Global Financial Executives Hit by Multi-Stage Phishing Operation
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Downloader, Spear Phishing
- Attack Complexity: Medium
- Threat Risk: Low Impact/High Probability
Threat Overview
A sophisticated spear-phishing campaign targeted CFOs and finance executives in banking, energy, insurance, and investment sectors across the UK, Canada, South Africa, Norway, South Korea, Singapore, Switzerland, France, Egypt, Saudi Arabia, and Brazil. Disguised as a Rothschild & Co recruiter, the attackers used Firebase-hosted phishing pages protected by custom CAPTCHAs to deliver multi-stage payloads. Victims who executed malicious VBS scripts unknowingly installed NetBird and OpenSSH, granting attackers persistent, encrypted remote access through hidden admin accounts and RDP activation. Trellix researchers identified infrastructure overlaps with previous nation-state campaigns but withheld attribution.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Banking | Verified |
| Sector | Financial | Verified |
| Sector | High-Tech | Verified |
| Sector | Insurance | Verified |
| Sector | Energy | Verified |
| Sector | Tourism | Verified |
| Region | Brazil | Verified |
| Region | Canada | Verified |
| Region | Egypt | Verified |
| Region | France | Verified |
| Region | Norway | Verified |
| Region | Saudi Arabia | Verified |
| Region | Singapore | Verified |
| Region | South Africa | Verified |
| Region | South Korea | Verified |
| Region | Switzerland | Verified |
| Region | United Kingdom | Verified |
Extracted IOCs
Tip: 11 related IOCs (1 IP address, 2 domains, 4 URLs, 1 email address, 3 file hashes) have been found for this threat.
FAQs
Spear-Phishing Targeting CFOs with Remote Access Tools
A highly targeted phishing campaign impersonated a recruiter from Rothschild & Co to lure CFOs into executing malicious scripts that silently installed remote-access software on their systems.
The exact group is unknown, but the tactics and infrastructure partially overlap with past nation-state campaigns. No official attribution has been made yet.
The attackers aimed to silently gain remote access to executives' systems using legitimate tools, enabling long-term surveillance or data exfiltration.
Finance executives across multiple sectors—banks, energy firms, insurers, and investment groups—in Europe, Africa, Canada, the Middle East, and South Asia.
Through deceptive emails, fake job offers, and phishing links that delivered VBS scripts. These scripts installed tools like NetBird and OpenSSH and created hidden admin accounts.
CFOs have access to sensitive financial data and privileged systems, making them attractive targets for espionage or financially motivated attacks.
Enhance phishing detection, restrict script execution, monitor for unauthorized remote access tools, and audit admin accounts and RDP settings regularly.
This is a targeted attack aimed at high-level executives in specific sectors, but similar techniques could be reused in broader campaigns.
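As an added, defender-side example that is not part of the report, the following PowerShell audit checks a Windows host for the persistence artifacts described above: NetBird or OpenSSH (sshd) services, local administrators hidden from the logon screen, and RDP enabled. The install paths and the "hidden account" registry heuristic are assumptions about common deployment locations, not indicators taken from the report.

```powershell
# Added example (not the report's own tooling): audit a Windows host for the
# remote-access persistence pattern described above. Run in an elevated
# Windows PowerShell 5.1+ session; findings come back as objects for export or SIEM ingest.

function Find-RemoteAccessPersistence {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Category, $Detail) {
        $findings.Add([pscustomobject]@{ Host = $env:COMPUTERNAME; Category = $Category; Detail = $Detail })
    }

    # 1. Remote-access tooling named in the report, registered as services.
    Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match 'netbird|sshd' -or $_.DisplayName -match 'NetBird|OpenSSH' } |
        ForEach-Object { Add-Finding 'RemoteAccessService' "$($_.Name) ($($_.Status))" }

    # Assumed default install locations; adjust for your environment.
    foreach ($p in 'C:\Program Files\NetBird', 'C:\Program Files\OpenSSH', "$env:ProgramData\ssh") {
        if (Test-Path $p) { Add-Finding 'RemoteAccessPath' $p }
    }

    # 2. Members of the local Administrators group, flagged when the account is
    #    hidden from the logon screen via SpecialAccounts\UserList (value 0 = hidden).
    $hideKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
    $hidden = @()
    if (Test-Path $hideKey) {
        $hidden = (Get-ItemProperty $hideKey).PSObject.Properties |
            Where-Object { $_.Value -eq 0 } | Select-Object -ExpandProperty Name
    }
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object {
        $name = ($_.Name -split '\\')[-1]
        $tag = if ($hidden -contains $name) { 'HiddenLocalAdmin' } else { 'LocalAdmin' }
        Add-Finding $tag $_.Name
    }

    # 3. RDP enabled: fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    if ($ts -and $ts.fDenyTSConnections -eq 0) { Add-Finding 'RdpEnabled' 'fDenyTSConnections=0' }

    return $findings
}

# Usage: review on screen, or pipe to Export-Csv for fleet-wide triage.
Find-RemoteAccessPersistence | Format-Table -AutoSize
```

A legitimately deployed NetBird or OpenSSH install will also show up here, so compare results against an approved-software baseline rather than treating every hit as malicious.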