Sophisticated Spear-Phishing Campaign Targets Financial Executives by Abusing the NetBird Remote Access Tool

A recent spear-phishing campaign has emerged, targeting chief financial officers and senior financial executives across various sectors, including banking, energy, insurance, and investment. This campaign, which began on May 15, 2025, employs advanced social engineering techniques to compromise high-value targets worldwide.

Campaign Overview

The attackers impersonate the financial firm Rothschild & Co, sending emails with the subject line "Rothschild & Co leadership opportunity (Confidential)" from the address [email protected]. The emails carry what appears to be a PDF attachment named "Rothschild_&_Co-6745763.PDF". The "attachment" is not a file at all: it is a hyperlink that sends the recipient to a Firebase-hosted page at hxxps://googl-6c11f.firebaseapp[.]com/job/file-846873865383.html. Because nothing is actually attached, attachment sandboxing never sees a payload, and the lure lives or dies on whether the link is inspected.
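The lure above depends on a link being mistaken for an attachment. The following scanner, added here as an example and not taken from the original report or any vendor product, walks every anchor in an HTML message body and flags those whose visible text reads like a document file name while the href points at a web URL, additionally marking links on free hosting platforms of the kind used in this campaign. The sample message, the placeholder Firebase host name, the file-extension list and the hosting-suffix list are all constructed or assumed for the example.

```python
"""Flag "attachments" that are really hyperlinks in an HTML e-mail body.

Added example, not code from the original report: the lure shows a file name
ending in .PDF that reads like an attachment but is an <a> element pointing at
a Firebase-hosted page. This scanner walks every anchor in an HTML body and
reports those whose visible text looks like a document file name while the
href is a web URL. The sample message, the placeholder host and the suffix
list are constructed/assumed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Anchor text a reader would take for an attached file (assumed extension list).
DOC_NAME_RE = re.compile(r"^[\w&().\- ]+\.(pdf|docx?|xlsx?|pptx?|zip|rar|7z)$", re.IGNORECASE)

# Free hosting platforms seen abused for throwaway phishing pages (assumed list).
ABUSED_HOSTING_SUFFIXES = ("firebaseapp.com", "web.app")

# Constructed sample body; the Firebase host name is a placeholder, not the real IOC.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Please review the attached brief before our call.</p>
<p><a href="https://example-abc12.firebaseapp.com/job/file-1.html">Rothschild_&amp;_Co-6745763.PDF</a></p>
<p><a href="https://www.example.com/careers">Careers page</a></p>
<p><a href="mailto:hr@example.com">contact.pdf</a></p>
</body></html>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_abused_hosting(host):
    """True if host is one of the assumed abused platforms or a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in ABUSED_HOSTING_SUFFIXES)


def find_fake_attachments(html_body):
    """Return one finding per anchor whose text looks like a file but links to the web."""
    collector = AnchorCollector()
    collector.feed(html_body)
    collector.close()
    findings = []
    for href, text in collector.anchors:
        if not DOC_NAME_RE.match(text):
            continue  # ordinary link text, not a file name
        url = urlparse(href)
        if url.scheme not in ("http", "https"):
            continue  # mailto:, cid: and similar are not web redirects
        host = url.hostname or ""
        findings.append({
            "text": text,
            "href": href,
            "host": host,
            "abused_hosting": is_abused_hosting(host),
        })
    return findings


if __name__ == "__main__":
    for finding in find_fake_attachments(SAMPLE_EMAIL_HTML):
        print(finding)
```

Run against the constructed body, the scanner returns a single finding for the fake PDF and marks its host as abused hosting; the careers link and the mailto: link are ignored. In a mail gateway this check belongs alongside URL rewriting, since the finding gives you the href to detonate or block before the user ever sees the page.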

Infection Mechanism

Upon accessing the link, victims encounter a custom CAPTCHA that asks them to solve a simple arithmetic problem, such as "What is the result of 9 + 10?". The gate serves two purposes: automated URL scanners that do not interact with the page never reach the next stage, and the challenge lends the page a veneer of legitimacy. Once the answer is submitted, JavaScript on the page decrypts a hardcoded redirect URL and sends the victim to hxxps://googl-6c11f.web[.]app/job/9867648797586_Scan_15052025-736574.html, where they are prompted to download an archive named Rothschild_&_Co-6745763.zip. The archive contains a VBScript (.vbs) file which, when run by the user, establishes the initial foothold on the host.

Deployment of the NetBird Remote Access Tool

Rather than dropping a conventional backdoor or trojan, the VBScript deploys NetBird, a legitimate open-source, WireGuard-based remote access tool. Because the tool itself is not malicious, antivirus signatures and reputation checks on the binary will not flag it, and the resulting tunnel is ordinary encrypted WireGuard traffic rather than a recognisable command-and-control protocol. This lets the attackers blend in with legitimate network management activity, complicates detection, and gives them durable, interactive access to the executive's workstation. Defenders therefore have to key on context rather than on the binary: an unsanctioned NetBird installation on a non-IT host, and in particular one that appears shortly after a script host ran a .vbs file from a user-writable directory.
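Because NetBird is a legitimate tool, the useful detection is the sequence rather than either event on its own. The following correlation logic, added here as an example and not taken from the original report or from NetBird's own project, joins a wscript/cscript launch of a .vbs from a user-writable path with NetBird installer or client activity on the same host inside a time window. The event records, field names, paths, the installer file name and the window size are constructed or assumed for the example; adapt the field names to your EDR or Sysmon process-creation telemetry.

```python
"""Correlate a VBScript launch with a later NetBird start on the same host.

Added example, not code from the original report: the chain is a .vbs dropped
from a ZIP, followed by deployment of NetBird, a legitimate tool that endpoint
signatures will not flag. Neither event is suspicious alone, so this detector
joins them: a wscript/cscript launch of a .vbs from a user-writable path,
followed within a time window by NetBird installer or client activity on the
same host. The event records, field names, paths and the window size are
constructed/assumed for the example.
"""
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directory fragments a standard user can write to (assumed; extend for your fleet).
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\desktop\\")
DEFAULT_WINDOW_MINUTES = 30

# Constructed process-creation telemetry: host, ISO timestamp, image path, command line.
SAMPLE_EVENTS = [
    {"host": "wks-cfo01", "ts": "2025-05-15T09:02:11",
     "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\cfo\\AppData\\Local\\Temp\\Rothschild_&_Co-6745763\\Rothschild_&_Co-6745763.vbs"'},
    {"host": "wks-cfo01", "ts": "2025-05-15T09:03:40",
     "image": "C:\\Users\\cfo\\AppData\\Local\\Temp\\netbird_installer.exe",
     "cmdline": "netbird_installer.exe"},
    {"host": "wks-cfo01", "ts": "2025-05-15T09:04:05",
     "image": "C:\\Program Files\\NetBird\\netbird.exe",
     "cmdline": "netbird.exe up"},
    # Sanctioned IT install: NetBird runs, but no script launch precedes it.
    {"host": "wks-it07", "ts": "2025-05-15T10:00:00",
     "image": "C:\\Program Files\\NetBird\\netbird.exe",
     "cmdline": "netbird.exe up"},
    # Benign admin script run from System32, not a user-writable path.
    {"host": "wks-hr02", "ts": "2025-05-15T11:00:00",
     "image": "C:\\Windows\\System32\\cscript.exe",
     "cmdline": 'cscript.exe "C:\\Windows\\System32\\slmgr.vbs" /dli'},
]


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_script_launch_from_user_path(event):
    """Script host executing a .vbs whose path sits in a user-writable directory."""
    cmd = event["cmdline"].lower()
    return (_basename(event["image"]) in SCRIPT_HOSTS
            and ".vbs" in cmd
            and any(marker in cmd for marker in USER_WRITABLE_MARKERS))


def is_netbird_activity(event):
    """NetBird installer or client appearing as the image or in the command line."""
    return "netbird" in _basename(event["image"]) or "netbird" in event["cmdline"].lower()


def correlate(events, window_minutes=DEFAULT_WINDOW_MINUTES):
    """Return one alert per script launch followed by NetBird activity on the same host."""
    window = timedelta(minutes=window_minutes)
    by_host = {}
    for event in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(event["host"], []).append(event)

    alerts = []
    for host, host_events in by_host.items():
        for script in filter(is_script_launch_from_user_path, host_events):
            start = datetime.fromisoformat(script["ts"])
            followers = [
                e for e in host_events
                if is_netbird_activity(e)
                and start <= datetime.fromisoformat(e["ts"]) <= start + window
            ]
            if followers:
                alerts.append({
                    "host": host,
                    "script": script["cmdline"],
                    "first_netbird": followers[0]["cmdline"],
                    "netbird_events": len(followers),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the constructed telemetry only wks-cfo01 alerts: the sanctioned NetBird start on wks-it07 has no preceding script launch, and the slmgr.vbs run on wks-hr02 comes from System32 rather than a user-writable path. Tune the window and the path markers to your environment, and treat a hit as a trigger to isolate the host and check for an unauthorized NetBird service and peer configuration.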

Global Reach and Implications

The campaign’s global reach spans multiple industries and geographic regions, with confirmed targeting of financial institutions in the United Kingdom, Canada, South Africa, Norway, South Korea, Singapore, Switzerland, France, Egypt, Saudi Arabia, and Brazil. The precision targeting suggests extensive reconnaissance capabilities and access to detailed corporate organizational charts, indicating a well-resourced threat actor with strategic objectives beyond immediate financial gain.

Recommendations for Mitigation

To mitigate the risks associated with campaigns of this kind, organizations should consider the following measures:

1. Employee Training: Conduct regular security awareness training so that employees, and senior executives in particular, recognize phishing attempts and verify unexpected requests out of band. Unsolicited "confidential" recruitment approaches and attachments that open as web pages should be treated as warning signs.

2. Email Filtering and Authentication: Implement email filtering together with the sender-authentication protocols SPF, DKIM, and DMARC to detect and block spoofed mail. These protocols authenticate the sending domain only; they do nothing against mail sent from an attacker-registered lookalike domain, so pair them with display-name and lookalike-domain impersonation checks, and with URL rewriting or sandbox detonation for links dressed up as attachments, bearing in mind that a gate such as the arithmetic CAPTCHA used here is designed to defeat scanners that do not interact with the page.

3. Multi-Factor Authentication (MFA): Enforce MFA so that stolen credentials alone do not grant access. MFA protects accounts, not endpoints: it does not stop a remote access tool that is already running on a victim's workstation. Complement it with endpoint controls that prevent Windows Script Host from executing .vbs files from user-writable locations, or application control that restricts scripting hosts outright, and with alerting on unsanctioned remote access tools such as NetBird.

4. Regular Software Updates: Keep all systems and software patched. This campaign does not rely on exploiting a vulnerability; it relies on the user running a script and on a legitimate tool, so patching limits what an intruder can do after the foothold rather than preventing it.

5. Incident Response Plan: Develop and regularly exercise an incident response plan so that a compromised executive workstation can be isolated quickly. For this campaign the plan should cover identifying and removing unauthorized NetBird installations and revoking whatever network access the tunnel provided.

By implementing these measures, organizations can strengthen their defenses against spear-phishing campaigns targeting financial executives.