Fake Zoom Update Scam Deploys Spyware on 1,400+ PCs Worldwide in Just 12 Days

Fake Zoom Update Scam Infects Over 1,400 Users with Surveillance Software in Under Two Weeks

In a recent cyberattack, a counterfeit Zoom website has been used to deploy surveillance software onto Windows computers, compromising 1,437 users worldwide within a span of just 12 days. This campaign, first identified on February 11, 2026, by the Microsoft Defender for Endpoint (MDE) platform, utilized a rogue version of Teramind—a legitimate workforce monitoring tool—to clandestinely monitor victims. Teramind has confirmed that it has no connection with the attackers and did not authorize the misuse of its software.

Deceptive Tactics Employed

The attack initiates when a user visits uswebzoomus[.]com/zoom/, a fraudulent site designed to mimic an authentic Zoom waiting room. Upon accessing the page, it discreetly notifies the attackers of the visitor’s presence. The site then simulates a meeting environment by introducing three fictitious participants—“Matthew Karlsson,” “James Whitmore,” and “Sarah Chen”—each joining the call sequentially, accompanied by realistic Zoom notification sounds and looped conversation audio. This sequence is triggered only when a real user interacts with the page, thereby evading detection by automated security scanners that do not engage with the content.

Malwarebytes analysts reported this campaign on February 24, 2026, highlighting that the operation relies more on psychological manipulation than on advanced technical exploits. A persistent “Network Issue” banner is intentionally embedded on the fake call page, creating an illusion of technical problems. The resulting choppy audio and frozen video feed frustrate users, leading them to believe their Zoom application is malfunctioning. Approximately ten seconds later, a pop-up appears stating, “Update Available — A new version is available for download,” accompanied by a five-second countdown and no option to dismiss it.

Once the countdown reaches zero, the browser automatically downloads a malicious installer. Simultaneously, the page displays a counterfeit Microsoft Store screen indicating that “Zoom Workplace” is being installed, serving as a convincing distraction while the actual payload is saved to the Downloads folder without any permission prompts.

Technical Details of the Malicious Installer

The downloaded file, named `zoom_agent_x64_s-i(__941afee582cc71135202939296679e229dd7cced)(1).msi`, has a SHA-256 hash of `644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa`. At the time of discovery, Microsoft Defender did not flag this file on VirusTotal, leaving users without any warning signs.

What makes this campaign particularly insidious is that the attackers did not develop custom malware. Instead, they deployed a preconfigured Teramind agent built with the product’s stealth deployment option, which runs without a taskbar icon, system tray entry, or visible entry in the installed programs list.

Stealth Mechanisms and Data Collection

The installer’s internal build path includes the folder name `out_stealth`, indicating it was specifically compiled for covert operation. Once executed via Windows Installer, the agent gathers information such as the computer name, active user account, keyboard language, and system locale, transmitting all activity back to an attacker-controlled Teramind server.

The agent binary is named `dwm.exe` and installs itself under `C:\ProgramData\{4CEC2908-5CE4-48F0-A717-8FC833D8017A}`. The installer is also equipped to detect sandbox environments used by security researchers—a technique known as debug environment detection (`DETECT_DEBUG_ENVIRONMENT`). If it suspects analysis, the installer can modify its behavior to avoid triggering security tools. After installation, it deletes its temporary staging files to erase obvious traces.

Despite these measures, the monitoring agent continues to run silently, logging keystrokes, capturing screenshots, and recording web activity, clipboard contents, and file transfers.

Recommendations for Users and Organizations

Given that the files originate from a legitimate commercial product, traditional antivirus tools relying on known malicious signatures may not detect this threat. Security teams should promptly add the SHA-256 hash and the domain `uswebzoomus[.]com` to their block lists.

Users who visited the fake Zoom page should refrain from opening the downloaded file. Those who have already executed the installer should consider their device compromised, check for the hidden folder under `C:\ProgramData`, verify whether the `tsvchst` service is running, and change all passwords—including email, banking, and work accounts—from a separate, clean device.

Work-related incidents must be reported to the IT or security team immediately. To prevent similar attacks, always open Zoom from the installed application, manually type `zoom.us` into your browser, and exercise caution with any unexpected meeting links before clicking.
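The host checks recommended above (installer hash, hidden `C:\ProgramData` folder, `tsvchst` service, `dwm.exe` agent) as a single triage script. This is an added example, not the article's or Teramind's code; it assumes an elevated PowerShell session on the suspect Windows host and uses only the IoCs stated in the article.

```powershell
# Added triage example (not from the article): checks a Windows host for the
# fake Zoom / rogue Teramind IoCs described above. Run elevated.
$IocHash    = '644EF9F5EEA1D6A2BC39A62627EE3C7114A14E7050BAFAB8A76B9AA8069425FA'
$IocFolder  = 'C:\ProgramData\{4CEC2908-5CE4-48F0-A717-8FC833D8017A}'
$IocService = 'tsvchst'
$IocDomain  = 'uswebzoomus.com'
$findings   = @()

# 1. Downloaded installer: hash every .msi in each profile's Downloads folder.
Get-ChildItem -Path 'C:\Users\*\Downloads' -Filter '*.msi' -File -ErrorAction SilentlyContinue |
  ForEach-Object {
    $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    if ($h -eq $IocHash) { $findings += "Installer matches IoC hash: $($_.FullName)" }
  }

# 2. Hidden installation folder and the agent binary dwm.exe inside it.
#    -LiteralPath because the GUID folder name contains braces.
if (Test-Path -LiteralPath $IocFolder) {
  $findings += "IoC folder present: $IocFolder"
  Get-ChildItem -LiteralPath $IocFolder -Recurse -Filter 'dwm.exe' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Agent binary present: $($_.FullName)" }
}

# 3. Persistence service named in the article.
$svc = Get-Service -Name $IocService -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service '$IocService' exists, status: $($svc.Status)" }

# 4. dwm.exe is also a legitimate Windows binary (Desktop Window Manager in
#    System32), so flag only copies running from any other location.
Get-Process -Name 'dwm' -ErrorAction SilentlyContinue |
  Where-Object { $_.Path -and ($_.Path -notlike "$env:SystemRoot\System32\*") } |
  ForEach-Object { $findings += "dwm.exe running from unexpected path: $($_.Path)" }

# 5. Best-effort: cached DNS resolution of the lure domain (cache may have rotated).
$dns = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like "*$IocDomain*" }
if ($dns) { $findings += "DNS cache entry for $IocDomain" }

if ($findings.Count -eq 0) { 'No IoC matches found.' } else { $findings }
```

A match on any item means the host should be treated as compromised per the guidance above; the absence of matches does not prove the host is clean, since the installer removes its staging files and the hash covers only this one build.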

Indicators of Compromise (IoCs):

– File Hash (SHA-256): `644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa`
– Malicious Domain: `uswebzoomus[.]com`
– Teramind Instance ID: `941afee582cc71135202939296679e229dd7cced`
– Malicious File Name: `zoom_agent_x64_s-i(__941afee582cc71135202939296679e229dd7cced)(1).msi`
– Agent Binary Name: `dwm.exe`
– Installation Path: `C:\ProgramData\{4CEC2908-5CE4-48F0-A717-8FC833D8017A}`
– Persistence Service: `tsvchst`