June 4, 2025
Fake Recruiter Emails Target CFOs Using Legit NetBird Tool Across 6 Global Regions

Cybersecurity researchers have warned of a new spear-phishing campaign that uses a legitimate remote access tool called Netbird to target Chief Financial Officers (CFOs) and financial executives at banks, energy companies, insurers, and investment firms across Europe, Africa, Canada, the Middle East, and South Asia.

“In what appears to be a multi-stage phishing operation, the attackers aimed to deploy NetBird, a legitimate WireGuard-based remote access tool on the victim’s computer,” Trellix researcher Srini Seethapathy said in an analysis.

The activity, first detected by the cybersecurity company in mid-May 2025, has not been attributed to a known threat actor or group.

The starting point of the attack is a phishing email that impersonates a recruiter from Rothschild & Co. and claims to offer a “strategic opportunity” with the company. The email is designed to entice the recipients into opening a purported PDF attachment that, in reality, is a phishing link that redirects them to a Firebase app-hosted URL.

What’s notable about the infection is that the real redirect URL is stored in the page in encrypted form and is accessible only after the victim solves a CAPTCHA verification check, ultimately leading to the download of a ZIP archive.

“Solving the puzzle executes a [JavaScript] function that decrypts it with a hard-coded key and redirects the user to the decrypted link,” Seethapathy said. “Attackers are leaning on these custom CAPTCHA gates more and more, hoping to slip past defenses that already flag phishing sites protected by Cloudflare Turnstile or Google reCAPTCHA.”

Present within the archive is a Visual Basic Script (VBScript) that’s responsible for retrieving a next-stage VBScript from an external server and launching it via “wscript.exe.” This second-stage VBScript downloader then fetches another payload from the same server, renames it to “trm.zip,” and extracts two MSI files from it: NetBird and OpenSSH.

The last phase involves installing the two programs on the infected host, creating a hidden local account, enabling remote desktop access, and persisting NetBird via scheduled tasks such that it automatically launches on system reboot. The malware also removes any NetBird desktop shortcuts to ensure that the compromise is not detected by the victim.
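Each step of the chain just described leaves a distinct trace on the endpoint, and none of them is conclusive alone, since NetBird, OpenSSH and scheduled tasks all have legitimate uses. The following Python is an added example (not Trellix's tooling or anything from the NetBird project) of correlating those traces per host inside a short time window. The event schema and all sample records are constructed assumptions; the comments name the Windows Security and Sysmon event IDs the fields would normally be mapped from.

```python
"""Correlate endpoint telemetry for the NetBird delivery chain described above.

Added example. Events use a hypothetical normalised schema (ts, host, event,
plus event-specific keys); every sample record below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # Sysmon 1: script host launched against a .vbs in the user's Temp folder
    {"ts": "2025-05-20T09:01:10", "host": "cfo-laptop", "event": "process_create",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\cfo\AppData\Local\Temp\offer.vbs"',
     "parent": r"C:\Windows\explorer.exe"},
    # Sysmon 1: the script installs the two MSIs extracted from trm.zip
    {"ts": "2025-05-20T09:01:45", "host": "cfo-laptop", "event": "process_create",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\cfo\AppData\Local\Temp\trm\netbird.msi /qn",
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"ts": "2025-05-20T09:02:05", "host": "cfo-laptop", "event": "process_create",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\cfo\AppData\Local\Temp\trm\openssh.msi /qn",
     "parent": r"C:\Windows\System32\wscript.exe"},
    # Security 4720: a new local account appears
    {"ts": "2025-05-20T09:02:30", "host": "cfo-laptop", "event": "user_created",
     "target_user": "support"},
    # Sysmon 13: Remote Desktop switched on (fDenyTSConnections = 0)
    {"ts": "2025-05-20T09:02:31", "host": "cfo-laptop", "event": "registry_set",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "value": "0"},
    # Security 4698: scheduled task that relaunches NetBird after reboot
    {"ts": "2025-05-20T09:02:40", "host": "cfo-laptop", "event": "task_created",
     "task_name": r"\NetBirdUpdate",
     "task_action": r"C:\Program Files\NetBird\netbird.exe"},
    # Sanctioned install on an IT workstation: a single indicator, no chain
    {"ts": "2025-05-20T11:00:00", "host": "it-admin", "event": "process_create",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\IT\packages\netbird.msi /qn",
     "parent": r"C:\Windows\explorer.exe"},
]


def classify(ev):
    """Map one event to an indicator name from the reported chain, or None."""
    kind = ev["event"]
    if kind == "process_create":
        img = ev["image"].lower()
        cmd = ev.get("cmdline", "").lower()
        parent = ev.get("parent", "").lower()
        if img.endswith("wscript.exe") and "\\temp\\" in cmd and cmd.rstrip('"').endswith(".vbs"):
            return "script_host_from_temp"
        if img.endswith("msiexec.exe") and ("netbird" in cmd or "openssh" in cmd):
            # An installer spawned by a script host is the suspicious variant
            return "rat_install_from_script" if parent.endswith("wscript.exe") else "rat_install"
    elif kind == "user_created":
        return "local_account_created"
    elif kind == "registry_set":
        if ev["key"].lower().endswith("fdenytsconnections") and ev["value"] == "0":
            return "rdp_enabled"
    elif kind == "task_created" and "netbird" in ev["task_action"].lower():
        return "netbird_persistence_task"
    return None


def correlate(events, window=timedelta(minutes=10), threshold=3):
    """Report hosts where `threshold` distinct indicators occur within `window`.

    Returns {host: sorted list of indicator names} for hosts that match.
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        tag = classify(ev)
        if tag:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tag))
    findings = {}
    for host, hits in by_host.items():
        for i, (start, _) in enumerate(hits):
            in_window = {tag for t, tag in hits[i:] if t - start <= window}
            if len(in_window) >= threshold:
                findings[host] = sorted(in_window)
                break
    return findings


if __name__ == "__main__":
    for host, tags in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(tags)}")
```

The sanctioned install on `it-admin` produces one indicator and stays below the threshold, while the CFO laptop trips five within ninety seconds. In a real deployment the threshold and window are tuning knobs, and the `rat_install` indicator on its own is worth a low-severity ticket wherever NetBird is not an approved tool.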

Trellix said it identified another redirect URL that has been active for nearly a year and serves the same VBScript payload, indicating that the campaign may have been around for some time.

The findings once again show how adversaries are increasingly relying on legitimate remote access applications such as ConnectWise ScreenConnect, Atera, Splashtop, FleetDeck, and LogMeIn Resolve to establish persistence and use it to burrow into the victim’s network, while simultaneously evading detection.

“This attack isn’t your typical phishing scam,” Seethapathy said. “It’s well-crafted, targeted, subtle, and designed to slip past technology and people. It is a multi-stage attack where the adversary uses social engineering and defense evasion techniques to create and maintain persistent access to the victim system.”

The disclosure coincides with the discovery of various email-based social engineering campaigns in the wild –

  • Attacks that abuse a trusted domain associated with a well-known Japanese internet service provider (ISP) to send phishing messages from the email address “company@nifty[.]com” in an attempt to get past email authentication checks and harvest credentials
  • Attacks that abuse the Google Apps Script development platform to host phishing pages that look legitimate and steal Microsoft login credentials by employing invoice-themed email lures
  • Attacks that mimic an Apple Pay invoice to steal sensitive user data, including credit card details and Yahoo Mail account details
  • Attacks that abuse Notion workspaces to host phishing pages that trick users into clicking on links that take the victims to a fake Microsoft login page under the guise of viewing a shared document and exfiltrate the credentials via a Telegram bot
  • Attacks that exploit a years-old security flaw in Microsoft Office (CVE-2017-11882) to deliver the Formbook malware variant hidden in a fake PNG file and steal sensitive data from compromised hosts

PhaaS Services Lower the Bar

The findings also come as Trustwave detailed the operational connections between Tycoon and DadSec (aka Phoenix) phishing kits, highlighting their infrastructural overlaps and the use of a centralized phishing infrastructure. DadSec is the work of a threat actor tracked by Microsoft under the moniker Storm-1575.

“The infrastructure used by DadSec is also connected to a new campaign leveraging the ‘Tycoon 2FA’ Phishing-as-a-Service (PhaaS) platform,” Trustwave researchers Cris Tomboc and King Orande said. “The investigation into the Tycoon2FA phishing kit reveals how adversaries continue to refine and expand their tactics within the Phishing-as-a-Service (PhaaS) ecosystem.”

Tycoon 2FA PhaaS Operation

The growing popularity of PhaaS services is evidenced by the emergence of a new “plug-and-play” Chinese-language kit dubbed Haozi that’s estimated to have facilitated over $280,000 worth of criminal transactions over the past five months by selling advertising to third-party services. It operates on a subscription basis for $2,000 per year.

“Unlike legacy phishing kits that require attackers to configure scripts or infrastructure manually, Haozi offers a sleek, public-facing web panel,” Netcraft said. “Once an attacker purchases a server and puts its credentials into the panel, the phishing software is automatically set up, with no need to run a single command.”

“This frictionless setup contrasts with other PhaaS tools like the AI-enabled Darcula suite, where minimal command-line usage is still necessary.”

Besides supporting an admin panel where users can manage all their campaigns in one place, Haozi has been found to offer advertising space, acting as an intermediary to connect phishing kit buyers with third-party services, such as those related to SMS vendors.

Haozi phishing dashboard

Another aspect that sets Haozi apart from other kits is a dedicated after-sales Telegram channel (@yuanbaoaichiyu) to assist customers with debugging issues and optimizing their campaigns, positioning it as an attractive option for aspiring cybercriminals who have no technical expertise.

“As enterprise security teams become more effective at detecting and addressing intrusion attempts, attackers are deploying social engineering and phishing scams, tactics that don’t require breaching a hardened perimeter,” Netcraft researcher Harry Everett said.

“PhaaS offerings lower the skill floor and scale campaigns through automation and community support. These new models function more like SaaS businesses than black-market hacking groups, complete with subscription pricing, customer service, and product updates.”

Microsoft, in an advisory published last week, further revealed how PhaaS platforms are increasingly driving adversary-in-the-middle (AiTM) credential phishing as the adoption of multi-factor authentication (MFA) surges.

Some of the other techniques include device code phishing; OAuth consent phishing, where threat actors employ the Open Authorization (OAuth) protocol and send emails with a malicious consent link for a third-party application; and device join phishing, where threat actors use a phishing link to trick targets into authorizing the domain-join of an actor-controlled device.

The Windows maker said it has observed suspected Russian-linked threat actors employing third-party application messages or emails referencing upcoming meeting invitations to deliver a malicious link containing a valid authorization code. The device join phishing technique was first documented by Volexity in April 2025.
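All three techniques leave records in identity telemetry rather than on an endpoint: a consent grant, a sign-in that used the device-code grant type, and a device registration. The Python below is an added example, not Microsoft's or Volexity's tooling, of three review heuristics a defender could run over such records. The record layout is a hypothetical normalised schema and every sample record is constructed; the permission names in `DATA_SCOPES` are real Microsoft Graph delegated permissions, and the baseline of users allowed to use the device-code flow is an assumed allow-list.

```python
"""Review identity telemetry for the phishing patterns named above: OAuth
consent grants, device-code sign-ins and device registrations.

Added example with a hypothetical normalised schema; all records are constructed.
"""
from collections import defaultdict

# Delegated Microsoft Graph permissions that expose mailbox, file or contact data
DATA_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
               "Files.ReadWrite.All", "Contacts.Read"}

CONSENT_GRANTS = [  # constructed consent audit records
    {"user": "cfo@example.com", "app": "Meeting Notes Sync",
     "publisher_verified": False, "admin_consent": False,
     "scopes": ["User.Read", "Mail.Read", "offline_access"]},
    {"user": "analyst@example.com", "app": "Expense Portal",
     "publisher_verified": True, "admin_consent": True,
     "scopes": ["User.Read", "offline_access"]},
]

SIGN_INS = [  # constructed; "grant" is the OAuth grant type the sign-in used
    {"user": "cfo@example.com", "grant": "authorization_code", "country": "GB"},
    {"user": "cfo@example.com", "grant": "authorization_code", "country": "GB"},
    {"user": "cfo@example.com", "grant": "device_code", "country": "NL"},
    {"user": "engineer@example.com", "grant": "authorization_code", "country": "GB"},
    {"user": "engineer@example.com", "grant": "device_code", "country": "GB"},
]

DEVICE_JOINS = [  # constructed device registration audit records
    {"user": "cfo@example.com", "device": "DESKTOP-7Q1", "country": "NL"},
    {"user": "engineer@example.com", "device": "build-vm-03", "country": "GB"},
]

# Users whose role legitimately uses the device-code flow (CLI tooling,
# headless hosts). Hypothetical allow-list maintained by the identity team.
DEVICE_CODE_BASELINE = {"engineer@example.com"}


def assess_consent(grant):
    """Return the reasons a consent grant deserves review (empty if none)."""
    scopes = set(grant["scopes"])
    data = sorted(scopes & DATA_SCOPES)
    reasons = []
    if not data:
        return reasons  # profile-only scopes: nothing worth exfiltrating
    if not grant["publisher_verified"]:
        reasons.append("unverified publisher granted " + ", ".join(data))
    if "offline_access" in scopes:
        reasons.append("offline_access: refresh token outlives the session")
    if not grant["admin_consent"]:
        reasons.append("user consent, never reviewed by an admin")
    return reasons


def flag_consents(grants):
    """(user, app, reasons) for every grant with at least one reason."""
    return [(g["user"], g["app"], r) for g in grants if (r := assess_consent(g))]


def usual_countries(sign_ins):
    """Countries seen in ordinary browser (authorization-code) sign-ins, per user."""
    seen = defaultdict(set)
    for s in sign_ins:
        if s["grant"] == "authorization_code":
            seen[s["user"]].add(s["country"])
    return seen


def flag_device_code(sign_ins, baseline=DEVICE_CODE_BASELINE):
    """Device-code sign-ins by users with no business reason to use that flow."""
    return [s for s in sign_ins
            if s["grant"] == "device_code" and s["user"] not in baseline]


def flag_device_joins(joins, sign_ins):
    """Device registrations from a country the user has never signed in from."""
    usual = usual_countries(sign_ins)
    return [j for j in joins if j["country"] not in usual[j["user"]]]


if __name__ == "__main__":
    for user, app, reasons in flag_consents(CONSENT_GRANTS):
        print(f"consent  {user} -> {app}: {'; '.join(reasons)}")
    for s in flag_device_code(SIGN_INS):
        print(f"devcode  {s['user']} from {s['country']}")
    for j in flag_device_joins(DEVICE_JOINS, SIGN_INS):
        print(f"join     {j['user']} registered {j['device']} from {j['country']}")
```

The consent check is the one with lasting effect: a grant that carries `offline_access` hands the attacker a refresh token, so revoking the user's sessions is not enough and the grant itself has to be removed. The two sign-in checks are heuristics that depend on a maintained baseline; an organisation that cannot produce one is better served by disabling the device-code flow for users who do not need it.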

“While both end users and automated security measures have become more capable at identifying malicious phishing attachments and links, motivated threat actors continue to rely on exploiting human behavior with convincing lures,” Igor Sakhnov, corporate vice president and deputy CISO of Identity at Microsoft, said.

“As these attacks hinge on deceiving users, user training and awareness of commonly identified social engineering techniques are key to defending against them.”
