Malwarebytes’ deep dive into a campaign that started with a fake Zoom meeting “update” shows attackers using Teramind, a legitimate employee-monitoring product, to surveil Windows machines. The initial piece, published on 24 February 2026, documented a convincing fake Zoom waiting room that delivered a Teramind MSI; Namecheap later reported that the malicious domain had been suspended.
The same researchers found that the campaign has since expanded to impersonate Google Meet, running from a separate domain and infrastructure: a fake Microsoft Store page branded “Google Meet for Meetings” delivers the same payload. The MSI parses its own filename to extract a Teramind instance ID while keeping a hardcoded C2 address, rt.teramind[.]co, and analysts observed two persistent services, tsvchst and pmon, that start automatically and support stealthy operation.
The researchers also demonstrated a CheckHosts gate that aborts installation if the C2 cannot be contacted, and noted SOCKS5 proxy support that can route C2 traffic through attacker-controlled proxies. Because the instance ID comes from the filename, a single binary can serve multiple attacker accounts simply by renaming the installer, which underscores the campaign’s scalability and the risk to enterprises that already run legitimate monitoring software, where the same installer and its rt.teramind[.]co traffic may already be trusted.
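The indicators above (the tsvchst and pmon service installs, DNS resolution of rt.teramind.co, and a meeting-app-named MSI landing in a user’s Downloads folder) are enough to build a first-pass triage rule. The script below is an added example, not Malwarebytes’ code or Teramind’s: it runs over a handful of constructed, Sysmon-style key=value lines (event ID 7045 for service installation from the System log, Sysmon 22 for DNS queries, Sysmon 11 for file creation), flags the indicators per host, and rates a host “high” only when both the services and the C2 lookup are present. The lure-MSI filename pattern and the `sanctioned_hosts` allow-list for machines where Teramind is legitimately deployed are assumptions of this example; the filename-to-instance-ID logic is not reproduced because the article does not give the filename format.

```python
import re
from collections import defaultdict

# Indicators taken from the article.
SUSPECT_SERVICES = {"tsvchst", "pmon"}   # persistent autostart services
C2_HOST = "rt.teramind.co"              # hardcoded C2 in the MSI
# Heuristic (assumption, not from the article): an MSI named after a
# meeting app being written to disk, matching the Zoom / Google Meet lures.
LURE_MSI = re.compile(r"(zoom|meet)[^\\/]*\.msi$", re.IGNORECASE)

# key=value tokens; quoted values may contain spaces.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample telemetry (not real logs), one event per line.
SAMPLE_EVENTS = [
    'EventID=7045 Host=WS01 ServiceName=tsvchst ImagePath="C:\\Program Files\\Teramind\\tsvchst.exe" StartType=auto',
    'EventID=7045 Host=WS01 ServiceName=pmon ImagePath="C:\\Program Files\\Teramind\\pmon.exe" StartType=auto',
    'EventID=22 Host=WS01 Image="C:\\Program Files\\Teramind\\tsvchst.exe" QueryName=rt.teramind.co',
    'EventID=11 Host=WS01 Image=C:\\Windows\\System32\\msiexec.exe TargetFilename="C:\\Users\\alice\\Downloads\\Zoom_Update.msi"',
    'EventID=7045 Host=WS02 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe StartType=auto',
    'EventID=22 Host=WS02 Image=C:\\Program Files\\Zoom\\bin\\Zoom.exe QueryName=zoom.us',
]


def parse_event(line):
    """Turn one key=value line into a dict (re.findall yields '' for the unused group)."""
    return {key: quoted or unquoted for key, quoted, unquoted in KV.findall(line)}


def triage(lines, sanctioned_hosts=frozenset()):
    """Return {host: {"findings": [...], "severity": ...}} for hosts with any hit.

    sanctioned_hosts (assumption): machines where Teramind is deployed on
    purpose; their hits are kept for the record but rated "info".
    """
    hits = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        host = ev.get("Host", "?")
        eid = ev.get("EventID")
        if eid == "7045" and ev.get("ServiceName", "").lower() in SUSPECT_SERVICES:
            hits[host].append(f"service install: {ev['ServiceName']} ({ev.get('ImagePath')})")
        elif eid == "22" and ev.get("QueryName", "").lower() == C2_HOST:
            hits[host].append(f"DNS query to C2 {C2_HOST} from {ev.get('Image')}")
        elif eid == "11" and LURE_MSI.search(ev.get("TargetFilename", "")):
            hits[host].append(f"meeting-app-named MSI written: {ev['TargetFilename']}")

    result = {}
    for host, findings in hits.items():
        has_service = any(f.startswith("service install") for f in findings)
        has_c2 = any(f.startswith("DNS query") for f in findings)
        if host in sanctioned_hosts:
            severity = "info"       # expected Teramind deployment; still worth logging
        elif has_service and has_c2:
            severity = "high"       # persistence plus C2 resolution on the same host
        else:
            severity = "medium"     # partial match; needs a human look
        result[host] = {"findings": findings, "severity": severity}
    return result


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {verdict['severity']}")
        for finding in verdict["findings"]:
            print(f"  - {finding}")
```

Because the C2 is the vendor’s own domain, the DNS indicator alone cannot distinguish an attacker’s instance from a sanctioned one; the allow-list of hosts that are supposed to run Teramind is what turns this from noise into a usable alert, and any sanctioned host that starts resolving rt.teramind.co from a freshly installed service still deserves a look at which instance ID the installer carried.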