications access), and device join phishing (where phishing links are used to deceive targets into authorizing the domain-join of an attacker-controlled device).
Following Trellix’s disclosure, NetBird reportedly took swift action to block the malicious actors and secure its platform. It is crucial to reiterate that NetBird is a legitimate, open-source tool. The reported attacks exploited the tool through misuse via a hidden admin account, not through any inherent vulnerability in the NetBird software itself.
wscript.exe or powershell.exe being initiated by non-IT staff, especially those in executive positions.

This recent campaign targeting financial executives is a potent illustration of the evolving threat landscape. For financial institutions across the UK and the US, the increasing sophistication of phishing attacks, amplified by the accessibility of PhaaS platforms, necessitates a vigilant, multi-layered security posture. This must combine advanced technological defenses with a deeply ingrained culture of security awareness and continuous employee education.
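The following is an added detection example, not code from the article or from Trellix, covering the final-phase host changes described earlier (a new local administrator, remote desktop being enabled, a scheduled task that starts NetBird) together with the recommendation above to watch for wscript.exe or powershell.exe launched by non-IT staff. The department allowlist, host names, account name and task name are assumptions; the process events are constructed Sysmon-style records, not real telemetry.

```python
"""Detection logic for the post-CAPTCHA host stages: script hosts launched by
non-IT staff, a new local admin, RDP being enabled and a NetBird autostart
task. Constructed sample events stand in for real endpoint telemetry."""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "powershell.exe"}
IT_DEPARTMENTS = {"IT", "SecOps"}  # assumption: organisation-specific allowlist

# Command-line patterns for the remaining stages, keyed by process image name.
STAGE_RULES = {
    "local_admin_added": ("net.exe", re.compile(r"localgroup\s+administrators\s+\S+\s+/add", re.I)),
    "rdp_enabled": ("reg.exe", re.compile(r"fDenyTSConnections\b.*\s/d\s+0\b", re.I)),
    "netbird_autostart_task": ("schtasks.exe", re.compile(r"/create\b.*netbird", re.I)),
}

def classify(event):
    """Return the attack stage a process-creation event matches, or None."""
    image = event["image"].lower()
    if image in SCRIPT_HOSTS and event["dept"] not in IT_DEPARTMENTS:
        return "script_host_non_it"
    for stage, (rule_image, pattern) in STAGE_RULES.items():
        if image == rule_image and pattern.search(event["cmdline"]):
            return stage
    return None

def detect_remote_access_chain(events, min_stages=2):
    """Group matched stages per (host, user) and flag the pair once min_stages
    distinct stages occur: a lone script launch is noisy, the chain is not."""
    seen = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            seen[(ev["host"], ev["user"])].add(stage)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_stages}

# Constructed sample telemetry (not from the Trellix report): a CFO workstation
# showing the full chain, and an IT admin running a legitimate script.
SAMPLE_EVENTS = [
    {"host": "FIN-CFO-01", "user": "cfo", "dept": "Finance", "image": "wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\cfo\Downloads\opportunity.vbs"'},
    {"host": "FIN-CFO-01", "user": "cfo", "dept": "Finance", "image": "net.exe",
     "cmdline": "net localgroup administrators svc_update /add"},
    {"host": "FIN-CFO-01", "user": "cfo", "dept": "Finance", "image": "reg.exe",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"host": "FIN-CFO-01", "user": "cfo", "dept": "Finance", "image": "schtasks.exe",
     "cmdline": r'schtasks /create /tn Updater /tr "C:\Program Files\NetBird\netbird.exe up" /sc onlogon'},
    {"host": "IT-ADM-02", "user": "helpdesk", "dept": "IT", "image": "powershell.exe",
     "cmdline": "powershell.exe -File inventory.ps1"},
]
```

Only the CFO host is flagged, with all four stages; the IT admin's PowerShell launch matches no rule on its own.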