A phishing campaign is impersonating Zoom and Google Meet to install Teramind, a legitimate enterprise employee‑monitoring product, on Windows machines without the user's knowledge. Malwarebytes researchers and several security outlets have documented the campaign, which relies on Teramind's own hidden‑agent mode for unauthorized surveillance rather than on custom malware.
These attacks highlight a growing trend: the misuse of legitimate commercial software as covert spyware, allowing threat actors to bypass antivirus detection and gain persistent monitoring capabilities on victim systems.
How the Infection Chain Works
1. Fake Video‑Conferencing Landing Pages
Threat actors create highly convincing spoofed Zoom and Google Meet sites:
- uswebzoomus[.]com – Fake Zoom update/waiting room (now offline)
- googlemeetinterview[.]click – Active Google Meet phishing site mimicking Microsoft Store pages
Victims are typically driven to these sites through phishing emails or fake meeting invites, often with urgent subject lines. In prior observed campaigns, fraudulent meeting invites auto‑added themselves to user calendars to increase the likelihood of clicks.
2. Fake Microsoft Store Trick
The active Google Meet variant presents a fake Microsoft Store interface, showing a large “Download” button. Clicking it silently triggers the download of a malicious MSI file, while the page continues to display a fake progress screen.
3. Use of an Unmodified Teramind Binary
The attackers use the unmodified, official Teramind installer rather than a trojanized build. Configuration is injected through the installer's own ReadPropertiesFromMsiName .NET custom action, which reads settings from the MSI's filename at install time, so no code in the package needs to change.
4. Instance ID Encoded in the Filename
The MSI filename contains a 40‑character hex string, which the installer decodes at runtime into the attacker’s unique Teramind instance ID. This allows:
- A single MSI file to serve many attackers
- A simple filename change to redirect the spyware to a different command‑and‑control account
5. C2 Connectivity Check (CheckHosts)
Before installing, the MSI's CheckHosts action tests connectivity to the Teramind cloud endpoint the agent reports to:
C2: rt.teramind.co
If the host is unreachable, installation aborts. This is a vendor feature, but it also means the installer does nothing useful in an isolated sandbox, which hinders analysis.
If the server responds, Teramind installs in Hidden Agent mode (TMSTEALTH = 1):
- No taskbar icon
- No Start Menu entry
- Not visible in Add/Remove Programs
This stealth mode is normally used for insider‑threat monitoring—now repurposed for cyber espionage.
6. Proxy Support for Evasion
The MSI includes built‑in SOCKS5 proxy support, so the agent's traffic to the Teramind instance can be routed through an intermediary, letting attackers reroute or obscure the callback path and complicate network‑based detection.
7. Persistence via Auto‑Restarting Services
Two resilient services maintain persistence and auto‑restart if terminated:
| Service Name | Display Name | Executable | Privilege |
|---|---|---|---|
| tsvchst | Service Host | svc.exe -service | LocalSystem |
| pmon | Performance Monitor | pmon.exe | LocalSystem |
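Putting steps 3 to 5 together from the defender's side: the following PowerShell is an added triage example (it is not code from the Malwarebytes research or from Teramind) that hashes a suspect MSI against the published SHA‑256, pulls any 40‑character hex token out of the filename, and dumps the MSI Property table so the product code and, if present there, TMSTEALTH can be read without running the installer. The Windows Installer COM interface is late‑bound, hence the InvokeMember calls. How Teramind decodes the token into an instance ID is not reproduced; the script only extracts and reports it. Assumed: the Downloads folder as the scan location and the property name TMSTEALTH appearing in the Property table.

```powershell
# Added triage example, not from the article's source research or from Teramind.
# Assumes the known-bad SHA-256 from the IOC table and that a 40-hex-char token in
# the filename is the attacker's instance token described in the article.
$KnownBadSha256 = '644EF9F5EEA1D6A2BC39A62627EE3C7114A14E7050BAFAB8A76B9AA8069425FA'

function Get-MsiPropertyTable {
    # Read the Property table via the Windows Installer automation interface.
    # The object is late-bound, so members are reached through InvokeMember.
    param([Parameter(Mandatory)][string]$Path)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($Path, 0))
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @('SELECT Property, Value FROM Property'))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $props = @{}
    while ($true) {
        $rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if ($null -eq $rec) { break }
        $name  = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(1))
        $value = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(2))
        $props[$name] = $value
    }
    $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null) | Out-Null
    return $props
}

function Test-SuspiciousMsi {
    param([Parameter(Mandatory)][string]$Path)
    $file  = Get-Item -LiteralPath $Path
    $hash  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    # Filename-borne configuration: the 40-character hex string that
    # ReadPropertiesFromMsiName turns into the instance ID (decoding not reproduced).
    $token = [regex]::Match($file.BaseName, '[0-9A-Fa-f]{40}').Value
    $props = Get-MsiPropertyTable -Path $Path
    $verdicts = @()
    if ($hash -eq $KnownBadSha256)              { $verdicts += 'SHA-256 matches published IOC' }
    if ($token)                                  { $verdicts += "40-hex-char instance token in filename: $token" }
    if ($props['TMSTEALTH'] -eq '1')             { $verdicts += 'TMSTEALTH=1 (hidden agent) in Property table' }  # assumption: property name
    if ($props['ProductName'] -match 'Teramind') { $verdicts += "ProductName: $($props['ProductName'])" }
    [pscustomobject]@{
        File        = $file.FullName
        SHA256      = $hash
        ProductCode = $props['ProductCode']   # the code msiexec /x needs for removal
        Verdicts    = $verdicts
    }
}

# Usage: sweep the current user's Downloads folder and show only files with findings.
Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.msi -File |
    ForEach-Object { Test-SuspiciousMsi -Path $_.FullName } |
    Where-Object { $_.Verdicts.Count -gt 0 } |
    Format-List
```

Opening the database read‑only (the 0 argument to OpenDatabase) does not execute any custom action, so this is safe to run on the live sample; only the hash check ties a file to this specific campaign, the filename token and ProductName are heuristics.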
Technical Stealth Enhancements
- Teramind's covert mode hides the agent from the user (no icon, no Start Menu entry, no Programs list entry), though services, drivers and files remain visible to an administrator
- Installer deletes temporary artifacts post‑installation
- Antivirus tools often fail to detect it because the software is legitimate enterprise monitoring software
- The software records keystrokes, browser activity, clipboard content, screenshots, and file operations once active
This makes the attack extremely dangerous for both corporate and personal systems.
Indicators of Compromise (IOCs)
| Type | Indicator | Notes |
|---|---|---|
| SHA‑256 | 644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa | Malicious MSI installer |
| MD5 | AD0A22E393E9289DEAC0D8D95D8118B5 | Malicious MSI installer |
| Domain | googlemeetinterview[.]click | Active Google Meet lure |
| Domain | uswebzoomus[.]com | Offline Zoom lure |
| C2 Server | rt.teramind.co | Default callback endpoint |
| ProgramData Path | {4CEC2908-5CE4-48F0-A717-8FC833D8017A} | Presence of hidden agent installation |
How to Detect an Active Infection
Security teams should:
1. Check for Persistence Services
Look for tsvchst and pmon running as LocalSystem.
These should not appear on corporate endpoints unless the organization has itself licensed and deployed Teramind; confirm with the team that owns endpoint tooling before treating a hit as an intrusion.
2. Inspect ProgramData for GUID
Search for the GUID directory:
C:\ProgramData\{4CEC2908-5CE4-48F0-A717-8FC833D8017A}
Its presence is a strong indicator of compromise.
3. Look for Kernel Drivers
Unauthorized loading of either of the two Teramind drivers:
tm_filter.sys
tmfsdrv2.sys
signals a hidden Teramind agent.
4. Monitor Outbound Traffic
Especially:
- Connections to rt.teramind.co (C2)
- Suspicious MSI downloads from non‑corporate domains
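The four checks above as one host sweep, added here as an example and not taken from the article's source research: it matches the two service names, the ProgramData GUID directory, the two driver names and live or recently cached connections to the callback host. The indicator values come from the IOC table; the wording of the findings and the use of the DNS client cache as a second signal are this script's own. Note that resolving rt.teramind.co from the host under investigation is itself an outbound lookup, and that a legitimately deployed Teramind agent will trip every one of these checks.

```powershell
# Added detection example, not from the article's source research.
# Indicator values are taken from the IOC table above.
$Indicators = @{
    Services = @('tsvchst', 'pmon')
    Drivers  = @('tm_filter', 'tmfsdrv2')     # tm_filter.sys, tmfsdrv2.sys
    DataDir  = 'C:\ProgramData\{4CEC2908-5CE4-48F0-A717-8FC833D8017A}'
    Callback = 'rt.teramind.co'
}

function Find-HiddenTeramindAgent {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Persistence services (report the account so LocalSystem is visible)
    foreach ($svc in Get-CimInstance Win32_Service) {
        if ($Indicators.Services -contains $svc.Name) {
            $findings.Add("service $($svc.Name) ('$($svc.DisplayName)') state=$($svc.State) account=$($svc.StartName) path=$($svc.PathName)")
        }
    }

    # 2. Hidden-agent data directory
    if (Test-Path -LiteralPath $Indicators.DataDir) {
        $findings.Add("data directory present: $($Indicators.DataDir)")
    }

    # 3. Kernel drivers, registered or loaded
    foreach ($drv in Get-CimInstance Win32_SystemDriver) {
        if ($Indicators.Drivers -contains $drv.Name) {
            $findings.Add("driver $($drv.Name) state=$($drv.State) path=$($drv.PathName)")
        }
    }

    # 4. Callback traffic: established connections to the callback host's addresses,
    #    plus the local DNS cache, which outlives a connection that has already closed.
    $remoteIps = @()
    try {
        $remoteIps = @(Resolve-DnsName $Indicators.Callback -ErrorAction Stop |
                       Where-Object IPAddress | ForEach-Object IPAddress)
    } catch { $findings.Add("could not resolve $($Indicators.Callback): $($_.Exception.Message)") }
    foreach ($conn in Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue) {
        if ($remoteIps -contains $conn.RemoteAddress) {
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            $findings.Add("connection to $($Indicators.Callback) $($conn.RemoteAddress):$($conn.RemotePort) from PID $($conn.OwningProcess) $($proc.ProcessName)")
        }
    }
    foreach ($entry in Get-DnsClientCache -ErrorAction SilentlyContinue) {
        if ($entry.Entry -like "*$($Indicators.Callback)*") {
            $findings.Add("DNS cache entry $($entry.Entry) -> $($entry.Data)")
        }
    }
    return $findings
}

# Usage: run elevated so service and driver paths are fully readable.
$result = Find-HiddenTeramindAgent
if ($result.Count -eq 0) { 'no Teramind hidden-agent artifacts found' } else { $result }
```

Any single finding is worth a look; the service names alone are generic enough ("Performance Monitor") that the directory GUID and driver names are the stronger confirmations.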
Mitigation & Removal
1. Block MSI Executions from Download Folders
Browser and endpoint policies should prevent MSI execution from user‑writable locations by default; AppLocker Windows Installer rules or WDAC policies can enforce this independently of the browser.
2. Restrict Access to Unknown Domains
Enforce Safe Browsing, DNS filtering, and domain age restrictions.
3. Remove Unauthorized Installation
Run from an elevated terminal:
msiexec /x {4600BEDB-F484-411C-9861-1B4DD6070A23} /qb
Confirm the product code on the affected host before running this (it need not match the ProgramData GUID and may differ between installer versions), then manually delete the ProgramData directory and reboot to unload the kernel drivers.
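Because the hidden agent does not appear in Add/Remove Programs, the product code has to be confirmed some other way. The following added example (not from the article's research or from Teramind) enumerates every product registered with Windows Installer through the COM automation interface, which lists products regardless of whether they are hidden from the Control Panel, matches on the article's product code or on a ProductName containing "Teramind" (the name match is an assumption), and then runs the uninstall with a verbose log before removing the data directory. The log filename is this script's own choice.

```powershell
# Added removal example, not from the article's research or from Teramind.
# Defaults: the product code from the article and the ProgramData GUID from the IOC table.
$ExpectedProductCode = '{4600BEDB-F484-411C-9861-1B4DD6070A23}'
$DataDir             = 'C:\ProgramData\{4CEC2908-5CE4-48F0-A717-8FC833D8017A}'

function Get-InstalledMsiProduct {
    # Enumerate products Windows Installer knows about, including ones hidden
    # from Add/Remove Programs. Late-bound COM, hence InvokeMember.
    param([string]$NamePattern = 'Teramind')   # assumption: ProductName contains the vendor name
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $codes = $installer.GetType().InvokeMember('Products', 'GetProperty', $null, $installer, $null)
    foreach ($code in $codes) {
        $name = $installer.GetType().InvokeMember('ProductInfo', 'GetProperty', $null, $installer, @($code, 'ProductName'))
        if ($code -eq $ExpectedProductCode -or $name -match $NamePattern) {
            [pscustomobject]@{ ProductCode = $code; ProductName = $name }
        }
    }
}

function Remove-HiddenTeramindAgent {
    param([switch]$WhatIf)
    $targets = @(Get-InstalledMsiProduct)
    if ($targets.Count -eq 0) { Write-Warning 'no matching product registered with Windows Installer'; return }
    foreach ($t in $targets) {
        $logPath = Join-Path $env:TEMP "teramind-uninstall-$($t.ProductCode).log"
        $msiArgs = "/x $($t.ProductCode) /qb /l*v `"$logPath`""
        if ($WhatIf) { "would run: msiexec.exe $msiArgs"; continue }
        $p = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
        "msiexec exit code $($p.ExitCode) for $($t.ProductName) $($t.ProductCode) (0 = ok, 3010 = reboot required)"
    }
    if (-not $WhatIf -and (Test-Path -LiteralPath $DataDir)) {
        Remove-Item -LiteralPath $DataDir -Recurse -Force -ErrorAction Continue
    }
}

# Usage, from an elevated PowerShell: review the plan, then execute and reboot.
Remove-HiddenTeramindAgent -WhatIf
# Remove-HiddenTeramindAgent; Restart-Computer
```

If msiexec returns a non‑zero code other than 3010, read the verbose log before touching the directory by hand; the two services auto‑restart while the package is still registered, so deleting files first only produces noise.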
Conclusion
The abuse of legitimate enterprise surveillance software marks a dangerous evolution in phishing operations. By weaponizing real tools instead of custom malware, attackers gain:
- Built‑in stealth
- Reliable persistence
- Complete, high‑quality data collection (keystrokes, screenshots, clipboard, files) without writing their own collector
- Lower detection risk
Organizations must strengthen browser policies, restrict MSI behavior, monitor for hidden services, and educate users to verify every Zoom or Google Meet link.