Home > Security > Security News

CFOs in the Crosshairs as Sophisticated NetBird Spear-Phishing Campaign Unfolds

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity & Streaming Writer

A multi-stage operation attempts to deploy NetBird onto compromised endpoints to establish persistent, encrypted backdoor access, targeting Chief Financial Officers and other finance executives across banking, energy, insurance, and investment sectors worldwide. 

Detailed by Trellix Advanced Research Center, this newly uncovered spear-phishing campaign leverages a legitimate WireGuard-based remote-access tool via fake emails.

The campaign begins with a highly targeted email masquerading as a recruitment opportunity from Rothschild & Co, enticing recipients with a supposed leadership position. 

Spear-phishing campaign installs Netbird and enables remote access
Spear-phishing campaign installs Netbird and enables remote access | Source: Trellix

Instead of delivering a PDF as promised, the message links to a Firebase-hosted phishing site hidden behind a custom math CAPTCHA, designed to evade detection by standard security tools. 

Initial URL webpage with custom CAPTCHA implementation
Initial URL webpage with custom CAPTCHA implementation | Source: Trellix

Upon solving the CAPTCHA, the victim receives a ZIP archive containing a VBS script. Execution of this script triggers a waterfall sequence that downloads additional payloads, ultimately installing both NetBird and OpenSSH silently. 

The malware establishes a concealed local administrator account, enables Remote Desktop Protocol (RDP), modifies firewall settings, and ensures persistence by auto-starting NetBird on boot. Attackers gain encrypted remote access channels while maintaining a low profile to avoid detection.

This campaign demonstrates an escalation in attacker sophistication. By leveraging trusted remote access tools, custom CAPTCHA gates, and staged scripting, adversaries are subverting traditional phishing defenses and endpoint protection strategies. 

Trellix notes overlaps in infrastructure with known nation-state actors, but to date, it has not attributed the activity to any specific threat group.

The geographic reach is significant, spanning financial organizations in Europe, Africa, Canada, the Middle East, and South Asia. Notably, France’s securities commission (AMF) has issued a parallel warning about similar lures.

Add a Comment
Related
A hacker trying to do phishing attack
Czech Government Attributes 2022 Cyberattack to Chinese State-Backed APT31
Spanish Police Dismantle Cybercriminal Network, Hacker ‘Alcasec’ and Former Secretary of State for Security Arrested
Online Shopping Photo
Victoria’s Secret Takes Website Offline to Contain Security Incident
Hacker accessing major telecons in the US
APT41 Leveraging Google Calendar for C2, Distributes TOUGHPROGRESS Malware
Malicious WordPress Plugin Targets Windows Users with Fake Java Update Pop-Up
Ransomware Developer Arrest
Iranian National Pleads Guilty in Robbinhood Ransomware Case
Most Popular
The Pickup
The Pickup (2025) film: All we know About Eddie Murphy, Pete Davidson & Keke Palmer’s Explosive Heist Comedy
VPN Ban Enforced in Doda Sparks Privacy Debate
VPN Ban in Doda District Sparks Debate Over Privacy and Digital Rights
Karate Kid: Legends
Karate Kid: Legends- Ending Explained, Post-Credit Scene Revealed, and more
Mercy For None
Mercy For None: What to Expect from this Gritty K-Drama Thriller Starring So Ji-seob and Huh Joon-ho
A hacker trying to do phishing attack
Czech Government Attributes 2022 Cyberattack to Chinese State-Backed APT31
Spanish Police Dismantle Cybercriminal Network, Hacker ‘Alcasec’ and Former Secretary of State for Security Arrested
The Pickup (2025) film: All we know About Eddie Murphy, Pete Davidson & Keke Palmer’s Explosive Heist Comedy
VPN Ban in Doda District Sparks Debate Over Privacy and Digital Rights
Karate Kid: Legends- Ending Explained, Post-Credit Scene Revealed, and more
Mercy For None: What to Expect from this Gritty K-Drama Thriller Starring So Ji-seob and Huh Joon-ho
Czech Government Attributes 2022 Cyberattack to Chinese State-Backed APT31
Spanish Police Dismantle Cybercriminal Network, Hacker ‘Alcasec’ and Former Secretary of State for Security Arrested

Most Popular
The Pickup
The Pickup (2025) film: All we know About Eddie Murphy, Pete Davidson & Keke Palmer’s Explosive Heist Comedy
VPN Ban Enforced in Doda Sparks Privacy Debate
VPN Ban in Doda District Sparks Debate Over Privacy and Digital Rights
Karate Kid: Legends
Karate Kid: Legends- Ending Explained, Post-Credit Scene Revealed, and more
Mercy For None
Mercy For None: What to Expect from this Gritty K-Drama Thriller Starring So Ji-seob and Huh Joon-ho
A hacker trying to do phishing attack
Czech Government Attributes 2022 Cyberattack to Chinese State-Backed APT31
Spanish Police Dismantle Cybercriminal Network, Hacker ‘Alcasec’ and Former Secretary of State for Security Arrested
The Pickup (2025) film: All we know About Eddie Murphy, Pete Davidson & Keke Palmer’s Explosive Heist Comedy
VPN Ban in Doda District Sparks Debate Over Privacy and Digital Rights
Karate Kid: Legends- Ending Explained, Post-Credit Scene Revealed, and more
Mercy For None: What to Expect from this Gritty K-Drama Thriller Starring So Ji-seob and Huh Joon-ho
Czech Government Attributes 2022 Cyberattack to Chinese State-Backed APT31
Spanish Police Dismantle Cybercriminal Network, Hacker ‘Alcasec’ and Former Secretary of State for Security Arrested

TechNadu keeps you informed with the latest in cybersecurity, VPNs, streaming, and technology. From expert guides to in-depth reviews, we provide the knowledge you need to stay secure and connected in the digital world.

© 2025 TechNadu. All Rights Reserved. TechNadu is a part of Leaprove Media LLP.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: