Hackers have launched a global phishing campaign using the legitimate remote access tool NetBird to infiltrate the computers of financial executives in six regions around the world.

Researchers at Trellix have uncovered a multi-stage phishing operation targeting chief financial officers (CFOs) in Europe, Africa, Canada, the Middle East, and South Asia. The attack begins with an email purporting to be from a Rothschild & Co. recruiter offering a “strategic opportunity.” The link actually leads to a CAPTCHA-protected Firebase page that hides an encrypted download link to a malicious archive. The ZIP file contains a VBScript that triggers a cascade of actions: downloading NetBird and OpenSSH, creating a hidden local account, enabling remote access, and installing NetBird silently through the Task Scheduler so that it persists. NetBird, a legitimate WireGuard-based remote access tool, is thereby repurposed as a long-term remote-access backdoor.
Separately, experts noted that such campaigns increasingly rely on legitimate tools such as ConnectWise, Atera, Splashtop, FleetDeck, and LogMeIn Resolve to evade detection. The archives contained VBS scripts that dynamically download further malicious components. Notably, one of the URLs used in the campaign has been active for almost a year, indicating a much longer period of operation.
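The chain described above (a new local account, a scheduled task, and a remote-access tool appearing on the same host within minutes) is the kind of pattern a defender can correlate in Windows Security audit logs. The following is an added example written for this page, not code from Trellix or from the article; the event records are constructed, the process paths and host names are assumptions, and only event IDs 4720, 4698 and 4688 are real Windows Security events. It flags a host only when the account creation and the RMM-tool activity fall inside a short time window, so an RMM binary seen hours after an unrelated account creation is not reported.

```python
"""Correlate constructed Windows Security events to flag the account + scheduled
task + remote-access-tool chain described in the article (added example)."""
from datetime import datetime, timedelta

# Remote-access / RMM products named in the article, lowercase for matching.
RMM_INDICATORS = ("netbird", "openssh", "connectwise", "atera",
                  "splashtop", "fleetdeck", "logmein")

ACCOUNT_CREATED = 4720   # Windows Security: a user account was created
TASK_CREATED = 4698      # Windows Security: a scheduled task was created
PROCESS_CREATED = 4688   # Windows Security: a new process has been created

WINDOW = timedelta(minutes=30)   # how close the events must be to correlate

# Constructed sample records; paths, task names and hosts are hypothetical.
SAMPLE_EVENTS = [
    # Host 1: the full chain from the article, within a few minutes.
    {"ts": "2025-06-01T09:00:00", "host": "cfo-laptop-01", "event_id": PROCESS_CREATED,
     "detail": "wscript.exe C:\\Users\\cfo\\Downloads\\offer.vbs"},
    {"ts": "2025-06-01T09:01:10", "host": "cfo-laptop-01", "event_id": ACCOUNT_CREATED,
     "detail": "new account: svc_update"},
    {"ts": "2025-06-01T09:02:30", "host": "cfo-laptop-01", "event_id": TASK_CREATED,
     "detail": "task \\Microsoft\\Windows\\NetBirdUpdate action: C:\\ProgramData\\netbird\\netbird.exe up"},
    {"ts": "2025-06-01T09:03:05", "host": "cfo-laptop-01", "event_id": PROCESS_CREATED,
     "detail": "C:\\Program Files\\OpenSSH\\sshd.exe"},
    # Host 2: an account is created but no RMM tool appears (benign admin work).
    {"ts": "2025-06-01T10:15:00", "host": "it-admin-07", "event_id": ACCOUNT_CREATED,
     "detail": "new account: contractor_jdoe"},
    # Host 3: RMM binary runs, but the account creation was hours earlier (outside the window).
    {"ts": "2025-06-01T06:00:00", "host": "finance-ws-12", "event_id": ACCOUNT_CREATED,
     "detail": "new account: backup_operator"},
    {"ts": "2025-06-01T09:30:00", "host": "finance-ws-12", "event_id": PROCESS_CREATED,
     "detail": "C:\\ProgramData\\netbird\\netbird.exe service run"},
]


def mentions_rmm(detail):
    """Return the list of RMM indicator names found in an event detail string."""
    text = detail.lower()
    return [name for name in RMM_INDICATORS if name in text]


def correlate(events, window=WINDOW):
    """Return one finding per new-account event that has RMM-tool activity
    (scheduled task or process start) on the same host within `window`."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)

    findings = []
    for host, evs in by_host.items():
        parsed = sorted((datetime.fromisoformat(e["ts"]), e) for e in evs)
        accounts = [(t, e) for t, e in parsed if e["event_id"] == ACCOUNT_CREATED]
        rmm_hits = [(t, e, mentions_rmm(e["detail"])) for t, e in parsed
                    if e["event_id"] in (TASK_CREATED, PROCESS_CREATED)
                    and mentions_rmm(e["detail"])]
        for t_acc, acc in accounts:
            related = [(e, names) for t, e, names in rmm_hits
                       if abs(t - t_acc) <= window]
            if not related:
                continue
            findings.append({
                "host": host,
                "account_event": acc["detail"],
                "tools": sorted({n for _, names in related for n in names}),
                # A scheduled task referencing the tool indicates persistence.
                "persistence": any(e["event_id"] == TASK_CREATED for e, _ in related),
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

In production the same logic would be fed from a SIEM query over Security log events rather than an inline list; the point of the window is to keep legitimate, unrelated account creations and RMM deployments from firing while still catching the tight sequence the article describes.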
This case is just part of a wider surge of sociotechnical attacks that use:
The latter, Haozi, is a Chinese PhaaS tool that, for $2,000 a year, provides a turnkey interface, Telegram support, and ready-made infrastructure. This significantly lowers the barrier to entry into cybercrime, even for non-specialists.
Social engineering campaigns today are not isolated phishing emails, but multi-layered attacks that use legitimate software, automation, and artificial intelligence to penetrate protected networks. To counter them, it is necessary to update security policies, train users, and consider a new security philosophy where legitimate tools can no longer be automatically considered “safe.”