Fake Zoom Meeting “Update” Silently Installs Surveillance Software
Imagine receiving an update notification for Zoom, your video conferencing software of choice. You click on the link to install it, and before you know it, your device is silently infected with surveillance software. This is exactly what happened in a recent campaign where fake Zoom meeting websites silently installed Teramind, a commercial monitoring tool used by companies to record employee activity on work computers.
A convincing imitation of a Zoom video call lured unsuspecting visitors to the uswebzoomus[.]com/zoom/ website. Moments later, an automatic “Update Available” countdown downloaded a malicious installer without asking for permission. The software being installed was a covert build of Teramind, designed to secretly monitor user activity on personal devices.
The operation starts at the uswebzoomus[.]com/zoom/ website, which opens as a Zoom waiting room. Upon loading, it quietly sends a message back to the attackers letting them know someone has arrived. Three scripted fake participants appear in the call one by one, with their conversation audio looping on repeat in the background. The page behaves differently if no one interacts with it, and a permanent “Network Issue” warning is displayed over the main video tile.
To trick visitors into installing the software, the attackers used psychological tactics such as choppy audio and lagging video. When an “Update Available” prompt appears moments later, it feels like the fix for the supposed issue. The pop-up arrives not as a surprise but as an answer to the visitor's frustration with the broken call.
The downloaded file is called zoom_agent_x64_s-i(__941afee582cc71135202939296679e229dd7cced) (1).msi, and its unique digital fingerprint identifies it as a Teramind stealth instance installer. Security analysis revealed two telling pieces of text hidden inside the file: Agent version 26.3.3403 and a field labeled Server IP or host name.
These fields confirm that the installer was preconfigured to connect to an attacker-controlled Teramind server. The installer executes through Windows Installer without presenting a typical interactive consumer installation interface, making it harder for traditional antivirus tools to detect.
This campaign is particularly dangerous because the attackers used a legitimate product like Teramind, which is designed to run reliably and persist through restarts. This makes it more durable than many traditional malware strains. The fact that the files belong to legitimate software means that traditional antivirus tools may not flag them as malicious.
What should you do if you think you were affected? If you visited uswebzoomus[.]com/zoom/ and a file with the name above was downloaded, treat your device as compromised. Check whether the Teramind agent service is running, and change passwords for important accounts from a different, clean device. If this happened on a work computer, contact your IT or security team immediately.
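The two indicators the article gives (the hex string embedded in the downloaded file's name, and the "Agent version 26.3.3403" / "Server IP or host name" text found inside the installer) are enough for a simple triage sweep of a downloads folder. The script below is an added example, not code from the article or from Teramind; it assumes the text may be stored either as plain ASCII or as UTF-16LE (the usual encoding for MSI string tables), and the two sample files it writes are constructed stand-ins, not real installers.

```python
import tempfile
from pathlib import Path

# Indicators quoted from the article: the hex string in the downloaded
# file's name, and the two text fragments found inside the installer.
NAME_HEX = "941afee582cc71135202939296679e229dd7cced"
INDICATOR_STRINGS = ("Agent version 26.3.3403", "Server IP or host name")


def matching_encodings(data: bytes, text: str) -> list:
    """Return the encodings in which `text` occurs inside `data`.

    MSI string tables and Windows binaries frequently store text as
    UTF-16LE, so a plain ASCII search alone would miss it.
    """
    found = []
    for enc in ("ascii", "utf-16-le"):
        if text.encode(enc) in data:
            found.append(enc)
    return found


def triage_file(path: Path) -> dict:
    """Score one file against the article's indicators.

    A file is flagged when its name carries the known hex string, or when
    both indicator strings are present (requiring both keeps a generic
    "Server IP or host name" field from triggering on its own).
    """
    data = path.read_bytes()
    hits = {s: matching_encodings(data, s) for s in INDICATOR_STRINGS}
    name_hit = NAME_HEX in path.name.lower()
    return {
        "path": str(path),
        "name_matches_ioc": name_hit,
        "string_hits": {s: encs for s, encs in hits.items() if encs},
        "suspicious": name_hit or all(hits[s] for s in INDICATOR_STRINGS),
    }


def scan_directory(root: Path, suffix: str = ".msi") -> list:
    """Triage every file with the given suffix under `root` (recursively)."""
    return [triage_file(p) for p in sorted(root.rglob(f"*{suffix}"))]


def run_demo() -> dict:
    """Write two constructed sample files to a temp directory and triage them.

    The "bad" sample only mimics the indicator text in UTF-16LE; it is a
    constructed stand-in, not a real Teramind installer.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        bad = root / f"zoom_agent_x64_s-i(__{NAME_HEX}) (1).msi"
        bad.write_bytes(
            b"\x00" * 64
            + INDICATOR_STRINGS[0].encode("utf-16-le") + b"\x00\x00"
            + INDICATOR_STRINGS[1].encode("utf-16-le")
            + b"\x00" * 64
        )
        good = root / "vendor_tool.msi"  # constructed benign sample
        good.write_bytes(b"MSI placeholder with no indicator text")
        return {Path(r["path"]).name: r for r in scan_directory(root)}


if __name__ == "__main__":
    for name, result in run_demo().items():
        verdict = "SUSPICIOUS" if result["suspicious"] else "clean"
        print(f"{name}: {verdict} {result['string_hits']}")
```

Point `scan_directory` at a real downloads folder to sweep it; a flagged file is a reason to treat the machine as compromised as the article advises, not a reason to open the file. A hit on the embedded strings alone (without the file-name match) is still worth investigating, since a browser may have renamed the download.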
To avoid similar attacks in the future, be aware of the growing trend of attackers reaching for legitimate commercial software rather than building their own. Tools like Teramind arrive on a machine carrying the credibility of a real company's product, and that credibility is exactly what makes them useful to someone deploying them without permission.
From click to install takes less than thirty seconds, making it easy for victims to walk away believing nothing unusual happened. Taking five seconds to confirm a link really leads to zoom.us can prevent serious problems. Stay vigilant and be cautious when receiving unexpected update notifications or links from unfamiliar sources.