A fake Zoom meeting “update” page is silently pushing surveillance software onto Windows machines. The page masquerades as a Zoom call and displays an automatic “Update Available” prompt that downloads a covert installer without the user’s permission. The installer is a stealth build of Teramind, a commercial monitoring tool; the downloaded file is named zoom_agent_x64_s-i(__941afee582cc71135202939296679e229dd7cced) (1).msi and has a fingerprint of 644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa.
The operation starts at uswebzoomus[.]com/zoom/, a site that opens as a Zoom waiting room and signals the attackers when someone arrives. The page shows three fake participants (“Matthew Karlsson,” “James Whitmore,” and “Sarah Chen”) and plays a repeated Zoom join chime. The attack’s progress stays hidden until the counter reaches zero, at which point the installer downloads in the background.
According to Malwarebytes, the campaign uses a real Teramind product, with indicators including the domain uswebzoomus[.]com, the Teramind instance ID 941afee582cc71135202939296679e229dd7cced, and the file hash 644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa.
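A triage check built from the indicators above, as an added example that is not from Malwarebytes or the original page: it walks a directory (for instance a user's Downloads folder) and flags MSI files whose name embeds a 40-hex-digit ID in the `s-i(__…)` form of the reported filename, plus any file matching the reported hash. The hash is assumed to be SHA-256 because it is 64 hex digits long, the filename pattern is generalized from the single reported name, and the function names are hypothetical.

```python
import hashlib
import re
import sys
from pathlib import Path

# Indicators copied from the report above. KNOWN_HASH is assumed to be SHA-256.
KNOWN_INSTANCE_ID = "941afee582cc71135202939296679e229dd7cced"
KNOWN_HASH = "644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa"

# Assumption: pattern generalized from the one reported name,
# zoom_agent_x64_s-i(__<40 hex>) (1).msi; " (1)" is a browser re-download suffix.
NAME_RE = re.compile(r"s-i\(__([0-9a-f]{40})\)(?: \(\d+\))?\.msi$", re.IGNORECASE)

def instance_id_from_name(filename):
    """Return the 40-hex ID embedded in an installer name, or None."""
    m = NAME_RE.search(filename)
    return m.group(1).lower() if m else None

def sha256_of(path):
    """Hash in chunks so large installers are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(directory):
    """Return (filename, reasons) for every file matching an indicator."""
    findings = []
    for path in sorted(Path(directory).rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        iid = instance_id_from_name(path.name)
        if iid == KNOWN_INSTANCE_ID:
            reasons.append("reported instance ID in filename")
        elif iid:
            # Same naming scheme, other ID: worth a look, not a confirmed match.
            reasons.append("instance-ID filename pattern (different ID)")
        if sha256_of(path) == KNOWN_HASH:
            reasons.append("reported file hash")
        if reasons:
            findings.append((path.name, reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in triage(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{name}: {', '.join(reasons)}")
```

A filename match alone survives a rebuilt installer with a new hash, while a hash match survives a rename, which is why the check reports the two independently.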