Spear-Phishing Campaign Installing Netbird and Enabling Remote Access
A new report from Hunt Intelligence reveals a highly targeted spear-phishing campaign that has been systematically preying on CFOs and finance executives worldwide. The campaign employs a blend of social engineering, multi-stage malware delivery, and abuse of legitimate remote-access tools to achieve persistent control over victim environments.
The campaign begins with emails masquerading as recruiters from Rothschild & Co, directing victims to Firebase-hosted phishing pages. These pages employ customized CAPTCHA challenges designed to appear credible and frustrate automated detection.
According to Hunt Intelligence, “the attack begins with a socially engineered email impersonating a Rothschild & Co recruiter, leading to a Firebase-hosted phishing page with a custom CAPTCHA.”
Once engaged, targets are tricked into downloading a ZIP archive that contains a malicious VBScript file (VBS). When executed, the VBS initiates the silent installation of NetBird and OpenSSH, creates hidden administrative accounts, and enables Remote Desktop Protocol (RDP).
The report highlights a multi-stage infection chain where the initial VBS downloader retrieves further payloads from attacker-controlled infrastructure. Hunt Intelligence notes:
“The extracted F-144822.vbs file contains a malicious script that downloads an additional payload from http://198.46.178[.]135/34564/cis.ico, saves it locally as C:\bin\cis.vbs, and executes it with elevated privileges in a hidden window.”
Subsequent payloads deploy NetBird tunnels, adjust firewall rules, and configure RDP services for persistence. The attackers also cover their tracks by deleting desktop shortcuts and automating service restarts, so that the newly installed tooling is less likely to be noticed by the user.
“In the final phase, the script ensures the Netbird service starts on system boot… and removes any Netbird shortcut files from all users’ desktops, effectively concealing the newly installed software from casual observation.”
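As an added defender-side illustration (not code from Hunt Intelligence or the report), the script below maps each stage of the chain described above to a process-creation detection rule and correlates them per host, so that a single `reg add` or `sc config` does not alert on its own but the combination does. The field names follow Sysmon event ID 1, and the regex patterns, thresholds and sample events are assumptions modelled on the report's description, not published signatures.

```python
"""Correlate stages of the VBS -> NetBird -> RDP persistence chain in
process-creation telemetry (Sysmon EID 1 style fields: Image, ParentImage,
CommandLine). Patterns are assumptions derived from the report's narrative."""
import re

# One rule per stage; every field pattern in a rule must match (case-insensitive).
RULES = {
    "vbs_run_from_downloads":   {"Image": r"wscript\.exe$", "CommandLine": r"\\downloads\\[^\"]*\.vbs"},
    "staged_vbs_in_c_bin":      {"CommandLine": r"c:\\bin\\[^\s\"]*\.vbs"},
    "netbird_silent_install":   {"CommandLine": r"netbird.*(?:/quiet|/qn|/s\b)"},
    "local_account_added":      {"Image": r"net1?\.exe$", "CommandLine": r"\buser\b.*/add"},
    "rdp_enabled_via_registry": {"Image": r"reg\.exe$", "CommandLine": r"fdenytsconnections.*/d\s+0"},
    "rdp_firewall_rule_opened": {"Image": r"netsh\.exe$", "CommandLine": r"advfirewall.*(?:3389|remote desktop)"},
    "netbird_service_autostart": {"Image": r"sc\.exe$", "CommandLine": r"config\s+netbird.*start=\s*auto"},
    "netbird_shortcut_deleted": {"CommandLine": r"\bdel\b.*netbird[^\s]*\.lnk"},
}

def match_rules(event):
    """Return the names of all rules whose field patterns all match this event."""
    return [name for name, conds in RULES.items()
            if all(re.search(rx, event.get(f, ""), re.I) for f, rx in conds.items())]

def triage(events, min_stages=3):
    """Aggregate per-stage hits across one host's events and alert only when
    several distinct stages fire, keeping lone admin commands below the bar."""
    stages = {}
    for ev in events:
        for name in match_rules(ev):
            stages.setdefault(name, []).append(ev.get("CommandLine", ""))
    return {"stages": sorted(stages), "evidence": stages, "alert": len(stages) >= min_stages}

# Constructed sample telemetry (not from the report): four chain stages plus one benign event.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\cfo\Downloads\F-144822.vbs"'},
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe //B C:\bin\cis.vbs"},
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"Image": r"C:\Windows\System32\sc.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "sc config netbird start= auto"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe quarterly_report.txt"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Running it against the constructed events fires four of the eight stages and raises the alert; the benign notepad event matches nothing.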
Hunt’s investigation uncovered evolving infrastructure across Firebase and Web.app domains, often using AES-encrypted redirects and “math-gate” CAPTCHA challenges written in French. These tactics both obscure the phishing mechanism and diversify hosting paths to evade takedowns.
Interestingly, the infrastructure strongly overlaps with known APT MuddyWater activity. Hunt Intelligence confirms: “Cross-referencing with Maltrail threat intelligence feeds revealed that this same IP has been previously associated with APT MuddyWater activity, strengthening the attribution towards this threat actor.”
One of the campaign’s most alarming aspects is its reliance on legitimate remote-access and monitoring software to avoid raising suspicion. Beyond NetBird, attackers have also deployed AteraAgent.exe, another commercial remote administration tool abused in prior MuddyWater-linked intrusions.
The campaign spans multiple continents, targeting high-value financial roles with precision. Its advanced persistence techniques and infrastructure overlaps suggest a well-funded, state-aligned threat group, further confirmed by its resemblance to past MuddyWater operations.