Employees are being targeted by a new fake Zoom meeting scam that silently installs surveillance software on their Windows computers, according to researchers at Malwarebytes. The attack lures victims into what appears to be a legitimate Zoom video call interface and then presents a fraudulent update prompt that leads to the download of a malicious installer. The campaign demonstrates how threat actors continue to exploit widely used collaboration tools to infiltrate corporate environments, relying more on deception than technical complexity.
In this scheme, staff members are typically directed to a convincing imitation of a Zoom waiting room hosted on a malicious domain, uswebzoomus[.]com/zoom/. Once a user lands on the page, the site quietly notifies the attackers that a potential victim has arrived. The interface mimics a real Zoom session, complete with scripted participants joining the meeting one by one. Names such as Matthew Karlsson, James Whitmore, and Sarah Chen appear as attendees, accompanied by authentic-sounding join chimes. Audio from a supposed conversation loops in the background, adding to the realism. When users attempt to interact, a persistent "network issue" warning appears over the main video tile, suggesting connectivity problems. Moments later, an "update available" prompt is displayed, positioned as a solution to the simulated technical difficulties.
If the victim clicks the download prompt, a pop-up without a close button takes over the screen, announcing that a new version is available. A countdown timer ticks from five to zero while a spinner rotates, creating urgency. Once the timer ends, the browser is instructed to download a file automatically. Simultaneously, the page switches to a convincing imitation of the Microsoft Store, showing Zoom Workplace appearing to install. While the user believes a legitimate update is in progress, a covert build of Teramind, a commercial employee monitoring application, is downloaded into the system's Downloads folder without explicit permission. The installer includes code designed to evade analysis by security tools, and detection is made harder by the fact that the software itself is a legitimate commercial product. In the wrong hands, however, it can log keystrokes, capture screenshots at intervals, record visited websites and opened applications, monitor clipboard contents, and track email and file activity.
Security experts warn that Zoom has long been a popular lure for attackers because employees are accustomed to receiving meeting invitations from colleagues, managers, and clients. Roger Grimes, CISO advisor at KnowBe4, noted that malicious Zoom invites frequently arrive via Gmail or Microsoft Outlook and may even be automatically added to online calendars. He recently observed a phishing calendar notice with a subject line urging immediate payroll acknowledgement action, a tactic designed to push recipients into clicking without thinking. He emphasized that unexpected messages demanding urgent action, particularly those arriving at unusual times such as weekends, are common warning signs. Grimes advises employees to be highly skeptical of any unexpected communication asking them to perform unfamiliar actions, such as installing software during a meeting, and to verify requests using trusted sources outside the original message.
David Shipley, CEO of Beauceron Security, echoed the importance of training, citing research showing that people often click phishing links because messages appear legitimate or align with something they were anticipating. With artificial intelligence improving the quality and targeting of phishing attempts, he stressed the need to slow down and question incoming communications. Staff should ask whether they recognize the sender, whether they expected the message, and whether anything feels unusual. Malwarebytes advises that updates to Zoom should only be performed within the official application itself and not through links in messages. Organizations discovering that employees visited the malicious domain are urged to treat affected devices as compromised and respond accordingly.
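The response step above, finding which devices contacted the malicious domain so they can be treated as compromised, is a log-triage task. The script below is an added example, not code from the article or from Malwarebytes: it refangs the defanged indicator quoted in the article (uswebzoomus[.]com), scans constructed web-proxy log lines (the log format, hostnames, subdomain and installer filename are all made up for illustration) and reports, per host, which URLs on the indicator domain were visited and which of them look like an installer download.

```python
import re
from collections import defaultdict

# Indicator quoted in the article, kept defanged as analysts usually store it.
DEFANGED_IOCS = ["uswebzoomus[.]com"]

# Constructed sample proxy log (not real traffic). Format assumed here:
# <timestamp> <client host> <method> <url> <http status>
SAMPLE_PROXY_LOG = """\
2024-05-06T09:12:01Z wks-1042 GET https://zoom.us/download 200
2024-05-06T09:14:33Z wks-0217 GET https://uswebzoomus.com/zoom/ 200
2024-05-06T09:15:10Z wks-0217 GET https://uswebzoomus.com/zoom/ZoomUpdate.exe 200
2024-05-06T09:20:45Z wks-0311 GET https://example.org/news 200
2024-05-06T09:22:08Z wks-0555 GET https://cdn.uswebzoomus.com/assets/chime.mp3 200
not a log line at all
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)
INSTALLER_EXTENSIONS = (".exe", ".msi")  # assumed: what we count as a download of interest


def refang(ioc):
    """Turn a defanged indicator like 'example[.]com' back into a matchable domain."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


MALICIOUS_DOMAINS = {refang(i) for i in DEFANGED_IOCS}


def domain_of(url):
    """Extract the host part of a URL (empty string if the URL has no scheme)."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def is_malicious_domain(domain):
    """True for the indicator domain itself and for any of its subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in MALICIOUS_DOMAINS)


def looks_like_installer(url):
    path = url.split("?", 1)[0].split("#", 1)[0].lower()
    return path.endswith(INSTALLER_EXTENSIONS)


def triage_proxy_log(text):
    """Return {host: {"visited": [urls], "downloaded": [urls]}} for every host
    that contacted an indicator domain. Malformed lines are skipped, not fatal."""
    findings = defaultdict(lambda: {"visited": [], "downloaded": []})
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        url = m.group("url")
        if not is_malicious_domain(domain_of(url)):
            continue
        entry = findings[m.group("host")]
        entry["visited"].append(url)
        if looks_like_installer(url):
            entry["downloaded"].append(url)
    return dict(findings)


def compromised_hosts(findings):
    """Every host that reached the domain at all; the article's advice is to treat
    each of these as compromised, whether or not a download was observed."""
    return sorted(findings)


if __name__ == "__main__":
    result = triage_proxy_log(SAMPLE_PROXY_LOG)
    for host in compromised_hosts(result):
        print(host, "visited:", len(result[host]["visited"]),
              "downloads:", result[host]["downloaded"])
```

Hosts that only fetched assets from a subdomain are still listed, because reaching the page at all is what the article says should trigger a response; the download list just tells the responder where to look first.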
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.