A cleverly crafted fake Zoom website has silently pushed surveillance software onto Windows machines, infecting 1,437 users globally in just 12 days.
The campaign, first detected on February 11, 2026, on the Microsoft Defender for Endpoint (MDE) platform, used a rogue version of Teramind — a legitimate commercial workforce monitoring tool — to spy on victims.
Teramind has confirmed it has no affiliation with the threat actors and did not authorize the deployment of its software in any form.
The attack begins the moment a user lands on uswebzoomus[.]com/zoom/, a website built to look exactly like a genuine Zoom waiting room.
As the page loads, it quietly signals the attackers that a visitor has arrived. Three scripted fake participants — “Matthew Karlsson,” “James Whitmore,” and “Sarah Chen” — appear to join the call one by one, each announced by a realistic Zoom chime, with looped conversation audio playing in the background.
The page only activates this sequence when a real person interacts with it, meaning automated security scanners that probe without clicking see nothing suspicious.
Malwarebytes analysts identified and reported on this campaign on February 24, 2026, noting that the operation was engineered around psychological manipulation rather than advanced technical skills.
A permanent “Network Issue” banner is hardcoded onto the fake call page — not a glitch, but a deliberate setup. The choppy audio and frozen video create frustration, leading visitors to assume something is wrong with their app.
Ten seconds later, a pop-up appears: “Update Available — A new version is available for download,” with a five-second countdown and no option to close it.
When the counter hits zero, the browser silently downloads a malicious installer. Simultaneously, the page displays a fake Microsoft Store screen showing “Zoom Workplace” mid-installation — a convincing distraction while the real payload lands in the Downloads folder without any permission request.
A fake Zoom website (Source – Malwarebytes)
The file, zoom_agent_x64_s-i(__941afee582cc71135202939296679e229dd7cced)(1).msi, carries SHA-256 hash 644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa. At the time of discovery, Microsoft Defender was not flagging this file on VirusTotal, leaving users with no visible warning.
What makes this campaign particularly dangerous is that the attackers did not write custom malware.
They deployed a preconfigured rogue version of Teramind’s stealth deployment option — built to run with no taskbar icon, no system tray entry, and no visible trace in the installed programs list.
Stealth by Design: How the Installer Hides Itself
The installer’s internal build path contains the folder name out_stealth, confirming it was compiled specifically to run invisibly.
Once executed through Windows Installer, the agent collects the computer name, active user account, keyboard language, and system locale, then reports all activity back to an attacker-controlled Teramind server.
The agent binary defaults to the name dwm.exe and installs under C:\ProgramData\{4CEC2908-5CE4-48F0-A717-8FC833D8017A}.
The installer is also designed to detect sandbox environments used by security researchers — a technique called debug environment detection (DETECT_DEBUG_ENVIRONMENT).
If analysis is suspected, the installer can alter its behavior to avoid triggering security tools. Once installation completes, it deletes its own temporary staging files, erasing obvious traces.
Advanced hunting query (Source – LinkedIn)
The monitoring agent, however, continues running silently — logging keystrokes, capturing screenshots, monitoring web activity, clipboard contents, and file transfers.
Since the files belong to a legitimate commercial product, traditional antivirus tools relying on known malicious signatures may not detect this threat. Security teams should immediately add the SHA-256 hash and domain uswebzoomus[.]com to tenant block lists.
Users who visited the fake Zoom page should not open the downloaded file. Anyone who already ran the installer should treat the device as compromised, check for the hidden folder under C:\ProgramData, verify whether the tsvchst service is running, and change all passwords — email, banking, and work accounts — from a separate, clean device.
Work-related incidents must be reported to the IT or security team right away. To prevent similar attacks, always open Zoom from the installed application, type zoom.us manually into your browser, and treat any unexpected meeting link with caution before clicking.
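The host checks the article recommends, written here as an added PowerShell triage script; it is not part of the article and not a Malwarebytes or Teramind tool. It assumes the hash, folder, service and binary names from the IoC table, checks each user's Downloads folder for the dropped installer, and only reports findings without deleting anything.

```powershell
# Added triage script (not from the article); checks a Windows host for the campaign's indicators.
# Run from an elevated PowerShell 5.1+ prompt so services and process paths are readable.
$Ioc = @{
    Sha256      = '644EF9F5EEA1D6A2BC39A62627EE3C7114A14E7050BAFAB8A76B9AA8069425FA'
    InstallPath = 'C:\ProgramData\{4CEC2908-5CE4-48F0-A717-8FC833D8017A}'
    Service     = 'tsvchst'
}
$findings = @()

# 1. The hidden install folder named in the IoC table
if (Test-Path -LiteralPath $Ioc.InstallPath) {
    $findings += "Install folder present: $($Ioc.InstallPath)"
}

# 2. The persistence service
$svc = Get-Service -Name $Ioc.Service -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service '$($Ioc.Service)' found, status: $($svc.Status)"
}

# 3. The agent masquerades as dwm.exe; the legitimate Desktop Window Manager runs from
#    C:\Windows\System32, so any dwm.exe under C:\ProgramData is worth a look.
Get-Process -Name 'dwm' -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -like 'C:\ProgramData\*' } |
    ForEach-Object { $findings += "Suspicious process $($_.Id): $($_.Path)" }

# 4. The downloaded installer, matched by SHA-256 rather than by its file name
Get-ChildItem -Path 'C:\Users\*\Downloads\*.msi' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        if ($hash -eq $Ioc.Sha256) { $findings += "Installer matches IoC hash: $($_.FullName)" }
    }

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this campaign found on this host.'
} else {
    Write-Output 'Indicators found; treat the device as compromised and escalate:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

A match on any of the four checks is the cue to follow the article's advice: stop using the device and rotate credentials from a separate, clean machine.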
IoCs
Type: Value
File Hash (SHA-256): 644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa
Malicious Domain: uswebzoomus[.]com
Teramind Instance ID: 941afee582cc71135202939296679e229dd7cced
Malicious File Name: zoom_agent_x64_s-i(__941afee582cc71135202939296679e229dd7cced)(1).msi
Agent Binary Name: dwm.exe
Installation Path: C:\ProgramData\{4CEC2908-5CE4-48F0-A717-8FC833D8017A}
Persistence Service: tsvchst
The post Zoom Update Scam Infected 1,437 Users to Deploy Surveillance Tools in 12 Days appeared first on Cyber Security News.