Fake Zoom Meeting Silently Installs Surveillance Software


A recently identified phishing campaign is abusing a fake Zoom meeting page to silently deploy surveillance software onto Windows systems. Instead of delivering traditional malware, the attackers leverage a legitimate commercial employee-monitoring product, Teramind, configured in stealth mode and pre-registered to an attacker-controlled server. The campaign relies heavily on social engineering, automated download triggers, and UI deception rather than technical exploitation, making it both effective and difficult to detect with conventional signature-based defenses.

Severity: High

Threat Infrastructure & Delivery

The campaign utilizes a sophisticated social engineering “waiting room” to facilitate the infection.

  • Primary URL: uswebzoomus[.]com/zoom/.
  • Deception Mechanism:
    • Fake Participants: Three scripted bots (“Matthew Karlsson,” “James Whitmore,” and “Sarah Chen”) appear to join the call with authentic audio chimes.
    • Simulated Technical Issues: A hardcoded “Network Issue” warning and deliberate audio/video lag encourage the user to accept an “Update”.
    • Visual Mimicry: After the download, the site displays a fake Microsoft Store interface showing “Zoom Workplace” mid-installation to mask the malicious activity.
  • The Payload: Ten seconds after the meeting screen appears, a mandatory five-second countdown triggers a silent download of the installer without user permission.

Malware Technical Profile: Teramind “Stealth Mode”

The attackers have repurposed Teramind, a commercial monitoring product, as a form of “stalkerware”.

  • Filename: zoom_agent_x64_s-i(_941afee582cc71135202939296679e229dd7cced) (1).msi
  • Persistence: Installs as a system service named tsvchst.
  • Stealth: Runs as dwm.exe in C:\ProgramData\{GUID}; has no taskbar icon or system tray entry.
  • Capabilities: Logs keystrokes, screenshots, clipboard contents, app usage, and email/file activity.
  • Evasion: Includes DETECT_DEBUG_ENVIRONMENT logic to change behavior if run in a sandbox.

Analysis & Impact

This campaign is particularly dangerous because it uses legitimate, signed software to bypass traditional antivirus tools that primarily look for known malicious code.

  • Targeting: Users joining personal or professional meetings.
  • Ease of Infection: The transition from click to installation takes less than 30 seconds.
  • Attacker Advantage: Using commercial software provides the attackers with professional-grade stability and persistence that custom malware often lacks.

Recommendations

  1. Always hover over a link to inspect the actual destination URL; if it is not zoom[.]us, do not click it.
  2. Launch meetings directly through the installed Zoom application rather than following browser-based redirects from unexpected emails or messages.
  3. Be wary of any “update” that triggers automatically with a countdown and provides no option to cancel or close the window.
  4. Use tools like AppLocker or Windows Defender Application Control (WDAC) to prevent unauthorized .msi files from executing in user directories.
  5. Configure EDR tools to alert on any new executables (specifically dwm.exe) being created within the C:\ProgramData\{GUID} directory path.
  6. Create a detection rule for the creation of a new system service named tsvchst, which is the primary persistence mechanism for this stealth agent.
  7. If Compromise is Suspected:
    • Verify Infection: Open Command Prompt as admin and run sc query tsvchst; a RUNNING state confirms the presence of the agent.
    • Identify Files: Enable “Hidden items” in File Explorer and check C:\ProgramData for the {4CEC2908-5CE4-48F0-A717-8FC833D8017A} folder.
    • Change passwords for all sensitive accounts (banking, email, corporate) using a separate, known-clean device.
    • If the machine is company-owned, immediately disconnect from the network and report to the IT or security team.
  8. Block the IOCs at their respective controls. The full indicator collection is available at:
    https://www.virustotal.com/gui/collection/86b192ed851b9c3354a4e890322a031b9b7638e65f4de62ce13fe0071429c46e/iocs
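A host-triage script for the indicators in recommendations 5 to 7, added here as an example; it is not part of the original advisory or of the Malwarebytes write-up. It assumes the service name (tsvchst), the masquerading process name (dwm.exe) and the GUID folder listed above, and should be run from an elevated PowerShell session so that process paths are readable.

```powershell
# Added example (not from the advisory): triage a Windows host for the Teramind
# stealth-mode indicators described above. Values below are taken from the advisory.
$ServiceName   = 'tsvchst'
$LegitDwmPath  = Join-Path $env:SystemRoot 'System32\dwm.exe'
$SuspectFolder = Join-Path $env:ProgramData '{4CEC2908-5CE4-48F0-A717-8FC833D8017A}'
$GuidFolder    = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Test-TeramindStealthIndicators {
    $findings = @()

    # 1. Persistence: a service named tsvchst (the PowerShell equivalent of "sc query tsvchst").
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += [pscustomobject]@{ Indicator = 'Service'
            Detail = "$($svc.Name) state=$($svc.State) path=$($svc.PathName)" }
    }

    # 2. Masquerading: any dwm.exe whose image is not %SystemRoot%\System32\dwm.exe.
    foreach ($proc in (Get-Process -Name 'dwm' -ErrorAction SilentlyContinue)) {
        $path = $proc.Path   # null when the session lacks rights to read it
        if ($path -and ($path -ne $LegitDwmPath)) {
            $findings += [pscustomobject]@{ Indicator = 'Process'; Detail = "PID $($proc.Id) $path" }
        }
    }

    # 3. Dropped files: the known hidden {GUID} folder under C:\ProgramData, plus
    #    dwm.exe sitting directly inside any other GUID-named ProgramData folder.
    if (Test-Path -LiteralPath $SuspectFolder) {
        $findings += [pscustomobject]@{ Indicator = 'Folder'; Detail = $SuspectFolder }
    }
    $dirs = Get-ChildItem -Path $env:ProgramData -Directory -Force -ErrorAction SilentlyContinue
    foreach ($dir in $dirs) {
        if ($dir.Name -notmatch $GuidFolder) { continue }
        $exe = Join-Path $dir.FullName 'dwm.exe'
        if (Test-Path -LiteralPath $exe) {
            $findings += [pscustomobject]@{ Indicator = 'File'; Detail = $exe }
        }
    }
    return $findings
}

$results = Test-TeramindStealthIndicators
if ($results) { $results | Format-Table -AutoSize } else { 'No Teramind stealth-mode indicators found.' }
```

Any hit on the service or on a dwm.exe outside System32 warrants isolating the host and following the "If Compromise is Suspected" steps above.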

Source:

  • https://www.malwarebytes.com/blog/scams/2026/02/fake-zoom-meeting-update-silently-installs-surveillance-software

Ampcus Cyber