Security researchers have documented an active phishing campaign that uses convincing clones of Zoom and Google Meet waiting rooms to trick users into installing remote monitoring software on Windows systems.
While many phishing attacks use custom-built malware, this campaign uses a legitimate, commercially available employee monitoring tool. In this instance, the tool is being repurposed by unauthorized third parties to spy on victims who believe they are simply joining a professional video call or installing a required update.
The Mechanism of the Attack
The scam typically begins with a phishing link disguised as a meeting invitation. Upon clicking, the user is directed to a page that mimics a Zoom waiting room, complete with audio cues of other participants joining to create a sense of legitimacy.
The page simulates technical difficulties, eventually prompting the user to download an “update” to fix the connection. Once the installer is executed, it silently deploys a monitoring agent in “stealth mode.”
Technical Capabilities of the Tool
According to research from Malwarebytes, the software is configured to run without any visible icons or notifications. Once active, the tool provides the unauthorized operators with extensive access to the device, including:
- Keystroke logging and clipboard monitoring.
- Real-time screenshots and screen recording.
- Browsing history and application usage tracking.
- File system access and remote telemetry.
The researchers noted that the installer uses a specific configuration to hide from the Windows Programs list and the system tray, making it difficult for an average user to detect. The agent also creates persistent services, tsvchst and pmon, which are configured to restart automatically if terminated.
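The two persistence properties described above, a pair of named services that restart on termination and an install that keeps itself out of the Programs list, can be checked directly on a suspect Windows host. The following triage script is an added example and is not part of the article or the Malwarebytes research; it assumes only that the services are registered under the names tsvchst and pmon as stated, and treats a hit as a lead for an analyst rather than a verdict.

```powershell
# Added triage script (not from the article or Malwarebytes). Assumption: the
# persistent services are registered as 'tsvchst' and 'pmon' as the article
# states; everything else is standard Windows service and registry inspection.
$SuspectServices = @('tsvchst', 'pmon')

function Get-SuspectServiceReport {
    param([string[]]$Names = $SuspectServices)
    foreach ($name in $Names) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        if (-not $svc) {
            [pscustomobject]@{ Name = $name; Present = $false }
            continue
        }
        # sc.exe qfailure prints the service recovery actions; an agent that is
        # configured to restart itself when terminated shows RESTART entries here.
        $failure = (& sc.exe qfailure $name 2>$null) -join ' '
        [pscustomobject]@{
            Name        = $svc.Name
            Present     = $true
            State       = $svc.State
            StartMode   = $svc.StartMode
            BinaryPath  = $svc.PathName
            AutoRestart = [bool]($failure -match 'RESTART')
        }
    }
}

function Test-UninstallEntryPresent {
    param([string]$BinaryPath)
    # The article says the installer hides from the Programs list, so a running
    # service whose binary directory has no Uninstall entry is worth a closer look.
    if (-not $BinaryPath) { return $false }
    $exe = if ($BinaryPath -match '^"?([^"]+?\.exe)') { $Matches[1] } else { $BinaryPath }
    $dir = (Split-Path $exe -Parent).TrimEnd('\')
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entries = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue
    $hit = $entries | Where-Object {
        $_.InstallLocation -and
        $dir.StartsWith($_.InstallLocation.TrimEnd('\'), [System.StringComparison]::OrdinalIgnoreCase)
    }
    return [bool]$hit
}

# Report each suspect service with its restart policy and whether any
# Add/Remove Programs entry points at the directory its binary runs from.
foreach ($r in Get-SuspectServiceReport) {
    if ($r.Present) {
        $r | Add-Member -NotePropertyName InProgramsList `
            -NotePropertyValue (Test-UninstallEntryPresent $r.BinaryPath) -PassThru
    } else { $r }
}
```

A present service with AutoRestart true and InProgramsList false matches the behaviour the researchers describe and should be escalated with the BinaryPath for hash and signer review.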
Expansion to Google Meet
While the campaign initially focused on Zoom, a second variant has been identified targeting Google Meet users. This version uses a fake Microsoft Store interface to deliver the same monitoring payload. The infrastructure behind both variants appears identical, suggesting a single coordinated operation.
Editorial Note
Editor’s Note: This article has been updated to remove the name of the software vendor originally cited in the research following a legal dispute regarding the characterization of their enterprise platform. The underlying research regarding the phishing campaign remains attributed to Malwarebytes.