A dangerous new scam is targeting Zoom users by exploiting their trust in video meeting invites. Over just twelve days, 1,437 Windows users unknowingly installed a malicious version of the Teramind monitoring agent after visiting a fake Zoom meeting page designed to trigger silent downloads.
The operation starts at uswebzoomus[.]com/zoom/, a domain mimicking Zoom’s legitimate interface. When opened, it displays a fake waiting room that replicates real Zoom behavior.
Synthetic participants named “Matthew Karlsson,” “James Whitmore,” and “Sarah Chen” join the call one by one, accompanied by realistic audio and chime sounds looping in the background.
According to the report, the fake Zoom meeting website is silently pushing surveillance software onto Windows machines. A permanent “Network Issue” warning overlays the main tile, suggesting a lagging connection.
This intentional visual glitch primes victims to expect a fix, making them more likely to trust any “update” that follows. The deception is interactive: the audio and video activity start only after user input, evading automated security crawlers that don’t click or type.
Zoom Update Scam
Within seconds, users see an “Update Available” pop-up with a five-second countdown and no option to close it. When the timer hits zero, the site automatically downloads a file named zoom_agent_x64_s-i(__941afee582cc71135202939296679e229dd7cced).msi.
Simultaneously, the webpage switches to what appears to be the Microsoft Store showing “Zoom Workplace” installing.
While the graphic seems to indicate a harmless software update, the real installer already in the system’s Downloads folder is quietly executed without consent.
Security researchers found the installer’s internal labels “Agent version 26.3.3403” and “Server IP or host name,” confirming it as a preconfigured Teramind agent pointing to attacker-controlled servers.
The rogue MSI package uses Teramind’s legitimate stealth instance naming convention and installs as dwm.exe under the hidden C:\ProgramData\{GUID} directory.
Teramind’s “stealth mode” removes visible traces (no icons or program listings), allowing full background surveillance. Once deployed, the agent begins relaying user activity, including keystrokes, screenshots, application usage, and clipboard content, to the attackers.
The fake installer includes debug and sandbox evasion checks, designed to behave differently when analyzed, making research harder. After setup, it deletes its temporary files and continues operating silently as a background service.
Because it uses authentic Teramind binaries, many antivirus tools fail to flag it as malicious.
What victims can do
If you visited the fake site or downloaded the MSI file:
- Do not run it.
- If installed, check C:\ProgramData\{4CEC2908-5CE4-48F0-A717-8FC833D8017A} for traces.
- In Command Prompt (as admin), run sc query tsvchst; if STATE: 4 RUNNING appears, the agent is active.
- Change passwords from a clean device and contact IT for remediation.
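The checks in the list above, collected into one PowerShell triage script. This is an added example, not code from the article or from Teramind; it assumes an elevated PowerShell session and uses only the directory, service name and SHA-256 hash the article reports.

```powershell
# Added triage script (not from the original article): looks for the
# indicators this article lists on the local Windows host. Assumes an
# elevated PowerShell session. All values below come from the article.
$IocHash     = '644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa'
$IocGuidDir  = Join-Path $env:ProgramData '{4CEC2908-5CE4-48F0-A717-8FC833D8017A}'
$ServiceName = 'tsvchst'
$findings    = @()

# 1. Hidden per-instance directory under ProgramData (the GUID from the article).
if (Test-Path -LiteralPath $IocGuidDir) {
    $findings += "Instance directory present: $IocGuidDir"
}

# 2. dwm.exe anywhere under ProgramData. The legitimate Desktop Window Manager
#    lives in System32, so a copy under ProgramData is suspicious on its own.
Get-ChildItem -Path $env:ProgramData -Filter 'dwm.exe' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "dwm.exe outside System32: $($_.FullName)" }

# 3. Service state, the PowerShell equivalent of the article's 'sc query tsvchst'.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service '$ServiceName' exists, status: $($svc.Status)"
}

# 4. Downloaded installer: hash every zoom_agent*.msi in Downloads and compare
#    it with the SHA-256 from the IOC table.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
Get-ChildItem -Path $downloads -Filter 'zoom_agent*.msi' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash.ToLower()
        if ($h -eq $IocHash) { $findings += "Known-bad MSI: $($_.FullName)" }
        else { $findings += "Unrecognised zoom_agent MSI (hash $h): $($_.FullName)" }
    }

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this campaign found on this host.'
} else {
    Write-Output 'Indicators found; isolate the host and follow the remediation steps above:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

A service that exists but is stopped, or a dwm.exe under ProgramData with a different hash, still warrants a closer look, since the hash in the IOC table covers only the installer seen in this campaign.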
This campaign highlights a growing threat: abuse of legitimate, trusted software for malicious surveillance. Rather than building new malware, attackers are misusing corporate monitoring tools to spy on individuals.
What makes the scheme effective is timing: within 30 seconds, victims believe they’re just fixing a Zoom glitch.
Security professionals stress a simple safeguard: always access meetings by typing zoom.us directly, never from unsolicited links. A quick check could be the difference between a routine call and a full-scale privacy breach.
Indicators of Compromise (IOCs)
| Indicator Type | Value |
|---|---|
| File Hash (SHA-256) | 644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa |
| Domain | uswebzoomus[.]com |
| Teramind Instance ID | 941afee582cc71135202939296679e229dd7cced |