
Cybersecurity researchers have warned of a new spear-phishing campaign that uses a legitimate remote access tool called NetBird to target Chief Financial Officers (CFOs) and financial executives at banks, energy companies, insurers, and investment firms across Europe, Africa, Canada, the Middle East, and South Asia.

"In what appears to be a multi-stage phishing operation, the attackers aimed to deploy NetBird, a legitimate wireguard-based remote access tool on the victim's computer," Trellix researcher Srini Seethapathy said in an analysis.

The activity, first detected by the cybersecurity company in mid-May 2025, has not been attributed to a known threat actor or group.

The starting point of the attack is a phishing email that impersonates a recruiter from Rothschild & Co. and claims to offer a "strategic opportunity" with the company. The email is designed to entice the recipients into opening a purported PDF attachment that, in reality, is a phishing link that redirects them to a Firebase app-hosted URL.

What's notable about the infection is that the real redirect URL is stored in the page in encrypted form and is accessible only after the victim solves a CAPTCHA verification check, ultimately leading to the download of a ZIP archive.

"Solving the puzzle executes a [JavaScript] function that decrypts it with a hard-coded key and redirects the user to the decrypted link," Seethapathy said. "Attackers are leaning on these custom CAPTCHA gates more and more, hoping to slip…