Employment is like a box of chocolates, you never know what you’re going to get
- Javier Conejo del Cerro
- 4 days ago
- 3 min. read

It starts with a flattering offer: an exclusive job opportunity from Rothschild & Co., sent straight to the inbox of a financial executive. But behind the elegant logo and the promise of career growth hides something else entirely: a spear-phishing campaign crafted with care. The targets are CFOs and finance leaders at banks, energy conglomerates, insurers, and investment firms across Europe, Africa, the Middle East, South Asia, and Canada.
This is not just another scam. It is a multi-stage operation built with surgical precision. The attackers abuse the legitimacy of NetBird, a WireGuard-based remote access tool, to gain a foothold without raising alarms: a signed, commercially available agent looks nothing like malware to endpoint tooling. Everything, from the lure to the installation, is designed to bypass scrutiny, using a clean toolchain and a delivery method that evades both human reviewers and automated scanners.
Financial Targets in the Crosshairs
The campaign zeroes in on decision-makers—those with access to financial systems, confidential reports, sensitive communications, and high-level credentials. Executives in Europe’s banking sector, African energy boards, Middle Eastern insurers, Canadian investment firms, and South Asian conglomerates all find themselves in the attackers’ scope.
But what makes this campaign different is the level of personalization. It is not a mass email blast. The messages are tailored, calm, and convincing, typically offering high-profile positions at Rothschild & Co., one of the world's most prestigious financial institutions. And unlike cruder campaigns built on spoofed logos and typos, this one leans into subtlety and realism.
From CAPTCHA to Compromise
The technical delivery of the attack is just as refined. The email carries what looks like a PDF attachment, but the "attachment" is really a link to a Firebase-hosted page gated by a CAPTCHA. This extra step matters: URL scanners and detonation sandboxes that follow the link never solve the CAPTCHA, so they never see the payload, while a human target sails through and receives it. The gate filters out the machines and lets the people in.
Once the CAPTCHA is solved, the site delivers a ZIP archive. Inside is a Visual Basic Script (VBScript), the first stage in a chain of payloads. This stager retrieves and runs a second VBScript from an external server, which in turn downloads another archive containing two MSI installers: NetBird and OpenSSH.
The installation is silent but thorough. The MSIs are installed without any user interaction. A new local account is created and hidden from the logon screen. Remote Desktop access is enabled. A scheduled task is configured to launch NetBird at every reboot, so the remote tunnel survives restarts. Even the desktop shortcuts the installers drop are removed, so nothing visible hints that new software has arrived.
Meanwhile, the attackers begin collecting emails, cloud-stored documents, Microsoft Teams messages, and sensitive files, exfiltrated using Microsoft Graph. What starts as a fake job offer becomes a persistent, invisible breach with full remote access to the target environment.
Fighting Back Against Legitimate-Looking Intrusions
This is not a case of amateur hacking or noisy ransomware. It is a stealthy operation using real tools and clean infrastructure. Organizations must raise their defenses accordingly:
- Inventory and allow-list remote access tools such as NetBird, Atera, Splashtop, and LogMeIn, and alert on any installation of one that is not approved for that endpoint.
- Disable execution of wscript.exe (and cscript.exe) where script hosts are not strictly required, for example through AppLocker or WDAC rules, or by changing the default handler for .vbs files to a text editor.
- Block or sandbox ZIP and MSI files reaching executive inboxes, including those fetched from links, not only direct attachments.
- Monitor for the creation of local accounts that are then hidden (Event ID 4720 followed by a write to the Winlogon SpecialAccounts\UserList key), for Remote Desktop being switched on (fDenyTSConnections set to 0), and for new scheduled tasks (Event ID 4698) whose action launches a remote access agent.
- Conduct tailored security awareness training for executives, focusing on fake recruiter lures and targeted spear-phishing.
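As an added example (not code from the original post or from the researchers who documented the campaign), the following Python hunt script correlates the installation steps described above with the monitoring advice in the list: it walks a set of Windows Security event records and flags wscript.exe running a script from a user-writable path, msiexec.exe spawned by a script host, a local account that is created and then hidden via the SpecialAccounts\UserList key, Remote Desktop being enabled, and a scheduled task that launches a known remote access agent. The event records, host names, account name and file paths are constructed for illustration; the dictionaries use simplified field names rather than the exact XML of real .evtx events, so the parsing of a real log export is assumed to happen before this function is called.

```python
"""Hunt for the hidden-account / RDP / scheduled-task persistence chain.

Added example, not the blog's or the original researchers' code. The event
dicts below are constructed and simplified; they are not records from a real
incident, and the field names are assumptions about how a log pipeline would
normalise Windows Security events (4688, 4720, 4732, 4657, 4698).
"""
import re
from collections import defaultdict

# Remote access agents the article names; a task launching one is suspicious
# unless that tool is approved for the endpoint.
REMOTE_ACCESS_TOOLS = ("netbird", "atera", "splashtop", "logmein")
# Script run from a user-writable location (Downloads, Temp, AppData).
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData)\\", re.IGNORECASE)
# Registry key whose DWORD value 0 hides an account from the logon screen.
HIDE_KEY = r"winlogon\specialaccounts\userlist"
# Registry key holding fDenyTSConnections (0 = Remote Desktop enabled).
RDP_KEY = r"control\terminal server"

# Constructed sample events (not real telemetry), already sorted by time.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "FIN-CFO-01", "ts": 1,
     "new_process": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\cfo\Downloads\Offer\offer.vbs"',
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 4688, "host": "FIN-CFO-01", "ts": 2,
     "new_process": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\cfo\AppData\Local\Temp\agent.msi /qn",
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"id": 4720, "host": "FIN-CFO-01", "ts": 3, "target_user": "helpdesk"},
    {"id": 4732, "host": "FIN-CFO-01", "ts": 4, "target_user": "helpdesk",
     "group": "Administrators"},
    {"id": 4657, "host": "FIN-CFO-01", "ts": 5,
     "object": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Winlogon\SpecialAccounts\UserList",
     "value_name": "helpdesk", "new_value": "0"},
    {"id": 4657, "host": "FIN-CFO-01", "ts": 6,
     "object": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server",
     "value_name": "fDenyTSConnections", "new_value": "0"},
    {"id": 4698, "host": "FIN-CFO-01", "ts": 7, "task_name": r"\Agent Autostart",
     "task_content": r"<Exec><Command>C:\Program Files\NetBird\netbird.exe</Command></Exec>"},
    # Benign noise on another host: an account creation on its own is not a hit.
    {"id": 4720, "host": "HR-WS-07", "ts": 8, "target_user": "svc_backup"},
]


def hunt(events):
    """Return {host: [finding, ...]} for hosts showing any step of the chain."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)

    findings = {}
    for host, evs in by_host.items():
        hits = []
        created = set()  # accounts created on this host (4720), lower-cased
        for ev in evs:
            eid = ev["id"]
            if eid == 4688:  # process creation
                proc = ev["new_process"].lower()
                parent = ev.get("parent", "").lower()
                if proc.endswith("wscript.exe") and USER_WRITABLE.search(ev.get("cmdline", "")):
                    hits.append("wscript.exe ran a script from a user-writable path")
                if proc.endswith("msiexec.exe") and parent.endswith(("wscript.exe", "cscript.exe")):
                    hits.append("msiexec.exe spawned by a script host")
            elif eid == 4720:  # user account created
                created.add(ev["target_user"].lower())
            elif eid == 4732:  # member added to a local group
                if ev["target_user"].lower() in created and ev["group"].lower() == "administrators":
                    hits.append(f"new account '{ev['target_user']}' added to Administrators")
            elif eid == 4657:  # registry value modified
                obj = ev["object"].lower()
                if (obj.endswith(HIDE_KEY) and ev["new_value"] == "0"
                        and ev["value_name"].lower() in created):
                    hits.append(f"new account '{ev['value_name']}' hidden from the logon screen")
                if (obj.endswith(RDP_KEY) and ev["value_name"].lower() == "fdenytsconnections"
                        and ev["new_value"] == "0"):
                    hits.append("Remote Desktop enabled via fDenyTSConnections=0")
            elif eid == 4698:  # scheduled task created
                content = ev.get("task_content", "").lower()
                tool = next((t for t in REMOTE_ACCESS_TOOLS if t in content), None)
                if tool:
                    hits.append(f"scheduled task '{ev['task_name']}' launches {tool}")
        if hits:
            findings[host] = hits
    return findings


if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        print(host)
        for h in hits:
            print("  -", h)
```

Two caveats a practitioner will hit immediately: Event ID 4688 only carries the command line if "Include command line in process creation events" is enabled, and 4657 only fires for registry keys that have an audit SACL, so the two registry checks need SACLs on the Winlogon SpecialAccounts and Terminal Server keys (or an EDR that records registry writes) before this logic sees anything. The account-hiding rule deliberately requires a preceding 4720 on the same host, which is why the lone account creation on HR-WS-07 produces no finding.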
As PhaaS (Phishing-as-a-Service) platforms lower the barrier to entry for sophisticated social engineering, even the most vigilant teams must remain alert. This campaign is not about a stolen password. It is about quietly installing a backdoor into your entire organization, with remote access to financial, cloud, and communication systems.
When the job offer sounds too good to be true, it might just be the bait.