Multi-stage operation impersonates Rothschild & Co recruiters to deploy remote access software across six regions
Cybersecurity researchers have uncovered a sophisticated spear-phishing campaign targeting Chief Financial Officers and financial executives at banks, energy companies, insurers, and investment firms across Europe, Africa, Canada, the Middle East, and South Asia. The campaign, first detected by Trellix in mid-May 2025, uses a legitimate remote access tool called NetBird to establish persistent access to victim systems while evading traditional security measures.
The attack begins with carefully crafted phishing emails that impersonate recruiters from Rothschild & Co, claiming to offer strategic career opportunities to high-profile financial executives. The emails carry an attachment that looks like a PDF but instead redirects victims to a Firebase-hosted URL requiring CAPTCHA verification. This custom CAPTCHA gate serves both as a defense evasion mechanism and as the step that decrypts the real redirect URL in JavaScript, ultimately leading to the download of a malicious ZIP archive containing Visual Basic Scripts.
The multi-stage payload deployment process involves downloading and executing additional VBScript components that ultimately install both NetBird and OpenSSH on the compromised system. The malware creates a hidden local account, enables remote desktop access, and establishes persistence through scheduled tasks while removing NetBird desktop shortcuts to avoid detection. This approach allows attackers to maintain long-term access to financial networks while appearing to use legitimate administrative tools.
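The host-side chain described above (a script host launched from the extracted archive, a new local account, remote desktop switched on, a scheduled task that keeps NetBird running, and the NetBird shortcut removed) is the part a defender can correlate in endpoint telemetry. The following Python is an added example and is not code from the article or from Trellix: it classifies constructed Sysmon- and Windows Security-style events into those stages and flags a host only when a script-host launch is followed within a short window by later stages. Hostnames, user names, file paths, the NetBird install path and timestamps are all invented; the event IDs (Sysmon 1, 13, 23; Security 4720, 4698) and the fDenyTSConnections registry value are standard Windows and Sysmon identifiers.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for two hosts (not real logs). Field names
# loosely follow Sysmon (EventID 1 process create, 13 registry value set,
# 23 file delete) and Windows Security (4720 account created, 4698 scheduled
# task created). Every host, user, path and timestamp below is made up.
SAMPLE_LOG_LINES = [
    # FIN-WS-07: the full chain within a few minutes of a VBScript launch
    r'{"host": "FIN-WS-07", "time": "2025-05-20T09:12:03", "EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe C:\\Users\\cfo\\AppData\\Local\\Temp\\offer.vbs"}',
    r'{"host": "FIN-WS-07", "time": "2025-05-20T09:13:40", "EventID": 4720, "TargetUserName": "support", "SubjectUserName": "cfo"}',
    r'{"host": "FIN-WS-07", "time": "2025-05-20T09:13:55", "EventID": 13, "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections", "Details": "DWORD (0x00000000)"}',
    r'{"host": "FIN-WS-07", "time": "2025-05-20T09:16:10", "EventID": 4698, "TaskName": "\\Updater", "TaskContent": "<Task><Actions><Exec><Command>C:\\Program Files\\NetBird\\netbird.exe</Command></Exec></Actions></Task>"}',
    r'{"host": "FIN-WS-07", "time": "2025-05-20T09:16:12", "EventID": 23, "TargetFilename": "C:\\Users\\Public\\Desktop\\NetBird.lnk"}',
    # FIN-WS-12: ordinary admin activity with no preceding script launch,
    # plus a lone script launch with nothing following it
    r'{"host": "FIN-WS-12", "time": "2025-05-20T10:02:00", "EventID": 4720, "TargetUserName": "intern01", "SubjectUserName": "helpdesk"}',
    r'{"host": "FIN-WS-12", "time": "2025-05-20T10:05:00", "EventID": 4698, "TaskName": "\\Backup", "TaskContent": "<Task><Actions><Exec><Command>C:\\Tools\\backup.exe</Command></Exec></Actions></Task>"}',
    r'{"host": "FIN-WS-12", "time": "2025-05-20T14:00:00", "EventID": 1, "Image": "C:\\Windows\\System32\\cscript.exe", "CommandLine": "cscript.exe C:\\Scripts\\inventory.vbs"}',
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Setting this value to 0 enables Remote Desktop connections on the host.
RDP_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"


def load_events(lines):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def classify(event):
    """Map one event to a stage of the chain, or None if it is not relevant."""
    eid = event.get("EventID")
    if eid == 1:
        if event.get("Image", "").lower().endswith(SCRIPT_HOSTS):
            return "script_host_launch"
    elif eid == 4720:
        return "local_account_created"
    elif eid == 13:
        if (event.get("TargetObject", "").lower() == RDP_KEY.lower()
                and "0x00000000" in event.get("Details", "")):
            return "rdp_enabled"
    elif eid == 4698:
        task = (event.get("TaskName", "") + event.get("TaskContent", "")).lower()
        if "netbird" in task:
            return "netbird_task_persistence"
    elif eid == 23:
        name = event.get("TargetFilename", "").lower()
        if name.endswith(".lnk") and "netbird" in name:
            return "netbird_shortcut_removed"
    return None


def correlate(events, window=timedelta(minutes=30)):
    """Return {host: sorted stage names} for every host where a script-host
    launch is followed within `window` by at least one further stage.
    A single stage on its own (an admin creating an account, a stray
    cscript run) is deliberately not reported."""
    by_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), stage))

    findings = {}
    for host, items in by_host.items():
        items.sort()
        best = set()
        for t0, stage in items:
            if stage != "script_host_launch":
                continue  # the chain is anchored on the script launch
            seen = {s for t, s in items if t0 <= t <= t0 + window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= 2:
            findings[host] = sorted(best)
    return findings


if __name__ == "__main__":
    for host, stages in correlate(load_events(SAMPLE_LOG_LINES)).items():
        print(f"{host}: {len(stages)}/5 stages matched -> {', '.join(stages)}")
```

Anchoring on the script launch keeps the rule from firing on routine account creation or task scheduling; raising the threshold from two stages to three trades recall for fewer alerts, and the window can be widened if the installer stages arrive more slowly in real telemetry.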
The campaign represents a broader trend of cybercriminals leveraging legitimate remote access applications to bypass security controls and establish persistent network presence. Researchers note that adversaries are increasingly relying on tools like ConnectWise ScreenConnect, Atera, Splashtop, and LogMeIn Resolve to burrow into victim networks while simultaneously evading detection. The discovery coincides with the emergence of new Phishing-as-a-Service platforms that lower the technical barriers for conducting sophisticated social engineering attacks, making such targeted campaigns more accessible to a wider range of threat actors.