Legitimate Remote Access Tool NetBird Abused in Sophisticated Phishing Wave
Fake Job Pitch Opens the Door
Cyber-criminals have launched a fresh spear-phishing operation that zeroes in on chief financial officers and senior money managers at banks, insurers, power companies, and investment houses across Europe, Africa, Canada, the Middle East, and South Asia. The scheme starts with an email that claims to come from a recruiter at Rothschild & Co., promising a “strategic opportunity.” Recipients who take the bait believe they are opening a harmless PDF. Instead, the message hides a link that sends them to a site hosted on Google’s Firebase platform.
CAPTCHA Hurdle Masks the Real Target
When victims land on the page, they are asked to solve a CAPTCHA. The puzzle is not there to keep bots out but to keep security scanners blind. Only after the verification does a short piece of JavaScript unlock the real destination. The script, armed with a hard-coded decryption key, reveals the final URL, which delivers a ZIP file to the unsuspecting finance professional. Experts at Trellix, who first spotted the campaign in mid-May 2025, say this extra CAPTCHA step is becoming popular because defenders already flag many phishing pages protected by mainstream services like Cloudflare Turnstile or Google reCAPTCHA.
Layered Scripts Bring NetBird and OpenSSH On-Board
Inside the ZIP archive sits a Visual Basic Script (VBS). Running that script quietly fetches a second VBS from an attacker-controlled server. The downloader then grabs yet another file, renames it “trm.zip,” and extracts two installer packages: one for NetBird, an open-source remote networking tool that relies on WireGuard, and one for OpenSSH. The scripts next create a hidden local user, turn on Remote Desktop, and schedule tasks so NetBird loads every time the computer restarts. To avoid tipping off the target, any NetBird shortcuts on the desktop vanish as soon as the install finishes.
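The persistence steps described above (a new local account, Remote Desktop switched on, a scheduled task that starts NetBird at boot) each leave a trace in Windows Security auditing, and a defender would want to correlate them per host rather than alert on any one alone. The following is an added example, not code from Trellix or from the NetBird project: a small Python correlator run over constructed, simplified event records (the dict field names and the sample data are assumptions; the event IDs 4720, 4732, 4657 and 4698 are the standard Windows Security audit IDs for account creation, local group membership change, registry value modification and scheduled task creation).

```python
"""Correlate host audit events that match the NetBird persistence chain.

Added example (not Trellix's or NetBird's code). Event records are
simplified dicts modeled loosely on Windows Security events; the sample
data below is constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Process names the article associates with the dropped installers.
RMM_KEYWORDS = ("netbird", "openssh", "sshd")

# Constructed sample events (not real telemetry). One host shows the full
# chain within a minute; the others show benign single events.
SAMPLE_EVENTS = [
    {"time": "2025-05-15T09:01:10", "host": "FIN-LAPTOP-07", "event_id": 4720,
     "target_user": "svc_update"},
    {"time": "2025-05-15T09:01:12", "host": "FIN-LAPTOP-07", "event_id": 4732,
     "group": "Remote Desktop Users", "member": "svc_update"},
    {"time": "2025-05-15T09:01:20", "host": "FIN-LAPTOP-07", "event_id": 4657,
     "object": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "new_value": "0"},
    {"time": "2025-05-15T09:01:33", "host": "FIN-LAPTOP-07", "event_id": 4698,
     "task_name": r"\NetBirdStart", "command": r"C:\Program Files\NetBird\netbird.exe up"},
    {"time": "2025-05-15T08:00:00", "host": "HR-DESKTOP-02", "event_id": 4698,
     "task_name": r"\Backup", "command": r"C:\Tools\backup.exe"},
    {"time": "2025-05-14T12:00:00", "host": "IT-ADMIN-01", "event_id": 4720,
     "target_user": "jsmith"},
]


def classify(event):
    """Map one event to a persistence signal name, or None if it is not one."""
    eid = event.get("event_id")
    if eid == 4720:
        return "local_user_created"
    if eid == 4732 and "remote desktop" in event.get("group", "").lower():
        return "rdp_group_membership"
    if (eid == 4657
            and event.get("object", "").lower().endswith("fdenytsconnections")
            and event.get("new_value") == "0"):
        return "rdp_enabled"  # fDenyTSConnections=0 means RDP is allowed
    if eid == 4698 and any(k in event.get("command", "").lower() for k in RMM_KEYWORDS):
        return "rmm_scheduled_task"
    return None


def correlate(events, window_minutes=30, min_signals=3):
    """Return one alert per host that shows >= min_signals distinct signals
    inside a sliding window of window_minutes."""
    by_host = defaultdict(list)
    for ev in events:
        tag = classify(ev)
        if tag:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), tag))

    window = timedelta(minutes=window_minutes)
    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            tags = {tag for t, tag in hits[i:] if t - t0 <= window}
            if len(tags) >= min_signals:
                alerts.append({"host": host, "start": t0.isoformat(),
                               "signals": sorted(tags)})
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"{alert['host']} from {alert['start']}: {', '.join(alert['signals'])}")
```

The threshold of three distinct signals is deliberate: an administrator legitimately creating an account or enabling RDP produces one signal, while the chain in the article produces all four on one machine within seconds. Real deployments would feed the correlator from the Security log (or an EDR export) rather than from a list literal.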
Legitimate Tools Give Attackers Staying Power
NetBird is hardly the first everyday application bent to criminal goals. Over the past year, investigators have seen malicious actors lean on products such as ConnectWise ScreenConnect, Atera, Splashtop, FleetDeck, and LogMeIn Resolve. Because these tools are built for legitimate remote access, they often slip past antivirus programs and raise fewer red flags during routine audits. Trellix analysts also uncovered a second redirect link tied to the same attack chain that has been active for almost a year, hinting that the threat has been evolving quietly under the radar.
Social Engineering Campaigns Multiply
The NetBird campaign arrives amid a flurry of email ploys that all aim to trick users rather than hack systems directly. Some attackers are sending messages from “company@nifty[.]com,” exploiting the reputation of a trusted Japanese internet service provider to dodge email authentication checks. Others are hosting fake Microsoft login pages on Google Apps Script or crafting Apple Pay invoices that harvest credit-card details and Yahoo Mail passwords. Notion, the popular collaboration platform, has also been abused to host bogus document-sharing links that funnel credentials straight to Telegram bots. In yet another twist, criminals are still exploiting a 2017 Microsoft Office flaw (CVE-2017-11882) to drop Formbook malware disguised as a PNG image.
Phishing-as-a-Service Makes Crime Drag-and-Drop Simple
These incidents highlight how Phishing-as-a-Service (PhaaS) has matured. Trustwave researchers recently mapped overlaps between two kit families, Tycoon and DadSec, showing that both rely on a central pool of servers and share code. DadSec, tracked by Microsoft as Storm-1575, now plugs into an updated “Tycoon 2FA” platform that helps crooks bypass multi-factor authentication.
At the same time, Netcraft has lifted the lid on a Chinese-language kit called Haozi. For a yearly fee of about US $2,000, Haozi buyers receive a sleek web dashboard where they can point-and-click their way through an entire campaign. The service even sells ad space inside the control panel, linking customers with third-party SMS providers and other vendors. An after-sales Telegram channel offers real-time troubleshooting, and Netcraft estimates Haozi has already moved more than US $280,000 in related transactions over five months. Unlike older kits that still demand some command-line know-how, Haozi removes nearly all technical hurdles, making professional phishing as easy as signing up for a streaming service.
Microsoft Flags New Ways Around Multi-Factor Authentication
Microsoft’s security team warns that PhaaS operators are increasingly turning to adversary-in-the-middle attacks, device-code phishing, and OAuth consent scams now that more organizations enforce multi-factor authentication. One newer trick—“device join” phishing—persuades a victim to authorize a rogue machine on the company network via a seemingly routine invitation. The tactic, first documented by Volexity in April 2025, lets intruders roam corporate resources without ever stealing a username or password outright.
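Device-code phishing works because the victim completes a legitimate sign-in on a device the attacker controls, so the resulting session looks authentic; what a defender can still do is treat device-code sign-ins as unusual and review the ones that come from outside expected networks or applications. The following added example (not Microsoft's, Volexity's or any vendor's code) triages constructed sign-in records shaped loosely like Entra ID sign-in log entries; the field names, the corporate IP range and the list of applications where device-code flow is expected are all assumptions to adapt to your own tenant.

```python
"""Triage device-code sign-ins from constructed sign-in log records.

Added example; the record schema (createdDateTime, userPrincipalName,
authenticationProtocol, ipAddress, appDisplayName) is an assumption
modeled loosely on Entra ID sign-in log exports, and the sample data
is constructed.
"""
import ipaddress

# Constructed sample records (not real sign-in data).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-05-20T07:12:00Z", "userPrincipalName": "cfo@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.45",
     "appDisplayName": "Microsoft Office"},
    {"createdDateTime": "2025-05-20T07:15:00Z", "userPrincipalName": "analyst@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.7",
     "appDisplayName": "Outlook"},
    {"createdDateTime": "2025-05-20T08:02:00Z", "userPrincipalName": "it-ops@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.20",
     "appDisplayName": "Azure CLI"},
]

# Assumed environment facts: the office egress range and the applications
# where an administrator genuinely uses the device-code flow.
CORPORATE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
DEVICE_CODE_EXPECTED_APPS = {"Azure CLI"}


def is_corporate(ip_text):
    """True if the address falls inside a known corporate egress range."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed or missing address is treated as untrusted
    return any(addr in net for net in CORPORATE_RANGES)


def triage(records):
    """Return device-code sign-ins that deserve a second look, with reasons."""
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = []
        if not is_corporate(rec.get("ipAddress", "")):
            reasons.append("off-network source")
        app = rec.get("appDisplayName", "")
        if app not in DEVICE_CODE_EXPECTED_APPS:
            reasons.append(f"unexpected app: {app}")
        if reasons:
            findings.append({"user": rec["userPrincipalName"],
                             "time": rec["createdDateTime"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SIGNINS):
        print(f"{f['time']} {f['user']}: {'; '.join(f['reasons'])}")
```

A sign-in that is both off-network and from an application that never legitimately uses device-code flow, as in the first sample record, is the combination worth investigating; the administrator's Azure CLI sign-in from the office passes without a finding, which keeps the review list short enough to act on.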
Human Vigilance Remains the Weak Link
Srini Seethapathy of Trellix sums up the situation plainly: this latest NetBird campaign is “well-crafted, targeted, and subtle.” By combining believable social-engineering hooks, CAPTCHA smokescreens, and legitimate software, attackers manage to keep a foothold long after the initial email lands. While security tools grow better at spotting rogue attachments and phishing domains, the final defense still rests with users who must recognize an offer that is too good to be true.
With PhaaS platforms lowering the bar for entry and legitimate remote-access tools offering perfect cover, finance leaders and IT teams alike face a growing challenge. Training staff to spot social tricks, tightening controls on remote-access software, and keeping patches up to date remain critical steps in a landscape where hacking no longer requires breaking in—only convincing someone to open the door.