NetBird’s Response to Spear-Phishing Campaign Targeting Financial Executives

NetBird responds to a spear-phishing campaign that misused its platform post-compromise, confirming no vulnerability in the service and detailing swift action to block malicious activity and secure its infrastructure.

Statement from the CEO of NetBird

We appreciate the diligent work by Trellix in uncovering the recent spear-phishing campaign that misused NetBird’s seamless connectivity.

First and foremost, we want to emphasize that there was no vulnerability in the NetBird platform exploited during this incident. Additionally, it's important to note that prior to installing NetBird and starting the service, administrative privileges are required. The malicious actor had already gained these administrative privileges to execute the involved VBS script, enabling them to proceed with the installation and NetBird service startup.

As Trellix clearly stated in their report, NetBird remains a legitimate and secure networking tool:

"In what appears to be a multi-stage phishing operation, the attackers aimed to deploy NetBird, a legitimate wireguard based remote-access tool on the victim's computer. In recent years, adversaries have increasingly relied on remote-access applications like this to establish persistence and further their way into the victim's network."

NetBird’s growing popularity, reliability, and simplicity have made it a go-to solution for teams and individuals around the world to securely connect to internal infrastructure. NetBird is also proudly open source, a core value that fosters transparency, trust, and collaboration within the community.

Unfortunately, that same accessibility and openness can sometimes be misused. As with many trusted open-source tools, it's disheartening to see NetBird misused by malicious actors — not due to any flaw in the platform, but because of the way it can be repurposed.

In response to this incident, our team acted immediately by investigating the reported activity, blocking the malicious actors, and terminating all related connections. We remain committed to ensuring that NetBird is a safe and trusted platform for all users.

We are continually improving our monitoring and abuse detection systems, and we encourage anyone with additional information or concerns to contact us at security@netbird.io.

What has happened?

The Trellix article titled A Flyby on the CFO's Inbox details a sophisticated spear-phishing campaign targeting CFOs and finance executives across multiple regions, including Europe, Africa, Canada, the Middle East, and South Asia. Attackers impersonated a Rothschild & Co recruiter, sending emails that led recipients through a deceptive CAPTCHA to download a ZIP file containing a malicious VBS script. This script installed NetBird and OpenSSH, created a hidden admin account, and enabled Remote Desktop Protocol (RDP), granting attackers persistent access to the victim's system.

Trellix's recommendations for CFOs and executive teams:

  • Treat unsolicited "opportunities" or cold-recruitment emails with skepticism, especially when they come with a ZIP or obscure download link.
  • Never bypass security warnings to enable content or scripts from downloads.
  • Report unusual contact attempts to security teams, even if the email seems "harmless." Early reporting is often what prevents compromise.

NetBird Investigation Summary

Following the incident, we examined the disclosed setup key used in the exploit and confirmed that it belonged to a user account within our hosted NetBird service. To verify its validity, we attempted to add a peer using the key, which was still active at the time. This allowed us to successfully identify the associated account.

As an immediate response, we:

  • Disabled the identified account
  • Revoked the setup key linked to the account
  • Ensured that no machines within the account could continue to communicate via NetBird

We then conducted a detailed investigation of the user and the associated account, uncovering the following:

  1. Account Creation Date: The account was created on March 25th, 2025.
  2. Setup Key Usage: The disclosed setup key was used 197 times over a period of 65 days to register machines.
  3. Network Policy: The account had a permissive policy in place, allowing unrestricted traffic and connectivity between all registered machines.
  4. SSH Access: NetBird SSH was not enabled on any of the connected machines. The malicious actor used OpenSSH or other means of connectivity, such as RDP, to access vulnerable machines.
  5. Account Ownership: The account had only one user associated with it; no additional users or administrators were present.

Conclusion

The account involved in the exploit appeared to be used in an automated or scripted manner, given the high number of peer registrations in a short period. The permissive network policy and absence of user oversight (i.e., no additional users or SSH configuration) suggest the account was likely created and maintained for opportunistic or unauthorized use. Our immediate containment actions successfully mitigated any ongoing risk from this account.
