A Flyby on the CFO's Inbox: Spear-Phishing Campaign Targeting Financial Executives With NetBird Deployment

    Date: 06/03/2025

    Severity: High 

    Summary

    On May 15th, email security tools detected a sophisticated spear-phishing campaign targeting CFOs and finance executives at banks, energy firms, insurance companies, and investment groups across Europe, Africa, Canada, the Middle East, and South Asia. This multi-stage attack aimed to deliver NetBird, a legitimate WireGuard-based remote access tool, onto victims’ systems. In recent years, threat actors have increasingly adopted such remote-access tools to maintain persistence and deepen access within compromised networks.

    Indicators of Compromise (IOC) List

    Domains/URLs : 

    https://googl-6c11f.firebaseapp.com/job/file-846873865383.html

    https://googl-6c11f.web.app/job/9867648797586_Scan_15052025-736574.html

    http://192.3.95.152/cloudshare/atr/pull.pdf

    http://192.3.95.152/cloudshare/atr/trm

    Sender : 

    <redacted>_863563754768397286998728@notarius.net

    IP Address :

    192.3.95.152

    Hash : 

    4cd73946b68b2153dbff7dee004012c3

    53192b6ba65a6abd44f167b3a8d0e52d

    b91162a019934b9cb3c084770ac03efe

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs : 

    domainname like "http://192.3.95.152/cloudshare/atr/pull.pdf"
    or url like "http://192.3.95.152/cloudshare/atr/pull.pdf"
    or siteurl like "http://192.3.95.152/cloudshare/atr/pull.pdf"
    or domainname like "https://googl-6c11f.web.app/job/9867648797586_Scan_15052025-736574.html"
    or url like "https://googl-6c11f.web.app/job/9867648797586_Scan_15052025-736574.html"
    or siteurl like "https://googl-6c11f.web.app/job/9867648797586_Scan_15052025-736574.html"
    or domainname like "https://googl-6c11f.firebaseapp.com/job/file-846873865383.html"
    or url like "https://googl-6c11f.firebaseapp.com/job/file-846873865383.html"
    or siteurl like "https://googl-6c11f.firebaseapp.com/job/file-846873865383.html"
    or domainname like "http://192.3.95.152/cloudshare/atr/trm"
    or url like "http://192.3.95.152/cloudshare/atr/trm"
    or siteurl like "http://192.3.95.152/cloudshare/atr/trm"

    Sender : 

    sender like "<redacted>_863563754768397286998728@notarius.net" or senderdomain like "<redacted>_863563754768397286998728@notarius.net"

    IP Address : 

    dstipaddress IN ("192.3.95.152") or srcipaddress IN ("192.3.95.152")

    Hash : 

    md5hash IN ("b91162a019934b9cb3c084770ac03efe","53192b6ba65a6abd44f167b3a8d0e52d","4cd73946b68b2153dbff7dee004012c3")
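    The TDIR queries above, re-expressed as a small portable matcher run over constructed key=value log lines. This is an added example, not Gurucul's code; it uses only the indicators listed in this advisory, and goes one step beyond the page's queries by also flagging any request to the hosts of the listed URLs (an assumption, useful when a proxy records a different path on the same attacker-controlled host).

```python
import re
from urllib.parse import urlparse

# Indicators copied from the advisory's IoC list.
IOC_URLS = {
    "https://googl-6c11f.firebaseapp.com/job/file-846873865383.html",
    "https://googl-6c11f.web.app/job/9867648797586_Scan_15052025-736574.html",
    "http://192.3.95.152/cloudshare/atr/pull.pdf",
    "http://192.3.95.152/cloudshare/atr/trm",
}
IOC_SENDERS = {"<redacted>_863563754768397286998728@notarius.net"}
IOC_IPS = {"192.3.95.152"}
IOC_MD5 = {"4cd73946b68b2153dbff7dee004012c3", "53192b6ba65a6abd44f167b3a8d0e52d",
           "b91162a019934b9cb3c084770ac03efe"}
# Assumption beyond the page's queries: hosts of the listed URLs are matched on their own.
IOC_HOSTS = {urlparse(u).hostname for u in IOC_URLS}

def parse_kv_line(line):
    """Parse a constructed key=value log line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def match_event(event):
    """Return the indicator types an event hits, mirroring the TDIR query fields."""
    hits = []
    url = event.get("url")
    if url:
        if url in IOC_URLS:                                   # url / siteurl
            hits.append("url")
        elif urlparse(url).hostname in IOC_HOSTS:             # host-level (assumption)
            hits.append("host")
    if event.get("sender", "").lower() in IOC_SENDERS:        # sender
        hits.append("sender")
    if {event.get("src"), event.get("dst")} & IOC_IPS:        # srcipaddress / dstipaddress
        hits.append("ip")
    if event.get("md5", "").lower() in IOC_MD5:               # md5hash, case-insensitive
        hits.append("md5")
    return hits

# Constructed sample events (not real telemetry): mail gateway, proxy and EDR records.
SAMPLE_LOGS = [
    'ts=2025-05-15T09:12:01Z type=email sender="<redacted>_863563754768397286998728@notarius.net"',
    'ts=2025-05-15T09:13:40Z type=proxy src=10.0.0.23 dst=192.3.95.152 url="http://192.3.95.152/cloudshare/atr/pull.pdf"',
    'ts=2025-05-15T09:13:42Z type=proxy src=10.0.0.23 dst=198.51.100.9 url="https://googl-6c11f.web.app/job/other.html"',
    'ts=2025-05-15T09:20:05Z type=edr host=FIN-LT-07 md5=B91162A019934B9CB3C084770AC03EFE',
    'ts=2025-05-15T09:21:00Z type=proxy src=10.0.0.24 dst=203.0.113.5 url="https://example.com/"',
]

def scan(lines):
    """Return (timestamp, hits) for every line that matches at least one indicator."""
    events = [parse_kv_line(line) for line in lines]
    return [(e.get("ts"), match_event(e)) for e in events if match_event(e)]
```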

    Reference: 

    https://www.trellix.com/blogs/research/cfo-spear-phishing-netbird-attack/


    Tags

    Malware, Phishing, CFO, Energy, Financial Services, Europe, Africa, Canada, The Middle East, South Asia, NetBird, Spear Phishing
