Researchers identified a sophisticated spear-phishing campaign leveraging NetBird, a legitimate WireGuard-based remote access tool, to gain persistent access to high-level financial executives’ systems.
This campaign specifically targeted Chief Financial Officers (CFOs) and finance executives at banks, insurance companies, energy firms, and investment institutions across Europe, Africa, Canada, the Middle East, and South Asia.
Advanced Social Engineering
The operation began with carefully crafted emails impersonating a Rothschild & Co recruiter, offering enticing “strategic opportunities” to executive recipients.
These socially engineered messages included a fake PDF attachment, which, when clicked, redirected victims to a Firebase-hosted webpage featuring a custom math CAPTCHA.

This CAPTCHA was designed to bypass traditional phishing defenses, including those that flag websites protected by reCAPTCHA or Cloudflare’s Turnstile.
Once solved, the CAPTCHA triggered a download of a ZIP archive named “Rothschild_&_Co-6745763.zip.”
The archive contained a lightweight VBS script; executing it started a multi-stage payload retrieval process:
- The initial VBS used MSXML2.XMLHTTP to pull a second VBS file disguised as “pull.pdf” from a remote server.
- The second-stage script downloaded a further payload, which, when renamed to a ZIP, unpacked two MSI installers for NetBird and OpenSSH.
- These packages were silently installed. The script also created a hidden local administrator account, enabled Remote Desktop Protocol (RDP), opened the Windows firewall for it, and scheduled NetBird to auto-start at boot.
Critically, the attackers ensured stealth by removing NetBird desktop shortcuts and using generic, nondescript usernames for the admin account, maximizing persistence while minimizing visibility.
Wider Infrastructure
Analysis by Trellix revealed partial infrastructure overlap with previous nation-state spear-phishing activity.

However, as of publication, the exact threat group remains unidentified. Notably, some elements, including the custom CAPTCHA and the VBS downloader, were observed in lookalike campaigns as early as mid-2024, showing long-term use and refinement of the attack tactics.
The scheme’s sophistication is further underlined by its defense-evasion techniques: legitimate, signed binaries for software installation, scripting for execution, custom CAPTCHAs, and legitimate network protocols (WireGuard, SSH, RDP) to maintain covert access.
The campaign’s victims spanned multiple sectors and countries, including banking, insurance, energy, mining, investment, and even semiconductor industries.
Recent advisories from the Autorité des marchés financiers (AMF) in France highlight the ongoing risk, with overlapping indicators observed.
Given the attackers’ ability to establish encrypted backdoors, create hidden privileged accounts, and enable persistent remote access, compromised systems are at significant risk of further lateral movement, data exfiltration, and potential financial or reputational damage.
Security teams are urged to enforce greater scrutiny on unsolicited executive-targeted emails, particularly those featuring non-standard attachments or download links.
Endpoints should be monitored for the execution of scripts by non-IT staff, suspicious user creation, and anomalous MSI installation events.
Regular employee training, endpoint detection and response (EDR) deployment, and threat simulation exercises aligned with emerging phishing trends are strongly recommended.
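The monitoring advice above maps directly onto the chain the article describes: a script engine launched from a user-writable path, a new local user promoted to Administrators, RDP enabled in the registry, a firewall rule added, MSI installs of the remote-access tools, and a scheduled task for auto-start. The following Python is an added example (not code from the article or from Trellix) that correlates such events per host inside a time window; the event records are constructed to resemble Windows Security (4688, 4720, 4732) and Application (MsiInstaller 11707) log entries, and the field names are assumptions.

```python
"""Correlate endpoint events into the stages of the NetBird dropper chain.

Added example, not from the original article. Records are constructed
samples; field names (host, ts, event_id, process, command, ...) are assumed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta


def _cmd(e: dict) -> str:
    return e.get("command", "")


def stage_script_engine(e: dict) -> bool:
    """wscript/cscript run against a file in Downloads, Temp or AppData."""
    return (e["event_id"] == 4688
            and re.search(r"\\[wc]script\.exe$", e.get("process", ""), re.I) is not None
            and re.search(r"\\(Downloads|Temp|AppData)\\", _cmd(e), re.I) is not None)


def stage_user_created(e: dict) -> bool:
    return e["event_id"] == 4720  # "A user account was created"


def stage_added_to_admins(e: dict) -> bool:
    return e["event_id"] == 4732 and e.get("group", "").lower() == "administrators"


def stage_rdp_enabled(e: dict) -> bool:
    """reg add ... fDenyTSConnections /d 0 turns Remote Desktop on."""
    return (e["event_id"] == 4688 and "fDenyTSConnections" in _cmd(e)
            and re.search(r"/d\s+0\b", _cmd(e)) is not None)


def stage_firewall_rule(e: dict) -> bool:
    return (e["event_id"] == 4688
            and re.search(r"netsh\s+advfirewall\s+firewall\s+add\s+rule", _cmd(e), re.I) is not None)


def stage_remote_access_msi(e: dict) -> bool:
    """MsiInstaller 11707: installation completed for NetBird or OpenSSH."""
    return e["event_id"] == 11707 and re.search(r"netbird|openssh", e.get("product", ""), re.I) is not None


def stage_autostart_task(e: dict) -> bool:
    return (e["event_id"] == 4688
            and re.search(r"schtasks(\.exe)?\s+/create", _cmd(e), re.I) is not None
            and re.search(r"/sc\s+(onstart|onlogon)", _cmd(e), re.I) is not None)


STAGE_RULES = [
    ("script_engine_from_user_path", stage_script_engine),
    ("local_user_created", stage_user_created),
    ("added_to_administrators", stage_added_to_admins),
    ("rdp_enabled", stage_rdp_enabled),
    ("firewall_rule_added", stage_firewall_rule),
    ("remote_access_msi_installed", stage_remote_access_msi),
    ("autostart_task_created", stage_autostart_task),
]


def correlate(events: list[dict], window: timedelta = timedelta(minutes=30)) -> dict:
    """Return {host: {"stages": [...], "score": n}} for every host on which at
    least two distinct stages fall inside one sliding window of length `window`."""
    by_host: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = {}
    for host, evs in by_host.items():
        hits = sorted((datetime.fromisoformat(e["ts"]), name)
                      for e in evs for name, rule in STAGE_RULES if rule(e))
        best: set[str] = set()
        for i, (t0, _) in enumerate(hits):  # densest window of distinct stages
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) > len(best):
                best = stages
        if len(best) >= 2:
            findings[host] = {"stages": sorted(best), "score": len(best)}
    return findings


# Constructed sample telemetry: one executive laptop showing the full chain and
# one IT workstation with a legitimate OpenSSH install only.
SAMPLE_EVENTS = [
    {"host": "FIN-LAPTOP-01", "ts": "2025-05-15T09:02:10", "event_id": 4688,
     "process": r"C:\Windows\System32\wscript.exe",
     "command": r'wscript.exe "C:\Users\jdoe\Downloads\Rothschild_&_Co-6745763.vbs"'},
    {"host": "FIN-LAPTOP-01", "ts": "2025-05-15T09:02:25", "event_id": 4688,
     "process": r"C:\Windows\System32\wscript.exe",
     "command": r'wscript.exe "C:\Users\jdoe\AppData\Local\Temp\pull.vbs"'},
    {"host": "FIN-LAPTOP-01", "ts": "2025-05-15T09:03:40", "event_id": 11707, "product": "NetBird"},
    {"host": "FIN-LAPTOP-01", "ts": "2025-05-15T09:03:55", "event_id": 11707, "product": "OpenSSH"},
    {"host": "FIN-LAPTOP-01", "ts": "2025-05-15T09:04:02", "event_id": 4720, "target_user": "user"},
    {"host": "FIN-LAPTOP-01", "ts": "2025-05-15T09:04:03", "event_id": 4732, "group": "Administrators"},
    {"host": "FIN-LAPTOP-01", "ts": "2025-05-15T09:04:05", "event_id": 4688, "process": r"C:\Windows\System32\reg.exe",
     "command": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"host": "FIN-LAPTOP-01", "ts": "2025-05-15T09:04:06", "event_id": 4688, "process": r"C:\Windows\System32\netsh.exe",
     "command": 'netsh advfirewall firewall add rule name="Remote Desktop" dir=in action=allow protocol=TCP localport=3389'},
    {"host": "FIN-LAPTOP-01", "ts": "2025-05-15T09:04:08", "event_id": 4688, "process": r"C:\Windows\System32\schtasks.exe",
     "command": r'schtasks /create /tn "NetBird" /tr "C:\Program Files\NetBird\netbird.exe" /sc onstart /ru SYSTEM'},
    {"host": "IT-ADMIN-02", "ts": "2025-05-15T10:30:00", "event_id": 11707, "product": "OpenSSH"},
]

if __name__ == "__main__":
    for host, f in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: score={f['score']} stages={', '.join(f['stages'])}")
```

Scoring on distinct stages inside a window, rather than alerting on any single event, keeps a lone OpenSSH install by an administrator below the threshold while the executive laptop, where all seven stages land within two minutes, scores 7; shrinking the window to a few seconds still catches the account-to-autostart burst.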
Indicators of Compromise (IOC)
| Indicator Type | Value | Context / Purpose |
|---|---|---|
| Email Sender | <redacted>[email protected] | Impersonated recruiter |
| Email Subject | Rothschild & Co leadership opportunity (Confidential) | Social engineering lure |
| Email Reply-to | [email protected] | Alternate reply address |
| IP Address (C2) | 192[.]3[.]95[.]152 | Hosts stage-2 payloads |
| Stage-0 URL | hxxps://googl-6c11f.firebaseapp[.]com/job/file-846873865383.html | Phishing page with custom CAPTCHA |
| Redirect URL | hxxps://googl-6c11f.web[.]app/job/9867648797586_Scan_15052025-736574.html | ZIP download page |
| ZIP Download | Rothschild_&_Co-6745763.zip | Archive with VBS payload |
| Stage-1 Payload | hxxp://192[.]3[.]95[.]152/cloudshare/atr/pull.pdf | Downloaded as pull.vbs |
| Stage-2 Payload | hxxp://192[.]3[.]95[.]152/cloudshare/atr/trm | Downloaded, unpacked |
| Malicious File | Rothschild_&_Co-6745763.zip (MD5 4cd73946b68b2153dbff7dee004012c3) | VBS dropper archive |
| Malicious File | Rothschild_&_Co-6745763.vbs (MD5 53192b6ba65a6abd44f167b3a8d0e52d) | Stage-1 VBS |
| Malicious File | pull.vbs (MD5 b91162a019934b9cb3c084770ac03efe) | Stage-2 VBS |
| Local Admin Account | user / Bs@202122 | Hidden account |
| NetBird Setup Key | E48E4A70-4CF4-4A77-946B-C8E50A60855A | Used for auto-enrollment |
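The indicators above are published defanged (hxxp, [.]), so they cannot be pasted into a log search as-is. The Python below is an added example (not from the article or from Trellix) that refangs the URL, IP and hash indicators from the table, derives hostnames for DNS-style logs, and sweeps a handful of constructed proxy, DNS and EDR log lines for them; the log lines and their field layout are made up for the demonstration.

```python
"""Refang the published indicators and sweep log lines for them.

Added example, not part of the original article. IoC values are copied from
the table above; SAMPLE_LOGS are constructed lines in an assumed format.
"""
from __future__ import annotations

import re

# Subset of the table above, exactly as published (defanged).
DEFANGED_IOCS = {
    "c2_ip": "192[.]3[.]95[.]152",
    "stage0_url": "hxxps://googl-6c11f.firebaseapp[.]com/job/file-846873865383.html",
    "redirect_url": "hxxps://googl-6c11f.web[.]app/job/9867648797586_Scan_15052025-736574.html",
    "stage1_url": "hxxp://192[.]3[.]95[.]152/cloudshare/atr/pull.pdf",
    "stage2_url": "hxxp://192[.]3[.]95[.]152/cloudshare/atr/trm",
    "zip_md5": "4cd73946b68b2153dbff7dee004012c3",
    "vbs_md5": "53192b6ba65a6abd44f167b3a8d0e52d",
    "pull_vbs_md5": "b91162a019934b9cb3c084770ac03efe",
}


def refang(value: str) -> str:
    """Undo common defanging: hxxp(s) -> http(s); [.] (.) {.} -> '.'; [:] -> ':'; [@] -> '@'."""
    value = re.sub(r"^hxxp", "http", value, flags=re.I)
    value = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value)
    return value.replace("[:]", ":").replace("[@]", "@")


def hostname_of(url: str) -> str | None:
    """Host part of an http(s) URL, lower-cased, or None for non-URL values."""
    m = re.match(r"^https?://([^/:]+)", url, re.I)
    return m.group(1).lower() if m else None


def build_matchers(iocs: dict[str, str]) -> list[tuple[str, str]]:
    """(name, needle) pairs: the refanged value itself plus, for URLs with a
    DNS name, the bare hostname so resolver logs without a URL still match."""
    matchers = []
    for name, raw in iocs.items():
        value = refang(raw)
        matchers.append((name, value.lower()))
        host = hostname_of(value)
        if host and not re.fullmatch(r"[\d.]+", host):  # skip bare-IP hosts
            matchers.append((name + "_host", host))
    return matchers


def scan(lines: list[str], iocs: dict[str, str] = DEFANGED_IOCS) -> list[tuple[int, str]]:
    """Return (line_number, indicator_name) for every indicator found in each line."""
    matchers = build_matchers(iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        hits.extend((n, name) for name, needle in matchers if needle in low)
    return hits


# Constructed log lines (format assumed): DNS, web proxy, EDR file event, benign DNS.
SAMPLE_LOGS = [
    "2025-05-15T09:01:58Z dns client=10.20.4.31 query=googl-6c11f.web.app type=A",
    "2025-05-15T09:02:12Z proxy user=jdoe dst=192.3.95.152 url=http://192.3.95.152/cloudshare/atr/pull.pdf status=200",
    "2025-05-15T09:02:30Z edr host=FIN-LAPTOP-01 file=pull.vbs md5=b91162a019934b9cb3c084770ac03efe",
    "2025-05-15T09:05:00Z dns client=10.20.4.77 query=www.example.com type=A",
]

if __name__ == "__main__":
    for line_no, name in scan(SAMPLE_LOGS):
        print(f"line {line_no}: {name}")
```

Matching the bare hostname as well as the full URL is what lets the DNS line, which never carries a path, still trip on the redirect domain, while the proxy line matches both the C2 address and the stage-1 URL; hash indicators match only the EDR line.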