The Zoom Update That Installs a Hidden Tracker

Video conferencing has become routine for workplaces, making platforms like Zoom a familiar part of daily operations. That familiarity is now being exploited. Security researchers report a campaign in which attackers lure Windows users into joining fake Zoom meetings and then push a fraudulent “update” that silently installs commercial workforce monitoring software.

According to Cyber News, the attack begins with a convincing meeting link hosted on a lookalike domain. Victims who click the link are taken to a realistic imitation of a video call waiting room. Participants appear to join one by one, accompanied by familiar audio cues. The call then simulates technical glitches—lagging video and distorted sound—before displaying a “Network Issue” alert that urges the user to download an update.
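The lookalike-domain lure is something a mail gateway, a chat-link scanner or a help-desk triage script can check mechanically: does the link's host actually belong to Zoom? The Python below is an added example, not code from the article or from Cyber News. The allow-list in `ZOOM_DOMAINS` and every link in `SAMPLE_LINKS` are assumptions and constructed test data; the point it makes is that the check must match the whole host or a dot-separated suffix, so that subdomain tricks, hyphenated lookalikes, userinfo tricks and homoglyph hosts are all rejected.

```python
"""
Check whether a purported Zoom meeting link really points at a Zoom-owned host.
Added example (not from the article); ZOOM_DOMAINS and the sample links are
assumptions / constructed test data.
"""
from urllib.parse import urlsplit

# Assumed allow-list of registrable domains that serve Zoom meeting links.
ZOOM_DOMAINS = ("zoom.us", "zoom.com")


def classify_meeting_link(url: str) -> str:
    """Return "ok" or a short reason why the link should not be trusted.

    Matching is on the whole host or a dot-separated suffix, never a substring,
    so "zoom.us.example.com" and "zoom-us.com" are rejected. urlsplit().hostname
    drops userinfo, so "https://zoom.us@evil.example/" resolves to the real
    host, evil.example.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return "not-https"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "no-host"
    if any(host == d or host.endswith("." + d) for d in ZOOM_DOMAINS):
        return "ok"
    # Any other host, including IDN homoglyphs (e.g. Cyrillic letters), is a lookalike.
    return "lookalike-host"


def is_legit_zoom_link(url: str) -> bool:
    return classify_meeting_link(url) == "ok"


# Constructed sample links: one genuine-looking host and several lookalike styles.
SAMPLE_LINKS = {
    "https://us02web.zoom.us/j/1234567890?pwd=abc": "ok",
    "https://zoom.us.example.com/j/1234567890": "lookalike-host",   # suffix trick
    "https://zoom-us.com/j/1234567890": "lookalike-host",           # hyphen lookalike
    "https://zoom.us@evil.example/j/1234567890": "lookalike-host",  # userinfo trick
    "https://zооm.us/j/1234567890": "lookalike-host",               # Cyrillic 'о' characters
    "http://zoom.us/j/1234567890": "not-https",
}


def run_samples() -> dict:
    """Classify every sample link; returns {url: verdict}."""
    return {u: classify_meeting_link(u) for u in SAMPLE_LINKS}


if __name__ == "__main__":
    for url, verdict in run_samples().items():
        print(f"{verdict:15} {url}")
```

The verdicts are deliberately coarse: anything that is not an HTTPS link to an allow-listed host is treated as untrusted, which is the right default for a link a user is about to click on.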

There is no visible close option. After a short countdown, a file is automatically downloaded while the site redirects to additional pages mimicking the Microsoft Store and Zoom installation screens. The 103.8 MB package, named “zoom_agent_x64,” is not flagged by antivirus engines on VirusTotal.

The downloaded file is not traditional malware. Instead, it is a preconfigured installer for a legitimate workforce analytics tool commonly used by companies to monitor employee activity on corporate devices. Once installed, the software can log keystrokes, capture screenshots, track browsing and application use, record clipboard data and monitor email and file activity. The agent communicates with a remote server controlled by the attackers.

The installer runs via Windows Installer without presenting a standard user interface. The monitoring agent operates in “stealth mode”, leaving no taskbar icon, system tray entry or visible listing among installed programs. It also includes sandbox detection features and removes temporary installation traces after setup.

This technique—abusing legitimate software for malicious purposes—is often described as “living off the land”. Because the files belong to a commercially developed product, traditional antivirus tools may not identify them as threats.
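Because a signature will not flag a legitimate vendor's installer, the useful signal is behavioural: Windows Installer being run with one of its no-UI switches, from a package or parent binary sitting in a user's Downloads or Temp folder, or directly under a browser. The Python below is an added example (not from the article) that triages process-creation events of that shape. The log line format, the field names and every sample line are constructed; the `.msi` extension and the Temp path in the suspicious sample are assumptions, since the article names only the downloaded package.

```python
"""
Behavioural triage of process-creation events for silent Windows Installer runs
launched from user-writable download locations. Added example, not from the
article; the log format, field names and all sample lines are constructed.
"""
import re
import shlex
from dataclasses import dataclass, field

# key=value parser for the constructed log format; quoted values may contain spaces.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Paths an ordinary user (or a drive-by download) can write to.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# msiexec's documented no-UI switches: /quiet, /passive and the /q[n|b|r|f][+!-] family.
QUIET_WORDS = {"quiet", "passive"}
QUIET_Q = re.compile(r"q[nbrf]?[+!\-]*")


@dataclass
class Finding:
    pid: str
    package: str
    reasons: list = field(default_factory=list)  # why the event was flagged


def parse_event(line: str) -> dict:
    return {k: (q if q else v) for k, q, v in KV.findall(line)}


def is_quiet_switch(tok: str) -> bool:
    t = tok.lower().lstrip("/-")
    return t in QUIET_WORDS or bool(QUIET_Q.fullmatch(t))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage_event(ev: dict):
    """Return a Finding for a silent msiexec run from a user-writable origin, else None."""
    if basename(ev.get("image", "")) != "msiexec.exe":
        return None
    cmd = ev.get("cmd", "")
    try:
        tokens = shlex.split(cmd, posix=False)  # keeps backslashes, groups quoted paths
    except ValueError:
        tokens = cmd.split()
    if not any(is_quiet_switch(t) for t in tokens):
        return None  # interactive install: a UI was shown, the user could see it
    reasons = ["msiexec run with a no-UI switch"]
    package = ""
    for i, t in enumerate(tokens):  # package path follows /i or /package
        if t.lower().lstrip("/-") in {"i", "package"} and i + 1 < len(tokens):
            package = tokens[i + 1].strip('"')
    if USER_WRITABLE.search(package):
        reasons.append("package lives in a user-writable download/temp path")
    parent = ev.get("parent", "")
    if basename(parent) in BROWSERS:
        reasons.append("spawned directly by a browser")
    elif USER_WRITABLE.search(parent):
        reasons.append("spawned by a binary in a user-writable path")
    if len(reasons) == 1:
        return None  # quiet install from managed tooling (SCCM, Intune, ...) is normal
    return Finding(ev.get("pid", "?"), package, reasons)


def triage(lines):
    findings = []
    for line in lines:
        f = triage_event(parse_event(line))
        if f:
            findings.append(f)
    return findings


# Constructed sample events; paths and names are illustrative only.
SAMPLE_EVENTS = [
    # Managed deployment: quiet, but from an admin-controlled cache and a management agent.
    r'ts=2024-05-01T09:00:01Z pid=1201 image="C:\Windows\System32\msiexec.exe" parent="C:\Windows\CCM\CcmExec.exe" cmd="msiexec.exe /i C:\Windows\ccmcache\a1\7z.msi /qn"',
    # Interactive install: the user opened an MSI from Downloads and a UI was displayed.
    r'ts=2024-05-01T09:05:44Z pid=2288 image="C:\Windows\System32\msiexec.exe" parent="C:\Windows\explorer.exe" cmd="msiexec.exe /i C:\Users\bob\Downloads\vlc.msi"',
    # Shape described in the article: a downloaded zoom_agent_x64 binary runs a silent install.
    r'ts=2024-05-01T09:12:30Z pid=3412 image="C:\Windows\System32\msiexec.exe" parent="C:\Users\alice\Downloads\zoom_agent_x64.exe" cmd="msiexec.exe /i C:\Users\alice\AppData\Local\Temp\agent.msi /qn /norestart"',
    # Unrelated process, ignored.
    r'ts=2024-05-01T09:13:02Z pid=3500 image="C:\Program Files\Google\Chrome\Application\chrome.exe" parent="C:\Windows\explorer.exe" cmd="chrome.exe --type=renderer"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.package}")
        for r in f.reasons:
            print("  -", r)
```

Only the third event is reported: the first is quiet but comes from managed tooling, and the second is from Downloads but showed a UI. Requiring two independent signals keeps the rule from paging on routine software deployment while still catching the silent-install-from-Downloads pattern that a signature engine will never see.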

Surveillance-grade tools deployed without authorization could expose sensitive communications, operational data or classified information on compromised endpoints. The campaign highlights the growing risk posed by misuse of legitimate monitoring technologies and the need for stronger endpoint visibility beyond signature-based detection.