Fake Zoom Update Infects 1,437 in Days

A new scam is targeting Zoom users by exploiting trust in meeting invitations.

In just twelve days, 1,437 Windows users downloaded a malicious file after visiting a fake Zoom meeting page. What looked like a routine update turned into silent surveillance.

How the Scam Works

The attack begins with a fake domain designed to closely resemble Zoom’s official website.

When opened, the page displays a realistic Zoom waiting room. Fake participants join the meeting one by one. Background sounds and meeting chimes play to create authenticity.

Everything feels normal.

Then a “Network Issue” message appears on the screen.

This is intentional. The warning creates urgency and makes users believe their Zoom session requires a fix.

The Fake Update Trap

Shortly after the “network issue” appears, users see an “Update Available” pop-up.

A countdown timer starts. There is no option to close it.

Within seconds, a file downloads automatically. The page even switches to what looks like a Microsoft Store installation screen for “Zoom Workplace,” reinforcing the illusion.

But the downloaded file is not a Zoom update.

It is a modified Teramind monitoring agent — a legitimate employee surveillance tool — preconfigured to send data to attacker-controlled servers.

Once executed, the installer:

• Runs silently in the background
• Installs under a hidden system directory
• Uses legitimate Teramind binaries
• Avoids detection because the software itself is genuine

The tool operates in stealth mode, meaning no visible icons or program listings appear.

After installation, it begins collecting:

• Keystrokes
• Screen activity
• Application usage
• Clipboard content

It also includes anti-analysis techniques, behaving differently in sandbox or research environments.

Because it uses authentic software components, many antivirus tools fail to immediately flag it.

Why This Attack Is Effective

This campaign does not rely on sophisticated exploits.

It relies on timing and psychology.

Within 30 seconds, victims believe they are simply fixing a Zoom glitch. The interactive design even prevents automated security scanners from easily detecting the malicious behavior.

Instead of building new malware, attackers are misusing trusted corporate monitoring software.

That makes detection harder — and the deception more convincing.

What To Do If You Suspect Infection

If you visited the fake site or downloaded the file:

• Do not run the installer
• Check for unusual hidden folders in the ProgramData directory
• Review active background services for unknown entries
• Change passwords from a clean device
• Contact your IT or security team immediately
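One way to carry out the checks above on a suspect host, as an added example that is not part of the original article: it assumes PowerShell 5.1 or later from an elevated prompt, the download locations searched are an assumption, and the hash and domain are the ones from the article's IOC table.

```powershell
# Added triage example, not from the original article. Assumes PowerShell 5.1 or later,
# run from an elevated prompt on the suspect Windows host. Hash and domain are the IOCs
# from the article's table; the search paths are an assumption, not stated by the article.
$IocHash   = '644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa'
$IocDomain = 'uswebzoomus.com'   # listed de-fanged in the table as uswebzoomus[.]com

# 1. Look for the downloaded installer by SHA-256 in likely download locations.
#    Hashing is reliable here because the IOC is a file hash, not a filename.
$searchRoots = @("$env:USERPROFILE\Downloads", $env:TEMP)
Get-ChildItem -Path $searchRoots -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($h -and $h.Hash -ieq $IocHash) { Write-Warning "IOC hash match: $($_.FullName)" }
    }

# 2. Hidden directories directly under ProgramData (the article says the agent installs
#    under a hidden system directory). Legitimate products also create hidden folders here,
#    so this is a review list, not a verdict; sort newest first to surface recent installs.
Get-ChildItem -Path $env:ProgramData -Directory -Hidden -ErrorAction SilentlyContinue |
    Sort-Object CreationTime -Descending |
    Select-Object FullName, CreationTime, LastWriteTime |
    Format-Table -AutoSize

# 3. Background services whose binary lives under ProgramData, or that reference Teramind.
#    A genuine, company-deployed Teramind agent would match too; confirm with your IT team.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like "*$env:ProgramData*" -or
                   $_.PathName -match 'teramind' -or $_.Name -match 'teramind' } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize -Wrap

# 4. Did this host resolve the lure domain? The DNS client cache is volatile, so an empty
#    result does not clear the host; a hit shows the fake meeting page was visited.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*$IocDomain*" -or $_.Name -like "*$IocDomain*" } |
    Select-Object Entry, Name, Data
```

Run it before changing passwords so the findings can be handed to your security team together with the time of the download.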

Indicators of Compromise (IOCs)

Indicator Type       | Value
File Hash (SHA-256)  | 644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa
Domain               | uswebzoomus[.]com
Teramind Instance ID | 941afee582cc71135202939296679e229dd7cced

About the Author:

FirstHackersNews - Identifies Security
