
CFOs targeted globally by phishing attacks

A sophisticated global spear-phishing campaign is actively targeting Chief Financial Officers (CFOs) and senior financial executives. This operation, affecting banking, energy, insurance, and investment firms across multiple regions, underscores a dangerous trend of legitimate software being weaponized and the increasing accessibility of Phishing-as-a-Service (PhaaS) platforms that lower the barrier for cybercriminals.

  • Nikita Alexander
  • June 2, 2025
  • 7 minutes

Chief Financial Officers and high-ranking financial executives globally are being targeted by a sophisticated spear-phishing campaign that cleverly weaponizes a legitimate remote access application, NetBird. Cybersecurity firm Trellix reported first identifying this operation in mid-May 2025, noting its reach across vital sectors such as banking, energy, insurance, and investment firms in Europe, Africa, Canada, the Middle East, and South Asia.

The currently unattributed attackers are executing a multi-layered phishing strategy designed to install NetBird, a remote access tool built on WireGuard technology, onto victims’ systems. This grants the perpetrators persistent, covert access to compromised networks.

The attack sequence typically initiates with a deceptive email. These messages are crafted to appear as though they originate from recruiters at the prestigious financial institution Rothschild & Co., presenting a “strategic opportunity” to the recipient. Instead of a genuine PDF attachment, the embedded link directs the unsuspecting executive to a webpage hosted on Firebase.

A particularly cunning element of this campaign is its method for bypassing security filters. The attackers have encrypted the actual malicious URL within the landing page. To decrypt and access it, the victim must first solve a CAPTCHA. This tactic is a growing concern, as it aims to circumvent conventional phishing detection systems, including those provided by Cloudflare Turnstile and Google reCAPTCHA, which might otherwise flag suspicious sites.

Successfully navigating the CAPTCHA triggers the download of a ZIP archive. Within this archive lies a Visual Basic Script (VBScript). Once activated, this initial script communicates with an external server to download a secondary VBScript. This second script then retrieves another payload, which it renames to “trm.zip.” This final archive contains installer files for two pieces of software: NetBird and OpenSSH.

Visual overview of the spear-phishing campaign deploying NetBird and OpenSSH.

In the concluding phase of the attack, NetBird and OpenSSH are installed surreptitiously on the target’s computer. The malware then establishes a hidden local administrator account, activates remote desktop functionality, and configures NetBird to launch automatically whenever the system reboots by creating scheduled tasks. To maintain its stealth, the attack script also deletes any desktop shortcuts for NetBird, making detection by the user less likely. Trellix researchers have indicated that a related redirect URL has been operational for almost a year, suggesting this campaign could be part of a longer-running malicious effort.

This incident underscores a worrying pattern observed by cybersecurity experts: the increasing abuse of legitimate remote access software. Tools such as ConnectWise ScreenConnect, Atera, Splashtop, FleetDeck, and LogMeIn Resolve are being repurposed by attackers to infiltrate networks, establish long-term footholds, and operate under the radar. Srini Seethapathy, a Trellix researcher, characterized this specific attack as “well-crafted, targeted, subtle, and designed to slip past technology and people,” highlighting its sophisticated nature.

The emergence of these attacks coincides with a broader wave of email-based social engineering tactics currently active:

  • Malicious actors are exploiting the trusted domain of a prominent Japanese Internet Service Provider to distribute phishing emails, aiming to bypass authentication checks and steal credentials.
  • The Google Apps Script platform is being misused to host realistic-looking phishing pages, often employing invoice-themed lures to deceive victims into surrendering Microsoft login details.
  • Fraudulent campaigns are mimicking Apple Pay invoices to trick users into divulging sensitive information, including credit card numbers and Yahoo Mail account credentials.
  • Notion workspaces are being abused to host phishing pages that redirect victims to counterfeit Microsoft login portals, typically under the guise of accessing a shared document, with stolen credentials often exfiltrated via Telegram bots.
  • Threat actors continue to exploit older vulnerabilities, such as CVE-2017-11882 in Microsoft Office, to distribute malware like Formbook, concealed within seemingly harmless fake PNG files.

The democratization of phishing

The threat landscape is further complicated by the rise and accessibility of Phishing-as-a-Service (PhaaS) platforms. Cybersecurity firm Trustwave recently highlighted the operational connections between phishing kits known as Tycoon and DadSec (also referred to as Phoenix). These kits reportedly share a centralized infrastructure, with DadSec being linked by Microsoft to a threat actor identified as Storm-1575. This shared infrastructure also supports a new campaign utilizing the ‘Tycoon 2FA’ PhaaS platform, indicating a continuous evolution in adversaries’ tactics within this ecosystem.

The Haozi PhaaS kit serves as a prime example of this trend. This “plug-and-play” service, primarily in Chinese, is believed to have enabled over $280,000 in criminal proceeds within the last five months. For an annual fee of approximately $2,000, Haozi provides users with a streamlined web panel that automates the setup of phishing campaigns, a stark contrast to older kits that demanded manual script and infrastructure configuration. Haozi also innovates by offering advertising space, connecting its subscribers with third-party services like SMS vendors, and even provides customer assistance through a dedicated Telegram channel. These features make sophisticated phishing capabilities accessible even to individuals with limited technical expertise.

Microsoft has also issued advisories concerning the role of PhaaS platforms in fueling adversary-in-the-middle (AiTM) credential phishing, a threat that is particularly potent even as multi-factor authentication (MFA) adoption increases. Other advanced techniques being observed include device code phishing, OAuth consent phishing (where attackers use the Open Authorization protocol to trick users into granting malicious third-party applications access), and device join phishing (where phishing links are used to deceive targets into authorizing the domain-join of an attacker-controlled device).

Following Trellix’s disclosure, NetBird reportedly took swift action to block the malicious actors and secure its platform. It is crucial to reiterate that NetBird is a legitimate, open-source tool. The reported attacks exploited the tool through misuse via a hidden admin account, not through any inherent vulnerability in the NetBird software itself.

Recommendations for CFOs and executive personnel:

  • Approach unsolicited career opportunities or recruitment emails with a high degree of skepticism, especially if they involve downloading ZIP files or clicking on unfamiliar links.
  • Under no circumstances should security warnings be bypassed to enable content or run scripts from downloaded files.
  • Report any unusual or suspicious contact attempts to your organization’s security team promptly. Early reporting is often critical in preventing a successful compromise.

Recommendations for cybersecurity defenders:

  • Deploy robust Endpoint Detection and Response (EDR) solutions to gain visibility into and receive alerts for suspicious activities, such as unusual script execution (via PowerShell, CMD.exe, MSHTA, WScript) and the creation of unauthorized user accounts, particularly those with elevated privileges.
  • Maintain close observation of processes like wscript.exe or powershell.exe being initiated by non-IT staff, especially those in executive positions.
  • Conduct regular audits of MSIExec activity on end-user devices to detect any anomalous installations, particularly those driven by scripts.
  • Establish and enforce policy rules to identify and investigate uncommon combinations of ZIP archives and VBS files.
  • Ensure continuous monitoring for new local accounts being added to the Administrators group, paying special attention to accounts with generic usernames (e.g., “user”).
  • Integrate intelligence on current phishing trends and themes into regular cybersecurity awareness training and phishing simulation exercises for all employees.
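The defender recommendations above describe a sequence that can be correlated from standard Windows Security log events on a single host: a script host (wscript.exe, powershell.exe, mshta.exe) launched by a non-IT user, a new local account (event 4720), that account being added to Administrators (event 4732), and a scheduled task being registered for persistence (event 4698). The following Python script is an added example written for this article, not detection logic from Trellix, NetBird, or the author; the event IDs are the real Windows Security log IDs, but the host names, user names, file paths, the `IT_USERS` allow-list and the sample events are constructed for illustration.

```python
"""Correlate Windows Security events into the post-phishing pattern described
in the article: script-host execution by a non-IT user, creation of a local
account, its addition to Administrators, and scheduled-task persistence, all on
the same host inside a short window.

Added example, not Trellix's or NetBird's code. Event IDs are the standard
Windows Security log IDs (4688 process creation, 4720 user account created,
4732 member added to a local group, 4698 scheduled task created). All sample
events, hosts, users and paths below are constructed, not captured.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}
GENERIC_NAMES = {"user", "admin", "administrator", "support", "test"}
IT_USERS = {"itops"}           # hypothetical allow-list of IT staff accounts
WINDOW = timedelta(minutes=30)  # how close the indicators must be to correlate

# Constructed sample events (hypothetical hosts, users, paths and task names).
EVENTS = [
    {"ts": "2025-05-20T09:02:11", "id": 4688, "host": "FIN-LAPTOP-07", "user": "jdoe",
     "process": r"C:\Windows\System32\wscript.exe"},
    {"ts": "2025-05-20T09:05:40", "id": 4720, "host": "FIN-LAPTOP-07", "user": "jdoe",
     "target": "user"},
    {"ts": "2025-05-20T09:05:41", "id": 4732, "host": "FIN-LAPTOP-07", "user": "jdoe",
     "group": "Administrators", "member": "user"},
    {"ts": "2025-05-20T09:06:02", "id": 4698, "host": "FIN-LAPTOP-07", "user": "jdoe",
     "task": r"\Example Remote Access Task"},
    # Benign IT activity: an account is created and made admin, but no script
    # host by a non-IT user and no scheduled task follow, so no alert.
    {"ts": "2025-05-20T14:10:00", "id": 4720, "host": "IT-ADMIN-01", "user": "itops",
     "target": "svc_backup"},
    {"ts": "2025-05-20T14:10:05", "id": 4732, "host": "IT-ADMIN-01", "user": "itops",
     "group": "Administrators", "member": "svc_backup"},
    {"ts": "2025-05-20T15:00:00", "id": 4688, "host": "IT-ADMIN-01", "user": "itops",
     "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def classify(event):
    """Map one event to a named indicator, or None if it is not of interest."""
    eid = event["id"]
    if eid == 4688:
        exe = event["process"].rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS and event["user"] not in IT_USERS:
            return "script_host_by_non_it_user"
    elif eid == 4720:
        return "local_account_created"
    elif eid == 4732 and event.get("group", "").lower() == "administrators":
        return "added_to_administrators"
    elif eid == 4698:
        return "scheduled_task_created"
    return None


def correlate(events, window=WINDOW):
    """Return one alert per host where >= 3 distinct indicators fall within `window`."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        tag = classify(ev)
        if tag:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tag, ev))

    alerts = []
    for host, items in by_host.items():
        for i, (t0, _, _) in enumerate(items):
            in_window = [x for x in items[i:] if x[0] - t0 <= window]
            tags = {tag for _, tag, _ in in_window}
            if len(tags) >= 3:
                # Flag generic account names like "user", as the article recommends.
                generic = sorted({ev["target"] for _, tag, ev in in_window
                                  if tag == "local_account_created"
                                  and ev["target"].lower() in GENERIC_NAMES})
                alerts.append({"host": host, "start": t0.isoformat(),
                               "indicators": sorted(tags),
                               "generic_account_names": generic})
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The threshold of three distinct indicators keeps ordinary IT work (an admin creating a service account) below the alert line while still firing on the article's chain even if one event is missed; in production the `IT_USERS` set would come from the directory, and the events from an EDR or SIEM export rather than an inline list.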

This recent campaign targeting financial executives is a potent illustration of the evolving threat landscape. For financial institutions across the UK and the US, the increasing sophistication of phishing attacks, amplified by the accessibility of PhaaS platforms, necessitates a vigilant, multi-layered security posture. This must combine advanced technological defenses with a deeply ingrained culture of security awareness and continuous employee education.