By Cobi Aloia, Cofense Phishing Defense Center
As with most things, change is inevitable - especially for threat actors operating in a rapidly evolving threat landscape. What starts as a familiar Zoom invite can quickly escalate into a full-blown compromise. Recently, the Cofense Phishing Defense Center (PDC) has observed a shift in which traditional credential-harvesting phishing campaigns and familiar social engineering tactics are increasingly being repurposed to deliver more significant threats, including malware and unauthorized remote access.
In this campaign, adversaries impersonate the widely used communications platform Zoom to lure victims into downloading ConnectWise ScreenConnect - a legitimate remote monitoring and management (RMM) tool that threat actors frequently abuse. Once installed, ScreenConnect enables attackers to harvest sensitive data and credentials, establish persistent remote access, deploy secondary malware (such as ransomware), and conduct follow-on malicious activity and reconnaissance from a trusted foothold.
Figure 1: Email Body
In the email body illustrated above, a basic text-only message is presented with no official branding or design elements. For users familiar with legitimate Zoom meeting invitations, the contrast with an authentic invite is stark. The "Join here" text, together with the additional "JOIN ZOOM MEETING" line, is hyperlinked to direct the victim to the spoofed Zoom-branded landing page shown in Figure 2.
Figure 2: Landing Page
Upon clicking the hyperlink in the email body, the user is directed to the page displayed in Figure 2. This spoofed page features Zoom branding, including the favicon and the page title shown in the browser tab. Additionally, the URL has been structured to mimic the format of legitimate Zoom meeting URLs. The page briefly displays a "Preparing your meeting experience..." message before loading the Join Meeting interaction shown in Figure 3.
Figure 3: Join Meeting Page
The page shown above features a very convincing interactive prompt to join the fraudulent meeting, once again disguised as a legitimate Zoom invitation. Subtle details such as the number of people expected to join, the meeting host's name and position, a fake meeting ID, and the length of the meeting are all included to reinforce the deception. The page even triggers a browser request to allow or deny microphone usage, mirroring what happens when joining a real Zoom meeting.
Figure 4: Meeting Page
Upon joining the meeting, the user is presented with an interface that again heavily mimics that of a legitimate Zoom meeting. Cunningly, the threat actor goes as far as playing a distorted audio track for the meeting host to make it seem real, as audio issues are a common occurrence that users face during such meetings. This tactic is designed to further exploit victims' trust and reinforce the illusion of legitimacy.
Figure 5: Update
Figure 6: Update Download
After a few seconds pass, a popup appears (Figure 5), notifying the user that an update is available and is being downloaded automatically. The victim is then redirected to a separate page with instructions for running the "update". This page is once again branded to resemble Zoom's UI, and the download name "_zoommeeting_Zoom_installer_64_bit.exe.vbs" masquerades as a Zoom installer; most users would see this name and not even recognize the .VBS (Visual Basic Script) extension.
Figure 7: VBS Script
The downloaded .VBS file acts as a lightweight downloader for the next-stage payload. Opened in Notepad, the script reveals a hardcoded URL pointing to 212[.]11[.]64[.]45, where a ScreenConnect.ClientSetup.msi installer is hosted. The URL also includes multiple references to Zoom, which helps the payload blend into the overall Zoom-themed lure.
Once executed, the script downloads the ScreenConnect installer, saves it to the user’s %TEMP% directory, and launches it using Windows Script Host. The file is executed in a hidden window, reducing the chance that the user will notice anything unusual.
In short, the VBS file is not complex malware by itself. Its purpose is to quietly retrieve and run a legitimate remote access tool, ScreenConnect, which can then give the attacker interactive access to the victim’s system.
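As an added illustration that is not code from the Cofense post, the following Python sketch checks process-creation events for the two behaviours described above: a script host (wscript.exe/cscript.exe) launching a double-extension file such as installer.exe.vbs, and msiexec.exe spawned by a script host to install an MSI from a Temp folder. The sample events are constructed and use a simplified (parent image, image, command line) tuple rather than any specific log format.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (parent image, image, command line).
# They imitate the chain described in the post; they are not taken from it.
SAMPLE_EVENTS = [
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\wscript.exe",
     'wscript.exe "C:\\Users\\alice\\Downloads\\_zoommeeting_Zoom_installer_64_bit.exe.vbs"'),
    ("C:\\Windows\\System32\\wscript.exe", "C:\\Windows\\System32\\msiexec.exe",
     'msiexec.exe /i "C:\\Users\\alice\\AppData\\Local\\Temp\\ScreenConnect.ClientSetup.msi" /qn'),
    # Benign: an MSI run by the user from Explorer, not from a script host.
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\msiexec.exe",
     'msiexec.exe /i "C:\\Users\\alice\\Downloads\\SomeApp.msi"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}
# Extensions a script name may borrow to look like a normal file ("installer.exe.vbs").
LOOKALIKE_EXTS = {".exe", ".msi", ".pdf", ".doc", ".docx", ".zip"}

def is_double_extension_script(path: str) -> bool:
    """True for names such as installer.exe.vbs: a script extension after a lookalike one."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in SCRIPT_EXTS and suffixes[-2] in LOOKALIKE_EXTS

def quoted_paths(command_line: str) -> list:
    """Return the double-quoted arguments of a command line (usually file paths)."""
    return re.findall(r'"([^"]+)"', command_line)

def classify(parent_image: str, image: str, command_line: str) -> list:
    """Return the detection names that fire for one process-creation event."""
    image_name = PureWindowsPath(image).name.lower()
    parent_name = PureWindowsPath(parent_image).name.lower()
    paths = quoted_paths(command_line)
    findings = []
    if image_name in SCRIPT_HOSTS and any(is_double_extension_script(p) for p in paths):
        findings.append("script_host_double_extension")
    if image_name == "msiexec.exe" and parent_name in SCRIPT_HOSTS and any(
            p.lower().endswith(".msi") and "\\temp\\" in p.lower() for p in paths):
        findings.append("msi_from_temp_via_script_host")
    return findings

def scan(events) -> dict:
    """Map event index -> findings for the events that triggered anything."""
    classified = ((i, classify(*e)) for i, e in enumerate(events))
    return {i: f for i, f in classified if f}
```

Running scan(SAMPLE_EVENTS) flags the first two events and leaves the Explorer-launched MSI alone; in practice the same checks map onto Sysmon Event ID 1 or Windows Security 4688 fields.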
Figure 8: Processes
Figure 9: Temp Folder
Upon execution of the .VBS script, the downloaded MSI installer can be observed in the running processes shown in Figure 8, and the saved payload location in %TEMP% is shown in Figure 9.

This campaign highlights the continued evolution of phishing operations from simple credential theft toward multi-stage social engineering workflows designed to establish persistent remote access. By combining a convincing Zoom spoof, realistic meeting interactions, and a themed fake software update, the threat actor creates a highly believable ruse that lowers suspicion at every stage of the attack.
The use of ConnectWise ScreenConnect as the final payload is particularly effective because it leverages a legitimate and widely trusted RMM solution rather than a traditional malware family. This allows attackers to blend malicious activity with expected enterprise administration behavior while enabling credential theft, internal reconnaissance, lateral movement, and the deployment of secondary payloads such as ransomware. As threat actors continue to weaponize trusted platforms such as Zoom and legitimate administrative tools like ConnectWise ScreenConnect, rapid detection and response remain critical to reducing organizational risk.
With Cofense Managed Phishing Detection and Response (MPDR), organizations can stop threats in their tracks with a 99.9% accuracy rate and an average response time of just 8 minutes. Contact us today to learn how Cofense can help strengthen your defenses and make your environment more secure.
Email(s) IOCs:
Stage 1 – Observed Email Infection URL | Infection URL IP(s)
hXXps://join-meeting-invite-id-567765[.]nasbv[.]site/ | 104[.]21[.]56[.]35

Stage 2 – Discovered Malicious File(s)
_zoommeeting_Zoom_Installer_64_bit.exe.vbs
ScreenConnect.WindowsClient.exe

Stage 2 – Observed Payload URL(s) | Payload IP(s)
hXXp://212[.]11[.]64[.]45/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access&y=Guest&c=zoom%20link&c=zoom&c=&с=&c=&c=&c=&c= | 212[.]11[.]64[.]45

Stage 2 – Observed Command & Control URL(s) | Command & Control IP(s)
hXXp://212[.]11[.]64[.]45/ | 212[.]11[.]64[.]45