APT MuddyWater Targets CFOs with Multi-Stage Phishing & NetBird Abuse
Essential information
- Published
- 21/08/2025 07:35
- Modified
- 21/08/2025 12:22
- Tags
- 2025-08-21, apt, ateraagent, cfo, finance, firebase, multi-stage, netbird, remote access, spear-phishing, vbs
- Related entities
- 1 intrusion set (APT), 2 malware, 4 others
Description
A sophisticated spear-phishing campaign, likely linked to the MuddyWater APT, is targeting CFOs and other finance executives across multiple continents. The attackers use Firebase-hosted phishing pages with custom CAPTCHA challenges, malicious VBS scripts and multi-stage payload delivery to install NetBird, a legitimate remote-access tool, for persistent control of the victim's system. The lure is social engineering: the attackers impersonate a Rothschild & Co recruiter. Analysis revealed evolving infrastructure, updated payload paths and overlaps with known MuddyWater activity. The attackers abuse legitimate tools such as NetBird and AteraAgent for remote access and monitoring, and rely on techniques such as AES encryption and math-based CAPTCHA lures to evade detection.
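The chain summarised above (a VBS script dropped through a phishing lure, followed by the installation of a legitimate remote-access tool) is something a defender can correlate in endpoint process-creation telemetry. The following is an added example, not code from the report, from MuddyWater tooling or from the NetBird or Atera vendors: it parses a simplified, constructed process-creation log format, flags a script host (wscript.exe or cscript.exe) running a .vbs file from a user-writable path, and raises an alert when NetBird or AteraAgent is installed or launched on the same host within a short window afterwards. The log format, host names, file names and the 30-minute window are all assumptions; a real deployment would map the fields onto Sysmon Event ID 1 or an EDR's process events.

```python
"""Correlation rule: user-path VBS execution followed by a remote-access tool.

Added example (not from the original report). The log line format, the
sample events and the time window are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed process-creation events: timestamp, host, parent, image, command line.
SAMPLE_LOGS = [
    r'2025-08-20T09:12:01Z host=FIN-LAPTOP-07 parent=explorer.exe image=wscript.exe cmd="wscript.exe C:\Users\cfo\Downloads\job_description.vbs"',
    r'2025-08-20T09:14:30Z host=FIN-LAPTOP-07 parent=wscript.exe image=msiexec.exe cmd="msiexec.exe /i C:\Users\cfo\AppData\Local\Temp\netbird.msi /qn"',
    r'2025-08-20T09:15:02Z host=FIN-LAPTOP-07 parent=services.exe image=netbird.exe cmd="C:\Program Files\NetBird\netbird.exe service run"',
    # Benign: an administrator installing NetBird with no preceding script stage.
    r'2025-08-20T10:00:00Z host=IT-ADMIN-01 parent=explorer.exe image=msiexec.exe cmd="msiexec.exe /i C:\Users\admin\Downloads\netbird.msi"',
    # Benign: a built-in VBS run from a system directory, then an agent start.
    r'2025-08-20T11:00:00Z host=FIN-LAPTOP-02 parent=explorer.exe image=cscript.exe cmd="cscript.exe C:\Windows\System32\slmgr.vbs /dlv"',
    r'2025-08-20T11:05:00Z host=FIN-LAPTOP-02 parent=services.exe image=AteraAgent.exe cmd="C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) '
    r'image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Paths an unprivileged user can write to; scripts run from here are more suspicious.
USER_WRITABLE = re.compile(r'\\(users|temp)\\', re.IGNORECASE)
# Legitimate remote-access tools named in the report; their presence is only
# meaningful together with the preceding script stage.
REMOTE_TOOLS = ("netbird", "ateraagent")


def parse(line):
    """Turn one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def is_script_stage(ev):
    """A script host executing a .vbs file from a user-writable directory."""
    cmd = ev["cmd"].lower()
    return (ev["image"].lower() in SCRIPT_HOSTS
            and ".vbs" in cmd
            and USER_WRITABLE.search(ev["cmd"]) is not None)


def remote_tool(ev):
    """Name of the remote-access tool an event installs or runs, else None."""
    haystack = (ev["image"] + " " + ev["cmd"]).lower()
    for tool in REMOTE_TOOLS:
        if tool in haystack:
            return tool
    return None


def correlate(lines, window=timedelta(minutes=30)):
    """Return one alert per script-stage event that is followed, on the same
    host and within `window`, by a remote-access tool install or launch."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if not is_script_stage(ev):
            continue
        tools = set()
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break  # events are time-ordered, nothing further can match
            if later["host"] != ev["host"]:
                continue
            tool = remote_tool(later)
            if tool:
                tools.add(tool)
        if tools:
            alerts.append({
                "host": ev["host"],
                "at": ev["ts"].isoformat(),
                "script": ev["cmd"],
                "tools": sorted(tools),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Running the block on the constructed sample yields a single alert for FIN-LAPTOP-07 (the VBS from Downloads followed by a NetBird install and service start); the administrator's NetBird install and the slmgr.vbs-then-AteraAgent sequence on FIN-LAPTOP-02 are not raised, because neither has a user-path script stage. The rule deliberately keys on the sequence rather than on the tool name alone, since NetBird and AteraAgent are legitimate software that many organisations run.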