A sophisticated phishing campaign is targeting Zoom users, employing a fake website to trick individuals into downloading surveillance software. In a mere 12 days, this elaborate scheme, detected on February 11, 2026, infected 1,437 Windows users worldwide, turning legitimate workforce monitoring tools into potent spyware. The campaign highlights a growing trend of attackers leveraging legitimate software for malicious purposes, making detection by traditional antivirus solutions challenging.
The operation was first flagged by Microsoft Defender for Endpoint (MDE) and subsequently detailed by Malwarebytes analysts on February 24, 2026. The attackers built a fraudulent Zoom waiting room page at `uswebzoomus[.]com/zoom/` that closely mimics the official Zoom interface. The tactic trades on users' trust in and familiarity with the video conferencing platform to get them to install surveillance software on their own devices.
The Elaborate Deception of the Fake Zoom Update
Upon landing on the fake Zoom page, visitors are met with a seemingly typical waiting room scenario. Three scripted participants, “Matthew Karlsson,” “James Whitmore,” and “Sarah Chen,” appear to join the call one after another, accompanied by realistic Zoom chimes and looped background conversation audio. The scripted participants and audio load only after a real person interacts with the page, so automated scanners that fetch the page without clicking or scrolling never see the lure and classify it as benign.
The core of the deception lies in psychological manipulation. A persistent “Network Issue” banner is hardcoded onto the fake call page, intentionally creating frustration with choppy audio and frozen video. After approximately ten seconds, a pop-up appears, announcing “Update Available — A new version is available for download,” with a non-closable five-second countdown. This countdown instills a sense of urgency, prompting users to act without critical evaluation.
When the countdown concludes, the browser silently initiates the download of a malicious installer. Simultaneously, the page overlays a simulated Microsoft Store screen, displaying “Zoom Workplace” in the process of installation as a convincing visual distraction. Meanwhile, the actual payload, a file named `zoom_agent_x64_s-i(__941afee582cc71135202939296679e229dd7cced)(1).msi` with SHA-256 hash `644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa`, is downloaded to the victim’s Downloads folder without any explicit permission request.
Stealthy Deployment of Teramind for Surveillance
What makes this campaign particularly insidious is the attackers’ decision not to develop custom malware. Instead, they weaponized a preconfigured, rogue version of Teramind, a legitimate commercial workforce monitoring tool. Teramind has officially confirmed no affiliation with the threat actors and has not authorized the use of its software in any capacity. This approach leverages Teramind’s built-in stealth deployment features, which are designed to operate without visible taskbar icons, system tray entries, or presence in the list of installed programs.
The installer’s internal build path contains `out_stealth`, confirming it was built for invisible execution. Once the MSI runs through Windows Installer, the Teramind agent collects basic host fingerprinting data (computer name, active user account, keyboard language and system locale) and transmits it to an attacker-controlled Teramind server. The agent binary is named `dwm.exe`, borrowing the name of the legitimate Desktop Window Manager, and lives in a hidden folder at `C:\ProgramData\{4CEC2908-5CE4-48F0-A717-8FC833D8017A}`. The genuine `dwm.exe` runs from `C:\Windows\System32`, so a copy running from anywhere else is a useful hunting signal.
Furthermore, the installer incorporates sophisticated anti-analysis techniques, such as debug environment detection. If it suspects it is running within a security researcher’s sandbox, it can alter its behavior to evade detection. Post-installation, it meticulously deletes its own temporary staging files, erasing readily apparent traces of its presence. However, the monitoring agent continues to operate in the background, silently logging keystrokes, capturing screenshots, tracking web activity, monitoring clipboard contents, and recording file transfers.
Because the payload is legitimate commercial software, antivirus products that rely solely on known-malicious signatures may not flag it. Security teams should add the SHA-256 hash and the domain `uswebzoomus[.]com` to their tenant block lists immediately. Users who visited the fake Zoom page but did not download the file should remain cautious; anyone who ran the installer should treat the device as compromised. Immediate steps: check for the hidden installation folder, check whether a service named `tsvchst` exists and is running, and change all critical passwords (email, banking and work accounts) from a separate device confirmed to be clean, since a keylogger on the compromised machine would capture the new credentials as they are typed. Work-related compromises must be reported to the IT or security team promptly.
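The host checks above, written out as a read-only PowerShell triage script. This is an added example and not part of the Malwarebytes report or of any Teramind tooling; it assumes the IoCs in the table on this page are accurate. The Downloads-folder hash sweep, the MsiInstaller event-log query (event IDs 1033 and 11707 are the standard "product installed" and "installation completed successfully" records) and the DNS-cache lookup go beyond the steps listed above; the System32 location of the genuine `dwm.exe` is standard Windows behaviour, not something the report states.

```powershell
# Added triage example: checks one Windows host for the IoCs on this page.
# Run from an elevated PowerShell prompt. Read-only: it reports, it does not remediate.

$IocHash    = '644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa'
$IocDomain  = 'uswebzoomus.com'
$IocGuid    = '4CEC2908-5CE4-48F0-A717-8FC833D8017A'
$IocFolder  = "C:\ProgramData\{$IocGuid}"
$IocService = 'tsvchst'
$Findings   = [System.Collections.Generic.List[string]]::new()

# 1. Hidden agent folder. Test-Path sees hidden folders; -Force is needed to list hidden files.
if (Test-Path -LiteralPath $IocFolder) {
    $Findings.Add("Agent folder present: $IocFolder")
    Get-ChildItem -LiteralPath $IocFolder -Force -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { $Findings.Add("  file: $($_.FullName)") }
}

# 2. dwm.exe running from anywhere other than System32 (assumption: genuine DWM path).
#    Process paths of other users' sessions are only visible when elevated.
Get-Process -Name dwm -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_.Path
    if ($p -and ($p -ne "$env:SystemRoot\System32\dwm.exe")) {
        $Findings.Add("dwm.exe running from unexpected path: $p (PID $($_.Id))")
    }
}

# 3. The persistence service by name. Win32_Service exposes the binary path; Get-Service does not.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$IocService'" -ErrorAction SilentlyContinue
if ($svc) {
    $Findings.Add("Service $($svc.Name) state=$($svc.State) start=$($svc.StartMode) path=$($svc.PathName)")
}

# 4. Any service whose binary points into the agent folder, in case the service name differs.
Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue |
    Where-Object { $_.PathName -like "*$IocGuid*" } |
    ForEach-Object { $Findings.Add("Service $($_.Name) points into agent folder: $($_.PathName)") }

# 5. The dropped MSI. Hash every .msi in every user's Downloads rather than trusting the file name
#    (the attacker can rename the file; the hash is the IoC). -eq is case-insensitive in PowerShell.
Get-ChildItem -Path 'C:\Users\*\Downloads' -Filter '*.msi' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        if ($h -eq $IocHash) {
            $Findings.Add("IoC MSI on disk: $($_.FullName)")
        } elseif ($_.Name -like 'zoom_agent*') {
            $Findings.Add("zoom_agent-named MSI with a different hash (new build?): $($_.FullName) $h")
        }
    }

# 6. Windows Installer writes an audit trail even though the agent hides itself afterwards.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = @(1033, 11707) } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'zoom_agent|Teramind|tsvchst' } |
    ForEach-Object { $Findings.Add("MsiInstaller event $($_.Id) at $($_.TimeCreated): $(($_.Message -split "`r?`n")[0])") }

# 7. Resolver cache: a hit means something on this host resolved the lure domain recently.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*$IocDomain*" } |
    ForEach-Object { $Findings.Add("DNS cache entry: $($_.Entry) -> $($_.Data)") }

if ($Findings.Count -eq 0) {
    'No IoCs from this campaign found on this host.'
} else {
    'POSSIBLE COMPROMISE - isolate the host and escalate:'
    $Findings | ForEach-Object { "  $_" }
}
```

A clean result from this script is not proof of a clean host: the report notes the installer deletes its staging files, and a later build of the lure could use a different hash, GUID or service name. Treat a hit on any single check as sufficient to isolate the machine and follow the password-rotation guidance above from a separate device.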
To mitigate the risk of similar attacks, users should always launch Zoom directly from their installed application. When accessing Zoom links via a browser, it is best practice to manually type `zoom.us` into the address bar. Any unexpected meeting links should be approached with extreme skepticism before clicking, ensuring the source is verified as legitimate.
Indicators of Compromise (IoCs)
| Type | Value |
|---|---|
| File Hash (SHA-256) | `644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa` |
| Malicious Domain | `uswebzoomus[.]com` |
| Teramind Instance ID | `941afee582cc71135202939296679e229dd7cced` |
| Malicious File Name | `zoom_agent_x64_s-i(__941afee582cc71135202939296679e229dd7cced)(1).msi` |
| Agent Binary Name | `dwm.exe` |
| Installation Path | `C:\ProgramData\{4CEC2908-5CE4-48F0-A717-8FC833D8017A}` |
| Persistence Service | `tsvchst` |