{"id":7244,"date":"2026-02-25T02:08:53","date_gmt":"2026-02-25T02:08:53","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7244"},"modified":"2026-02-25T02:08:53","modified_gmt":"2026-02-25T02:08:53","slug":"fake-zoom-meeting-silently-installs-surveillance-software-says-malwarebytes","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7244","title":{"rendered":"Fake Zoom meeting silently installs surveillance software, says Malwarebytes"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The latest fake Zoom meeting scam silently pushes surveillance software onto the Windows computers of unwitting employees.<\/p>\n<p>That\u2019s <a href=\"https:\/\/www.malwarebytes.com\/blog\/scams\/2026\/02\/fake-zoom-meeting-update-silently-installs-surveillance-software\" target=\"_blank\" rel=\"noopener\">according to researchers at Malwarebytes,<\/a> who warn that staff falling for the scam land in a convincing imitation of a Zoom video call. Moments later, an automatic \u201cUpdate Available\u201d countdown downloads a malicious installer, without asking permission.<\/p>\n<p>The software installed is a covert build of Teramind, a commercial monitoring tool companies use to record what employees do on work computers. Many anti-malware solutions may not catch this because it would look like a legitimate application. 
But in the hands of a threat actor it\u2019s gold: It logs keystrokes, takes screenshots at regular intervals, records which websites were visited and which applications were opened, captures clipboard contents and tracks email and file activity.<\/p>\n<p>Zoom has long been a service that threat actors try to use to their advantage, because employees are used to getting invitations to join a meeting from colleagues, managers, and customers.<\/p>\n<p>Fake Zoom meeting scams usually start with phishing emails or text messages, so the first defense CSOs need to deploy is employee security awareness training.<\/p>\n<p>\u201cTaking five seconds to confirm a meeting link really leads to <em>zoom.us<\/em> [instead of an impostor link] is a simple habit that can prevent a serious problem,\u201d Malwarebytes advises. The fake website that victims are sent to in this campaign is <em>uswebzoomus[.]com\/zoom\/<\/em><\/p>\n<p><a href=\"https:\/\/blog.knowbe4.com\/author\/roger-grimes\" target=\"_blank\" rel=\"noopener\">Roger Grimes<\/a>, CISO advisor at awareness training provider KnowBe4, said he\u2019s seen many malicious Zoom calls start with meeting invites in both Gmail and Microsoft Outlook. In fact, <a href=\"https:\/\/www.linkedin.com\/pulse\/fake-outlook-meeting-roger-grimes-xznve\/\" target=\"_blank\" rel=\"noopener\">earlier this month he got one<\/a> that was automatically added to his online calendar. Like most phishing lures, the calendar notice had a hard-to-miss subject line: \u201cFinal Notice: Payroll Acknowledgement Action Required: Meeting with \u2026\u201d<\/p>\n<p>One of the key indicators of a possible phishing lure is a subject line that demands fast action so, hopefully, the target doesn\u2019t think before clicking. 
Another tip this was likely a fake: It arrived on a Sunday afternoon.<\/p>\n<p>Employees must be educated to not trust unexpected calendar invites or Zoom meetings, especially when they include\u00a0unknown names and email addresses, he said.<\/p>\n<p>\u201cThe way to avoid 99% of scams is to be super skeptical of any unexpected incoming message asking you to do something you\u2019ve never done before (for example, install new software while attending a meeting),\u201d he said. \u201cIf you get a message or an invitation including those two traits (they\u2019re unexpected and asking you to do something you\u2019ve never done before), research it using a trusted source outside the message before performing the requested actions.\u201d<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/dbshipley\/\" target=\"_blank\" rel=\"noopener\">David Shipley<\/a>, CEO of awareness training provider Beauceron Security, agreed employee training about fake Zoom invites is essential.<\/p>\n<p>\u201cOur research has shown that the two top reasons people click on a phishing link are that it looked legitimate and they were expecting something similar,\u201d he said. \u201cThanks to AI, phishes look better than ever and can be more precisely targeted.\u201d\u00a0<\/p>\n<p>The key when teaching people isn\u2019t just offering the traditional advice around checking the sender, subject line, or link, he added; 40% of people don\u2019t even think before they click.\u00a0<\/p>\n<p>\u201cThe key is teaching people to slow down with e-mail (or any communication tool the outside world can send messages to) and to always ask the following questions: \u2018Do I know who is sending me this? Am I expecting it from this person? 
Does it feel off?\u2019\u201d\u00a0<\/p>\n<p>The second teaching point, he said, is to remind staff to report if, after clicking on a Zoom email invite, it does something new, like installing software.<\/p>\n<p>Warnings about fake Zoom invites are widespread, coming from many sources, from a security vendor to the <a href=\"https:\/\/www.parealtors.org\/blog\/scam-alert-agents-targeted-with-zoom-links-containing-malware\/\" target=\"_blank\" rel=\"noopener\"><em>Pennsylvania Association of Realtors<\/em><\/a>. Last October the association warned that so-called potential buyers are targeting agents with listings on the Multiple Listing Service (MLS), Realtor.com, and Zillow, showing interest in a property. Before submitting an offer, the potential client insists on having a Zoom meeting to discuss the property with the agent. The scammer sends a Zoom link, but when an agent clicks on it, malware is installed on their computer or phone.<\/p>\n<p>Similarly, last summer the <a href=\"https:\/\/medicine.buffalo.edu\/offices\/omc.host.html\/content\/shared\/www\/ubit\/news\/2025\/fake-zoom-invites.detail.html\" target=\"_blank\" rel=\"noopener\">University at Buffalo warned students and staff<\/a> that hackers were sending fake \u201cZoom invitation\u201d links to UBmail accounts, with the goal of installing malware.<\/p>\n<p>And <a href=\"https:\/\/www.zoom.com\/en\/blog\/zoom-job-scams\/\" target=\"_blank\" rel=\"noopener\">Zoom itself has blogged<\/a> on how to avoid being stung by job offer scams.<\/p>\n<h2 class=\"wp-block-heading\">How it plays out<\/h2>\n<p>Malwarebytes didn\u2019t explain how the specific campaign it reports on in the blog is initiated. 
But if a victim accepts a meeting invite and goes to the fake site, they arrive in what looks like a Zoom waiting room. At the same time, the site quietly sends a message to the attackers letting them know someone has entered.<\/p>\n<p>Three scripted fake participants\u2014\u201cMatthew Karlsson,\u201d \u201cJames Whitmore,\u201d and \u201cSarah Chen\u201d\u2014appear to join the call one by one, each announced by a genuine-sounding Zoom join chime. But their conversation audio loops on repeat in the background. Nothing else happens unless the victim tries to interact. Then a permanent \u201cNetwork Issue\u201d warning is displayed over the main video tile, seemingly to explain the choppy audio and lagging video. When an \u201cUpdate Available\u201d prompt appears moments later, Malwarebytes says, it feels like a fix for the problem.<\/p>\n<p>At that point there is one chance to stop the attack: The victim has to click on the download for the installation to proceed. Many employees would, for it feels like the natural thing to do, says <a href=\"https:\/\/rs.linkedin.com\/in\/stefandasic\" target=\"_blank\" rel=\"noopener\">Stefan Dasic<\/a>, Malwarebytes manager of research and response. That\u2019s why it\u2019s important that employees be trained to never update Zoom from a link in a message. Updates should come only from the updater within the Zoom application.<\/p>\n<p>If the victim clicks on the download, a pop-up with no close button takes over, saying: \u201cUpdate Available \u2014 A new version is available for download.\u201d A spinner turns and a counter ticks from five to zero; when the counter hits zero, the browser is instructed to silently download a file. At the same moment, the page switches to what looks like the Microsoft Store, showing \u201cZoom Workplace\u201d mid-installation, spinner and all. 
While the visitor watches what appears to be a legitimate install resolving the problem, the real installer with the spyware has already landed in their Downloads folder without asking for permission and is compromising their system. The installer contains code to prevent it from being analyzed by anti-malware solutions.<\/p>\n<p>\u201cThe attackers did not write custom malware,\u201d the blog points out. \u201cThey deployed a professionally developed commercial product that is designed to run reliably and persist through restarts. That makes it more durable than many traditional malware strains.\u201d<\/p>\n<p>This campaign does not rely on technical sophistication, the blog adds. \u201cNo new hacking technique was used. The attacker built a convincing fake Zoom page, set an automatic download to fire before any visitor has a reason to be suspicious, and used a fake Microsoft Store screen to explain it all away. From click to install takes less than thirty seconds. Someone who was expecting a Zoom invite and saw what looked like a Microsoft installation in progress could easily walk away believing nothing unusual had happened.\u201d<\/p>\n<p>Malwarebytes advises infosec leaders who learn that an employee visited the <em>uswebzoomus<\/em> site to treat their computer as compromised.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The latest fake Zoom meeting scam silently pushes surveillance software onto the Windows computers of unwitting employees. That\u2019s according to researchers at Malwarebytes, who warn that staff falling for the scam land in a convincing imitation of a Zoom video call. Moments later, an automatic \u201cUpdate Available\u201d countdown downloads a malicious installer, without asking permission. 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7245,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7244","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7244"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7244"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7244\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7245"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7244"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7244"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7244"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}