{
  "Event": {
    "analysis": "1",
    "date": "2026-02-24",
    "extends_uuid": "",
    "info": "[Threat Intel] Fake Zoom meeting 'update' silently installs unauthorized version of monitoring tool abused by cybercriminals to spy on victims",
    "protected": false,
    "publish_timestamp": "1772807242",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1772807242",
    "uuid": "3926c2f6-f7f5-435b-8020-115f99e80ddc",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#0cb256",
        "local": false,
        "name": "misp-galaxy:producer=\"Malwarebytes\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#9dc839",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Clipboard Data - T1115\"",
        "relationship_type": ""
      },
      {
        "colour": "#ff841f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"",
        "relationship_type": ""
      },
      {
        "colour": "#75ec20",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#e7980c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Pre-OS Boot - T1542\"",
        "relationship_type": ""
      },
      {
        "colour": "#3780c6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#62f4c1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#2e58ce",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772506818",
        "to_ids": false,
        "type": "link",
        "uuid": "4b6d81fa-6a9d-458a-8088-fe35747d1c9c",
        "value": "https://www.malwarebytes.com/blog/scams/2026/02/fake-zoom-meeting-update-silently-installs-surveillance-software"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772506818",
        "to_ids": false,
        "type": "text",
        "uuid": "7472a2c8-ad72-4b50-a5e5-94d1bc0b9656",
        "value": "A sophisticated scam campaign is targeting users with a fake Zoom meeting website that automatically downloads and installs an unauthorized version of Teramind, a legitimate workforce monitoring solution. The attackers create a convincing imitation of a Zoom video call, complete with fake participants and audio, to lure victims. After a short delay, an 'Update Available' prompt appears, leading to the silent installation of the monitoring software. The altered Teramind installer is configured to run stealthily and avoid detection by security tools. This campaign is particularly dangerous because it misuses legitimate commercial software, which makes the installation difficult for traditional antivirus tools to detect. The attackers gain full surveillance capabilities over the victim's device, including keylogging, screen capture, and file monitoring."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772506818",
        "to_ids": false,
        "type": "text",
        "uuid": "fb7041d5-ce35-4e0e-9710-09ed649d32a6",
        "value": "Name: Fake Zoom meeting 'update' silently installs unauthorized version of monitoring tool abused by cybercriminals to spy on victims\nAuthor: AlienVault\nAdversary: \nTags: [\"workforce monitoring\", \"social engineering\", \"fake update\", \"teramind abuse\", \"stealth installation\", \"valleyrat\", \"zoom impersonation\"]\nTgtd countries: []\nMlwr families: [\"ValleyRAT\"]\nAttack_ids: [\"T1113\", \"T1115\", \"T1071\", \"T1036\", \"T1083\", \"T1542\", \"T1204\", \"T1057\", \"T1078\", \"T1056\"]\nIndustries: []"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check: 04/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772574448",
        "to_ids": true,
        "type": "sha1",
        "uuid": "04aa71de-bf0b-42e7-b1f3-e3727f9ed1f0",
        "value": "941afee582cc71135202939296679e229dd7cced",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772575807",
        "to_ids": true,
        "type": "url",
        "uuid": "00bb2791-ef74-4f04-80bb-ed30016fe93c",
        "value": "http://uswebzoomus.com/zoom/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772575828",
        "to_ids": true,
        "type": "domain",
        "uuid": "330e14fe-0bde-4835-8a5d-d95ff6e84194",
        "value": "uswebzoomus.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772575850",
        "uuid": "6cba3cdf-5b06-45de-a093-bcbfb277774d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772575850",
            "to_ids": true,
            "type": "md5",
            "uuid": "375d1992-3e17-424c-8515-cbf60ed86fa1",
            "value": "ad0a22e393e9289deac0d8d95d8118b5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772574446",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0d566197-3c55-4a5d-9915-cd705b194d1b",
            "value": "39359ac4c6f23c26809f44526c37411bbfc68e2f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772574446",
            "to_ids": true,
            "type": "sha256",
            "uuid": "24a707ab-1312-459c-8f74-fd84792a41d5",
            "value": "644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772574353",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "7085c75e-5e53-48f4-964c-1331a930eb49",
            "value": "3145728:1/fkceLjNnVxd1QgojwmAeQXdiiKRdfDXr:xaLjFfQbZudsX"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772574353",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "eb964fe2-41d1-43dd-b960-14b19bc37885",
            "value": "108822528"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772574353",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b3d2512b-5271-47f2-9819-503bc792c6be",
            "value": "d6d0c35de9a0bda63bbb672080c1cfc0"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772574353",
            "to_ids": true,
            "type": "filename",
            "uuid": "ab1b2701-07e4-4c6a-80e7-bdc0d4066721",
            "value": "teramind_agent_v26.3.3403_x64 (1).msi"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/03/2026\nLast-scan: 04/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772574353",
            "to_ids": false,
            "type": "text",
            "uuid": "2d6db673-05f2-4a49-b3b9-0a78f0cdb493",
            "value": "Type Descriptio%WINDIR%\\Installer\nMicrosoft: None\nVT Total Detection:6/62\nFirst Submission:2026-01-27T15:29:44.000000+00:00\nLast Submission:2026-03-03T15:40:50.000000+00:00"
          }
        ]
      }
    ]
  }
}