Fake Zoom Update Installs Covert Surveillance Software on Windows Devices
A new scam exploits Zoom’s popularity to silently install surveillance software on Windows machines. It uses a fake Zoom meeting website that tricks users into downloading a malicious “update” which in fact installs Teramind, a legitimate commercial monitoring tool, without their consent. The attack is part of a growing trend of criminals abusing legitimate software for malicious ends: because the payload is a real product rather than custom malware, detection is harder.
How They Scam Victims
The scam begins when a user clicks a malicious Zoom link that leads to a convincing fake website mimicking a Zoom waiting room. The page looks like a typical Zoom call interface, with a few key differences. As soon as it loads, it quietly notifies the attacker that a visitor has arrived.
The site is designed to put the user at ease. It shows scripted participants, such as “Matthew Karlsson,” “James Whitmore,” and “Sarah Chen,” joining the call one by one, and these names together with a background audio loop create a false sense of legitimacy. No meeting ever takes place; the only purpose of the scene is to convince the user that they are waiting for a call to begin.
The attackers intentionally create a frustrating experience for the user. A “Network Issue” warning is always displayed over the main video window, and the audio and video quality are deliberately choppy. This glitchy behavior is not a mistake but a psychological tactic. It primes the user to expect something is wrong with the Zoom application, making the subsequent “Update Available” prompt appear as a natural solution to the problem.
The Silent Installation of Teramind
After several moments of sitting through a broken, unresponsive call, the victim is shown an “Update Available” pop-up. The user, primed by the frustration, is likely to accept the offered update. The pop-up runs a countdown, and when the timer reaches zero a file is downloaded to the victim’s machine. This file is Teramind, a commercial employee monitoring agent, disguised as a Zoom update. Note that a browser download does not execute on its own: the victim still has to open the file, which is exactly what the “update” framing is designed to make them do.
The downloaded file is named something like zoom_agent_x64_s-i(__941afee582cc71135202939296679e229dd7cced) (1).msi, a standard Windows installer package. The long hexadecimal string in the filename is the Teramind instance identifier that ties the installer to the attacker’s Teramind account (it is also listed in the IOCs below), and the installer is the stealth variant of the agent. Once opened, it shows no standard installation interface and asks no further questions. Instead, the user watches a fake “Zoom Workplace” installation progressing in what appears to be the Microsoft Store, unaware that the real surveillance agent is being installed in the background.
Why Teramind Makes This Scam Unusually Dangerous
Teramind is a legitimate software product designed for monitoring employees on company-owned devices. It tracks keystrokes, takes screenshots, logs websites visited, and records file activity. However, when installed on personal devices without consent, it becomes “stalkerware”—an intrusive tool used to monitor someone without their knowledge. Because Teramind is a legitimate tool, traditional antivirus software may not flag it as malicious, making it especially difficult to detect.
Moreover, Teramind can run in stealth mode: once installed, it leaves no icon on the taskbar or in the system tray. The agent runs silently as a background service and continuously reports user activity to the attacker’s Teramind instance, which makes it both harder to notice and harder to remove than typical commodity malware.
The most notable part of this scam is that no new hacking technique was used. The attackers built a convincing fake Zoom website, added a realistic psychological trigger, and got the monitoring software installed with minimal interaction from the victim. Abusing a legitimate product in this way is what makes the attack dangerous and harder to detect than traditional malware.
How to Protect Yourself
If you suspect that you have fallen victim to this scam, here are the immediate steps you should take:
- Do not open any file downloaded from a suspicious Zoom link. An installer that is never run cannot install anything.
- Check for the agent’s install folder: open File Explorer, go to C:\ProgramData and look for a folder named like {4CEC2908-5CE4-48F0-A717-8FC833D8017A}.
- Check whether the surveillance agent service is running: open Command Prompt as Administrator and run `sc query tsvchst`. If the service reports a RUNNING state, the agent is active.
- Change the passwords for important accounts (email, banking, and work) from a different, trusted device, since the agent logs keystrokes on the compromised one.
If this happened on a work computer, contact your IT department immediately for assistance in removing the software.
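The three checks above can be run together. The following PowerShell script is an added example and is not part of the original article or of Teramind; it looks for the service name, the ProgramData folder name and the SHA-256 hash given on this page. The search locations (the user’s Downloads folder and TEMP), the 30-day age filter and the `zoom_agent*` filename pattern are my own assumptions about where the downloaded MSI is likely to sit. Run it from an elevated PowerShell prompt.

```powershell
# Added triage script (not from the original article). Indicators below are
# taken from the article; search paths and the 30-day window are assumptions.
$KnownHash   = '644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa'
$KnownFolder = '{4CEC2908-5CE4-48F0-A717-8FC833D8017A}'
$ServiceName = 'tsvchst'
$Findings    = @()

# 1. The Teramind agent service (PowerShell equivalent of "sc query tsvchst").
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) {
    $Findings += "Service '$ServiceName' present, status: $($svc.Status)"
    # Win32_Service also exposes the binary path and start mode, which the
    # IR report and the removal step both need.
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if ($cim) { $Findings += "  Binary: $($cim.PathName) (start mode: $($cim.StartMode))" }
}

# 2. The agent's install folder under C:\ProgramData.
$folder = Join-Path $env:ProgramData $KnownFolder
if (Test-Path -Path $folder) {
    $Findings += "Install folder present: $folder"
}

# 3. Recently downloaded MSI files: hash every candidate and compare it with
#    the IOC; report name matches separately because a rebuilt installer for a
#    different Teramind instance would carry a different hash.
$searchDirs = @("$env:USERPROFILE\Downloads", $env:TEMP)   # assumption
Get-ChildItem -Path $searchDirs -Filter '*.msi' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like 'zoom_agent*' -or $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        if ($hash -ieq $KnownHash) {
            $Findings += "IOC hash match: $($_.FullName)"
        } elseif ($_.Name -like 'zoom_agent*') {
            $Findings += "Suspicious filename, hash differs from IOC: $($_.FullName) $hash"
        }
    }

# 4. Report. Do not stop the service or delete files yet: preserve the
#    evidence and hand over to IT or IR first.
if ($Findings.Count -eq 0) {
    Write-Output 'No Teramind indicators found.'
} else {
    Write-Output 'Indicators found:'
    $Findings | ForEach-Object { Write-Output $_ }
    Write-Output 'Change passwords from another device and involve IT before removing the agent.'
}
```

The script deliberately reports rather than remediates: stopping the service or deleting the folder before the incident is documented destroys the evidence IT or an incident responder will want, and on a managed device removal is their job anyway.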
Prevention Tips
To avoid falling victim to similar attacks in the future:
- Always open Zoom directly from the app or type zoom.us into your browser rather than clicking on unknown links.
- Be cautious with unexpected meeting links, especially those you were not specifically expecting.
- Verify the URL of any meeting invitation to ensure it is a legitimate Zoom link (zoom.us), not a fraudulent domain.
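Checking a link by eye is unreliable, because a lookalike such as the domain in this article’s IOC table reads as “zoom” at a glance. The function below is an added example, not from the article, of how to check a meeting URL programmatically: it accepts only HTTPS links whose host is exactly zoom.us or a real subdomain of it, which rejects both “zoom.us” used as a prefix of another domain and a host that merely contains the word. The sample URLs are constructed for the demo; a real deployment would also need to allow any other domains Zoom documents for your organization, which is an assumption not covered here.

```powershell
# Added example (not from the article): is this link really a zoom.us link?
function Test-ZoomLink {
    param([Parameter(Mandatory)][string]$Url)

    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return $false                                  # not a valid absolute URL
    }
    if ($uri.Scheme -ne 'https') { return $false }     # reject http:// and defanged hxxps://

    # $host is a reserved automatic variable in PowerShell, so use another name.
    $hostName = $uri.Host.ToLowerInvariant()
    # Exact apex, or a true subdomain such as us02web.zoom.us. Requiring the
    # ".zoom.us" suffix (with the dot) is what rejects "zoom.us.example.com"
    # and "uswebzoomus.com".
    return ($hostName -eq 'zoom.us') -or $hostName.EndsWith('.zoom.us')
}

# Constructed sample links for the demo.
$samples = @(
    'https://us02web.zoom.us/j/1234567890',   # legitimate regional subdomain -> True
    'https://zoom.us/j/1234567890',           # apex domain                   -> True
    'https://uswebzoomus.com/j/1234567890',   # lookalike from the IOC table  -> False
    'https://zoom.us.example.com/j/123',      # zoom.us as a prefix           -> False
    'http://zoom.us/j/123',                   # plain HTTP                    -> False
    'hxxps://zoom.us/'                        # defanged scheme               -> False
)
foreach ($s in $samples) {
    '{0,-5} {1}' -f (Test-ZoomLink -Url $s), $s
}
```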
This attack is a reminder that attackers are increasingly resourceful and will repurpose legitimate tools like Teramind for surveillance without the user’s consent. A stalled video call looks harmless, but the monitoring software it leaves behind keeps reporting everything the victim types and views for as long as it stays installed.
Indicators of Compromise (IOCs)
| Indicator | Details |
|---|---|
| File Hash (SHA-256) | 644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa |
| Installer filename | zoom_agent_x64_s-i(__941afee582cc71135202939296679e229dd7cced) (1).msi |
| Domain | uswebzoomus[.]com |
| Teramind Instance ID | 941afee582cc71135202939296679e229dd7cced |
| Install folder | C:\ProgramData\{4CEC2908-5CE4-48F0-A717-8FC833D8017A} |
| Service name | tsvchst |
By staying vigilant and verifying the legitimacy of Zoom meeting links, users can better protect themselves from this growing type of scam that relies on psychological manipulation and legitimate software for nefarious purposes.