Fake Zoom meeting “update” silently installs surveillance software
A fake Zoom meeting website is silently pushing surveillance software onto Windows machines. Visitors land on a convincing imitation of a Zoom video call. Moments later, an automatic “Update Available” countdown downloads a malicious installer—without asking for permission.
The software being installed is a covert build of Teramind, a commercial monitoring tool companies use to record what employees do on work computers. In this campaign, it is being quietly dropped onto the machines of ordinary people who thought they were joining a meeting.
You clicked a Zoom link but there was no meeting
The whole operation starts at uswebzoomus[.]com/zoom/, a website that opens as a Zoom waiting room. The moment it loads, it quietly sends a message back to the attackers letting them know someone has arrived.
Three scripted fake participants—“Matthew Karlsson,” “James Whitmore,” and “Sarah Chen”—appear to join the call one by one, each announced by a genuine-sounding Zoom join chime. Their conversation audio loops on repeat in the background.
The page behaves differently if no one interacts with it. The audio and meeting sequence only begin once a real person clicks or types. Automated security tools that scan suspicious pages without interacting may see nothing unusual.
A permanent “Network Issue” warning is displayed over the main video tile. This is not a glitch: the page is hardcoded to always show it. The choppy audio and lagging video are entirely deliberate, and they serve a specific psychological purpose. A visitor sitting through a broken call will naturally assume something is wrong with the app. When an “Update Available” prompt appears moments later, it feels like the fix.
The countdown nobody asked for
Ten seconds after the meeting screen appears, a pop-up takes over: “Update Available — A new version is available for download.” A spinner turns and a counter ticks from five to zero. There is no close button.
By this point the visitor has already sat through a frustrating, glitchy call—and a software update is exactly what they have been primed to want. The pop-up arrives not as a surprise, but as an answer.
When the counter hits zero, the browser is instructed to silently download a file. At the exact same moment, the page switches to what looks like the Microsoft Store showing “Zoom Workplace” mid-installation, spinning and all. While the visitor watches what appears to be a legitimate install resolving the problem, the real installer has already landed in their Downloads folder—and it didn’t ask for permission at any point.
A Zoom update with Teramind inside
The downloaded file is called zoom_agent_x64_s-i(__941afee582cc71135202939296679e229dd7cced) (1).msi. It’s a standard Windows installer format. Its unique digital fingerprint is 644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa.
The filename itself is telling: the string s-i(__) is Teramind’s own naming convention for a stealth instance installer, with the hash after it identifying the specific attacker-controlled Teramind account the agent will report back to.
Security analysis of the file’s contents revealed two particularly telling pieces of text hidden inside it: Agent version 26.3.3403 and a field labelled Server IP or host name. These fields confirm the installer was preconfigured to connect to an attacker-controlled Teramind server.
The installer executes through Windows Installer without presenting the interactive installation interface a consumer would normally expect. The person being set up as a surveillance target has no idea it is happening.
Built to be invisible
Inside the installer’s internal build files—notes left over from the development process that are normally only seen by the software’s authors—the folder name out_stealth appears in the build path. This is not a coincidence. Teramind sells a dedicated “stealth mode” deployment option, specifically designed so the agent runs with no visible presence: no icon in the taskbar, no entry in the system tray, no trace in the list of installed programs.
In this version of the Windows agent, Teramind’s MSI defaults to naming the agent binary dwm.exe and installs it under a ProgramData\{GUID} directory. This behavior is documented by the vendor and can be changed using the TMAGENTEXE installer parameter.
During installation, the software assembles itself in stages. Several Teramind components are unpacked into temporary directories during installation. These intermediate files are not individually signed, which can sometimes trigger security tooling during analysis. The installation chain first confirms whether Teramind is already on the machine, then collects the computer’s name, the current user account, the keyboard language, and the system locale. These are the details Teramind needs to identify the device and begin reporting activity back to whoever deployed it.
The agent is configured to communicate with a remote Teramind server instance, consistent with enterprise monitoring deployments.
Designed to fool the tools that would catch it
One of the most deliberate aspects of this installer is how hard it works to avoid being analysed. Security researchers examine suspicious software in controlled “sandbox” environments (essentially isolated virtual machines where the software can run safely while being watched). This installer is built to detect exactly that situation and behave differently.
Runtime analysis flags indicate the presence of debug and environment detection logic (DETECT_DEBUG_ENVIRONMENT). The installer performs checks consistent with identifying analysis or sandbox environments and may alter its behavior under those conditions.
Once installation completes, the installer removes its temporary files and staging folders. That means by the time someone checks the machine, obvious traces of the installer may already be gone. The monitoring agent itself, however, continues running in the background.
Why Teramind makes this campaign unusually dangerous
Teramind is a legitimate product. Businesses pay for it to monitor staff on company-owned devices: it logs every keystroke, takes screenshots at regular intervals, records which websites were visited and which applications were opened, captures clipboard contents, and tracks email and file activity.
In a corporate context, with employees informed and policies in place, this is legal. That same capability, installed secretly on a personal machine, is something else entirely.
The attackers did not write custom malware. They deployed a professionally developed commercial product that is designed to run reliably and persist through restarts. That makes it more durable than many traditional malware strains.
Because the files themselves belong to legitimate software, traditional antivirus tools that look only for known malicious code may not flag them. Context matters. When monitoring software is installed without consent on a personal device, it fits the category often described as stalkerware—software used to monitor someone without their knowledge.
What to do if you may have been affected
If you visited uswebzoomus[.]com/zoom/ and a file with the name above was downloaded:
Do not open it.
If you already ran it, treat your device as compromised.
Check for the installation folder:
- Open File Explorer.
- Navigate to C:\ProgramData.
- Look for a folder named {4CEC2908-5CE4-48F0-A717-8FC833D8017A}.
ProgramData is hidden by default. In File Explorer, select View and enable “Hidden items.”
Check whether the service is running:
- Open Command Prompt as administrator.
- Type: sc query tsvchst
- Press Enter.
If it shows STATE: 4 RUNNING, the agent is active. If the service does not exist, it was not installed using the default configuration.
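The checks above, collected into one read-only PowerShell triage script. This is an added example, not part of the original article or of Teramind’s tooling; it assumes the default install folder, service name, binary name and hashes quoted in the article, so a deployment that changed them (for example via TMAGENTEXE) would not be caught.

```powershell
# Added triage example: read-only checks for the indicators described in the article.
# Run from an elevated PowerShell prompt. Values below come from the article.
$KnownInstallerHash = '644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa'
$KnownInstanceId    = '941afee582cc71135202939296679e229dd7cced'
$AgentFolder        = Join-Path $env:ProgramData '{4CEC2908-5CE4-48F0-A717-8FC833D8017A}'
$ServiceName        = 'tsvchst'
$findings           = @()

# 1. Downloaded installer: Teramind's stealth naming convention is s-i(__<40-hex instance id>).
#    Flag any MSI that follows the convention and compare it against the published hash.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
Get-ChildItem -Path $downloads -Filter '*.msi' -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Name -match 's-i\(__([0-9a-f]{40})\)') {
        $instanceId = $Matches[1]
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
        $note = "Stealth-instance installer in Downloads: $($_.Name) (instance $instanceId)"
        if ($hash -eq $KnownInstallerHash)  { $note += ' [SHA-256 matches published IOC]' }
        if ($instanceId -eq $KnownInstanceId) { $note += ' [instance id matches published IOC]' }
        $findings += $note
    }
}

# 2. Default install folder under ProgramData and the agent binary renamed to dwm.exe.
#    The legitimate Desktop Window Manager lives in System32; a dwm.exe elsewhere is suspicious.
if (Test-Path $AgentFolder) {
    $findings += "Default agent folder present: $AgentFolder"
    Get-ChildItem -Path $AgentFolder -Filter 'dwm.exe' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Agent binary outside System32: $($_.FullName)" }
}

# 3. Service state, equivalent to 'sc query tsvchst', plus the path the service launches.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service '$ServiceName' exists, status: $($svc.Status)"
    $svcPath = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'").PathName
    if ($svcPath) { $findings += "Service binary: $svcPath" }
}

if ($findings.Count -eq 0) {
    'No default-configuration Teramind indicators found.'
} else {
    'Indicators found (treat the device as compromised):'
    $findings | ForEach-Object { " - $_" }
}
```

A clean result only rules out the default configuration; a monitoring agent installed under a different folder, binary or service name needs a broader host review.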
Change passwords for important accounts—email, banking, and work—from a different, clean device.
If this happened on a work computer, contact your IT or security team immediately.
To avoid similar attacks in the future:
- Open Zoom directly from the app on your device.
- Type zoom.us into your browser yourself instead of clicking unexpected links.
- Be cautious with meeting links you were not specifically expecting.
Closing thoughts
There is a quiet but growing trend of attackers reaching for legitimate commercial software rather than building their own. Tools like Teramind arrive on a machine carrying the credibility of a real company’s product—and that credibility is exactly what makes them useful to someone deploying them without permission.
This campaign does not rely on technical sophistication. No new hacking technique was used. The attacker built a convincing fake Zoom page, set an automatic download to fire before any visitor has a reason to be suspicious, and used a fake Microsoft Store screen to explain it all away. From click to install takes less than thirty seconds. Someone who was expecting a Zoom invite and saw what looked like a Microsoft installation in progress could easily walk away believing nothing unusual had happened.
Zoom is frequently impersonated because people receive meeting links through email, text, Slack, and calendar invites—and click quickly. Taking five seconds to confirm a link really leads to zoom.us is a simple habit that can prevent a serious problem.
Indicators of Compromise (IOCs)
File Hashes (SHA-256)
644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa
Domains
uswebzoomus[.]com
Teramind Instance ID
941afee582cc71135202939296679e229dd7cced
Article Link: https://www.malwarebytes.com/blog/scams/2026/02/fake-zoom-meeting-update-silently-installs-surveillance-software