A sophisticated phishing campaign has emerged, tricking 1,437 users worldwide into downloading surveillance software via a fraudulent Zoom website over a mere 12-day span. The alarming operation was first identified on February 11, 2026, through the Microsoft Defender for Endpoint platform, using a counterfeit version of Teramind’s legitimate workforce monitoring tool to monitor unsuspecting victims.
Discovery of the Malicious Campaign
The attack begins when users visit the deceptive website uswebzoomus[.]com/zoom/, which mimics a legitimate Zoom waiting room. Upon arrival, the site signals the attackers, triggering the appearance of three scripted, fake participants. These virtual attendees, named “Matthew Karlsson,” “James Whitmore,” and “Sarah Chen,” seemingly join the call as a realistic Zoom chime sounds, accompanied by looped conversation audio.
This elaborate setup, engineered to evade automated security checks, activates only when a real user interacts with the page. Malwarebytes analysts, who reported the campaign on February 24, 2026, emphasized the attackers’ reliance on psychological manipulation over advanced technical prowess.
Technical Exploitation and User Deception
The fake Zoom page displays a permanent “Network Issue” banner, luring users into believing their app is malfunctioning. The frustration mounts with choppy audio and frozen video, prompting users to download an ostensible update that appears as a pop-up.
Once the pop-up's five-second countdown concludes, the browser clandestinely downloads a malicious installer. At the same time, a fake Microsoft Store screen appears, showing “Zoom Workplace” mid-installation. This distraction covers the malicious payload’s arrival in the user’s Downloads folder without any consent.
The file, identified by its SHA-256 hash (644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa), was not flagged by Microsoft Defender on VirusTotal at the time of discovery, leaving users vulnerable without warnings.
Stealthy Operations and Security Measures
The attackers utilized a preconfigured rogue version of Teramind, designed to operate without visible traces. The installer features a specific internal build path, ‘out_stealth’, confirming its intention to run covertly. Once executed, it collects system data and reports to a Teramind server controlled by the attackers.
Security teams are advised to immediately blacklist the SHA-256 hash and domain uswebzoomus[.]com to prevent further intrusions. Users who interacted with the fake page should avoid opening the downloaded file. Compromised systems should be checked for a hidden folder under C:\ProgramData, and all passwords should be changed from a secure device.
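The response steps above (block the hash and domain, look for the installer in Downloads, look for a hidden folder under C:\ProgramData) can be turned into a small triage sweep. The script below is an added example written for this article, not code from the report, Malwarebytes, or Microsoft. It uses only the two indicators the article gives: the installer's SHA-256 and the defanged domain. The proxy/DNS log lines, the Downloads folder contents and the file name constructed_zoom_update.exe are all constructed sample data; because the real installer is not available offline, the demo adds the constructed stand-in's own hash to the indicator set purely to exercise the matching path. The hidden-folder check relies on the Windows file attribute and returns an empty list on other operating systems.

```python
import hashlib
import re
import stat
import tempfile
from pathlib import Path

# Indicators from the report: the installer's SHA-256 and the (defanged) phishing domain.
IOC_SHA256 = {"644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa"}
IOC_DOMAIN_DEFANGED = "uswebzoomus[.]com"


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large downloads do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_hash_matches(directory: Path, ioc_hashes: set) -> list:
    """Return names of files under `directory` whose SHA-256 is in `ioc_hashes`."""
    hits = []
    for p in sorted(directory.rglob("*")):
        if p.is_file() and sha256_of(p) in ioc_hashes:
            hits.append(p.name)
    return hits


def find_domain_hits(log_lines, domain_defanged: str) -> list:
    """Return log lines that reference the indicator domain or one of its subdomains.

    Host-like tokens are compared whole, so 'notuswebzoomus.com' is not reported
    just because it contains the indicator as a substring.
    """
    host = refang(domain_defanged)
    hits = []
    for line in log_lines:
        tokens = re.findall(r"[a-z0-9.-]+", line.lower())
        if any(t == host or t.endswith("." + host) for t in tokens):
            hits.append(line)
    return hits


def hidden_dirs_under(root: Path) -> list:
    """List directories directly under `root` carrying the Windows 'hidden' attribute.

    st_file_attributes only exists on Windows, so on other systems this returns [].
    """
    found = []
    if not root.is_dir():
        return found
    for p in root.iterdir():
        if p.is_dir():
            attrs = getattr(p.stat(), "st_file_attributes", 0)
            if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0):
                found.append(p.name)
    return found


def run_demo() -> dict:
    """Sweep a constructed Downloads folder and constructed proxy/DNS log for the indicators."""
    sample_log = [  # constructed sample lines, not taken from the report
        "2026-02-12T10:01:03Z 10.0.0.5 GET https://uswebzoomus.com/zoom/ 200",
        "2026-02-12T10:01:09Z 10.0.0.5 GET https://zoom.us/j/123456789 200",
        "2026-02-12T10:02:40Z 10.0.0.7 DNS www.uswebzoomus.com A",
        "2026-02-12T10:03:11Z 10.0.0.9 GET https://notuswebzoomus.com/ 404",
    ]
    with tempfile.TemporaryDirectory() as tmp:
        downloads = Path(tmp) / "Downloads"
        downloads.mkdir()
        (downloads / "notes.txt").write_bytes(b"meeting notes")
        suspect = downloads / "constructed_zoom_update.exe"  # constructed stand-in
        suspect.write_bytes(b"constructed stand-in for the installer")
        # The real installer is not available offline; add the stand-in's own hash
        # to the indicator set so the matching path is exercised.
        iocs = IOC_SHA256 | {sha256_of(suspect)}
        hash_hits = find_hash_matches(downloads, iocs)
        hidden = hidden_dirs_under(Path(tmp))
    return {
        "hash_matches": hash_hits,
        "domain_hits": find_domain_hits(sample_log, IOC_DOMAIN_DEFANGED),
        "hidden_dirs": hidden,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real host, point `find_hash_matches` at the user's Downloads folder, `hidden_dirs_under` at `C:\ProgramData`, and `find_domain_hits` at exported proxy or DNS logs with the article's domain; a hidden folder found under ProgramData is only a lead, since some legitimate software also creates them, and should be confirmed against the installer hash and the endpoint's process history.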
To safeguard against such threats, users are encouraged to access Zoom through the official application, manually type zoom.us in the browser, and handle unexpected meeting links with caution.
