rss-bridge 2026-02-24T09:47:26+00:00

Fake Zoom meeting “update” silently installs unauthorized version of monitoring tool abused by cybercriminals to spy on victims

A fake Zoom meeting page looks real, triggers a bogus “update,” and silently installs a legitimate commercial monitoring product.


UPDATE (February 27, 2026): We have added more clarity around the abuse of legitimate commercial products.

UPDATE (February 25, 2026): Teramind has stated that it is not affiliated with the threat actors described and did not authorize the deployment of the software referenced. Further updates have been made throughout for clarification.

A fake Zoom meeting website is silently pushing surveillance software onto Windows machines. Visitors land on a convincing imitation of a Zoom video call. Moments later, an automatic “Update Available” countdown downloads a malicious installer—without asking for permission.

The campaign pushes a Teramind installer to unsuspecting victims. Teramind is a legitimate commercial workforce monitoring product that companies use to record what employees do on work computers. In this cybercriminal campaign, with which Teramind has no affiliation, an abused and altered copy of the program is being quietly dropped onto the machines of ordinary people who thought they were joining a meeting.

A fake Zoom website

You clicked a Zoom link but there was no meeting

The whole operation starts at uswebzoomus[.]com/zoom/, a website that opens as a Zoom waiting room. The moment it loads, it quietly sends a message back to the attackers letting them know someone has arrived.

Three scripted fake participants—“Matthew Karlsson,” “James Whitmore,” and “Sarah Chen”—appear to join the call one by one, each announced by a genuine-sounding Zoom join chime. Their conversation audio loops on repeat in the background.

The page behaves differently if no one interacts with it. The audio and meeting sequence only begin once a real person clicks or types. Automated security tools that scan suspicious pages without interacting may see nothing unusual.

A permanent “Network Issue” warning is displayed over the main video tile. This is not a glitch: the page is hardcoded to always show it. The choppy audio and lagging video are entirely deliberate, and they serve a specific psychological purpose. A visitor sitting through a broken call will naturally assume something is wrong with the app. When an “Update Available” prompt appears moments later, it feels like the fix.

The countdown nobody asked for

Ten seconds after the meeting screen appears, a pop-up takes over: “Update Available — A new version is available for download.” A spinner turns and a counter ticks from five to zero. There is no close button.

By this point the visitor has already sat through a frustrating, glitchy call—and a software update is exactly what they have been primed to want. The pop-up arrives not as a surprise, but as an answer.

When the counter hits zero, the browser is instructed to silently download a file. At the exact same moment, the page switches to what looks like the Microsoft Store showing “Zoom Workplace” mid-installation, spinning and all. While the visitor watches what appears to be a legitimate install resolving the problem, the real installer has already landed in their Downloads folder—and it didn’t ask for permission at any point.

A Zoom update with Teramind inside

The downloaded file is called zoom_agent_x64_s-i(__941afee582cc71135202939296679e229dd7cced) (1).msi. It’s a standard Windows installer format. Its unique digital fingerprint is 644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa.

The filename itself is telling: the string s-i(__) copies Teramind’s own naming convention for a stealth instance installer, with the hash after it identifying the specific attacker-controlled Teramind account the agent will report back to.

The installer executes through Windows Installer without presenting the interactive installation interface a consumer would normally expect. The person being set up as a surveillance target has no idea it is happening.

Built to be invisible

Inside the installer’s internal build files—notes left over from the development process that are normally only seen by the software’s authors—the folder name “out stealth” appears in the build path. This indicates the attackers configured the installer using Teramind’s “stealth mode” deployment option, a legitimate enterprise feature designed for authorized IT deployments where an invisible agent is required. However, in this criminal campaign, that feature is being misused to avoid detection on victims’ personal devices.

In this version of the Windows agent, Teramind’s MSI defaults to naming the agent binary dwm.exe and installs it under a ProgramData\{GUID} directory. This behavior is documented by the vendor and can be changed using the TMAGENTEXE installer parameter.

During installation, the software assembles itself in stages: several Teramind components are unpacked into temporary directories. These intermediate files are not individually signed, which can sometimes trigger security tooling during analysis. The installation chain first confirms whether Teramind is already on the machine, then collects the computer’s name, the current user account, the keyboard language, and the system locale. These are the details Teramind needs to identify the device and begin reporting activity back to whoever deployed it.

The agent is configured to communicate with a remote Teramind server instance, consistent with enterprise monitoring deployments.

Designed to fool the tools that would catch it

One of the most deliberate aspects of this installer is how hard it works to avoid being analyzed. Security researchers examine suspicious software in controlled “sandbox” environments (essentially isolated virtual machines where the software can run safely while being watched). This installer is built to detect exactly that situation and behave differently.

Runtime analysis flags indicate the presence of debug and environment detection logic (DETECT_DEBUG_ENVIRONMENT). The installer performs checks consistent with identifying analysis or sandbox environments and may alter its behavior under those conditions.

Once installation completes, the installer removes its temporary files and staging folders. That means by the time someone checks the machine, obvious traces of the installer may already be gone. The monitoring agent itself, however, continues running in the background.

What makes this cybercriminal campaign unusually dangerous

Teramind is a legitimate software vendor, and its product serves a legitimate function. Businesses pay for it to monitor staff on company-owned devices: it logs every keystroke, takes screenshots at regular intervals, records which websites were visited and which applications were opened, captures clipboard contents, and tracks email and file activity.

In a corporate context—where employees are informed and policies are in place—this is legal. Here, however, cybercriminals are misusing the Teramind tool by secretly installing it on personal machines without authorization.

The attackers did not write custom malware. They deployed a professionally developed commercial product that is designed to run reliably and persist through restarts. That makes it more durable than many traditional scams.

Because the files themselves belong to legitimate software, there is no malicious code for traditional antivirus tools to detect. This is a situation where context matters: the scammers are misusing Teramind’s legitimate monitoring software by installing it on a victim’s personal device without their knowledge or consent.

What to do if you may have been affected

If you visited uswebzoomus[.]com/zoom/ and a file with the name above was downloaded:

Do not open it.

If you already ran it, treat your device as compromised.

Check for the installation folder:

  • Open File Explorer.
  • Navigate to C:\ProgramData.

[...]
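As an added defender-side check, not part of the original post and not Teramind’s own tooling, the following PowerShell script automates the triage the steps above describe. It assumes an elevated PowerShell session on the affected Windows machine; the installer filename pattern and SHA-256 are the indicators quoted in this article, and the dwm.exe name and ProgramData\{GUID} location are the vendor defaults described earlier. Because dwm.exe is also the name of the legitimate Windows Desktop Window Manager in System32, the script judges running processes by their image path, not by their name.

```powershell
# Added triage script, not from the original post or from Teramind.
# Assumes: elevated Windows PowerShell 5.1 or newer on the affected machine.
# The indicators below are the ones quoted in the article.
$KnownMsiSha256 = '644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa'
$GuidDirPattern = '^\{?[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}\}?$'
$findings = [System.Collections.Generic.List[object]]::new()

# 1. Downloads folder: hash any zoom_agent*.msi and compare with the published indicator.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
Get-ChildItem -Path $downloads -Filter 'zoom_agent*.msi' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $findings.Add([pscustomobject]@{
            Check  = 'Downloaded installer'
            Path   = $_.FullName
            Detail = "SHA256=$hash"
            Match  = ($hash -ieq $KnownMsiSha256)
        })
    }

# 2. C:\ProgramData: GUID-named directories containing a dwm.exe (the vendor default
#    agent name and location described in the article).
Get-ChildItem -Path $env:ProgramData -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -imatch $GuidDirPattern } |
    ForEach-Object {
        $agent = Join-Path $_.FullName 'dwm.exe'
        if (Test-Path -Path $agent -PathType Leaf) {
            $hash = (Get-FileHash -Path $agent -Algorithm SHA256).Hash
            $findings.Add([pscustomobject]@{
                Check  = 'Agent binary in ProgramData GUID folder'
                Path   = $agent
                Detail = "SHA256=$hash"
                Match  = $true
            })
        }
    }

# 3. Running dwm.exe whose image is outside System32. The real Desktop Window Manager
#    lives in C:\Windows\System32, so only the path, not the name, is suspicious.
$system32 = Join-Path $env:SystemRoot 'System32'
Get-CimInstance -ClassName Win32_Process -Filter "Name = 'dwm.exe'" |
    Where-Object {
        $_.ExecutablePath -and
        -not $_.ExecutablePath.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)
    } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Check  = 'dwm.exe running outside System32'
            Path   = $_.ExecutablePath
            Detail = "PID=$($_.ProcessId) CommandLine=$($_.CommandLine)"
            Match  = $true
        })
    }

# 4. Installed-program registry entries naming Teramind. An authorized enterprise
#    deployment on a company device would appear here too, so confirm with your IT department.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Teramind*' } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Check  = 'Uninstall registry entry'
            Path   = $_.PSPath
            Detail = "DisplayName=$($_.DisplayName) Version=$($_.DisplayVersion)"
            Match  = $true
        })
    }

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this article were found on this machine.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A hit in any of the four checks on a personal device that was never enrolled in a workplace monitoring program is a strong signal the machine should be treated as compromised, as the article advises; a hit on a company-managed device may simply be an authorized deployment and should be verified with the organization’s IT staff before anything is removed. The script only reads files, processes and registry values and changes nothing, so it is safe to run before deciding on remediation.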