Hackers are using Zoom’s remote control feature to infect devices with malware

Security experts have issued an alert over a new social engineering campaign using Zoom’s remote control features to take over victim devices.

In a report from Trail of Bits, researchers attributed the campaign to a cyber criminal group known as ‘Elusive Comet’, which attempted to target the company’s CEO on social media.

The campaign in question centers around abusing the video conferencing software’s remote control feature, which allows participants to take control of another users’ computer.

In a blog post detailing the CEO’s exchange with the group, the firm said the attack started with an invitation to appear on ‘Bloomberg Crypto’ as part of an interview.

These invitations were sent via social media or email, using phony email addresses mimicking official Bloomberg accounts belonging to journalists. Notably, invitations were sent via Calendly links, the company said, which are intended to lure the victim under the guise of authenticity.

“Two separate Twitter accounts approached our CEO with invitations to participate in a “Bloomberg Crypto” series—a scenario that immediately raised red flags,” the firm said in a blog post.

“The attackers refused to communicate via email and directed scheduling through Calendly pages that clearly weren’t official Bloomberg properties. These operational anomalies, rather than technical indicators, revealed the attack for what it was.”

Trail of Bits identified a number of accounts linked to the campaign and warned organizations to update monitoring systems to include these new indicators.

These included:

• X: @KOanhHa
• X: @EditorStacy
• Email: bloombergconferences[@]gmail.com
• Zoom URL: https://us06web[.]zoom[.]us/j/84525670750
• Calendly URL: calendly[.]com/bloombergseries
• Calendly URL: calendly[.]com/cryptobloomberg

Zoom attack relies on user trust

Trail of Bits warned that with the campaign relying on a feature in a legitimate service, it could pose a serious risk to unwitting users.

Upon entering a call with the threat actors, they change display names to ‘Zoom’ to make the request “appear as a system notification”. If granted access, the attacker can assume control of the victim’s device to install malware, exfiltrate data, or steal cryptocurrency.

“What makes this attack particularly dangerous is the permission dialog’s similarity to other harmless Zoom notifications,” the firm said. “Users habituated to clicking “Approve” on Zoom prompts may grant complete control of their computer without realizing the implications.”

Max Gannon, Intelligence Manager at Cofense, echoed Trail of Bits’ comments on the campaign, noting that the use of legitimate software by cyber criminals has become a serious problem for enterprises.

“The malicious use of legitimate software is a growing trend we've continued to see in 2025,” he said.

“In this case, threat actors are leveraging legitimate Zoom and Calendly links to bypass security controls. As trusted domains, their use in this attack makes it more difficult to detect and block."

Analysis from Mimecast earlier this year highlighted the growing threat posed by cyber criminals using legitimate services in attack chains. In its most recent threat intelligence report, the firm flagged more than 5 billion threats in the second half of 2024 alone, with ‘living off trusted services’ (LOTS) attacks a key cause for concern.

Also known as malware-free attacks, this approach is useful in helping cyber criminals circumvent authentication practices at target organizations, the study noted.

MORE FROM ITPRO

• Infostealer malware: What’s the threat to businesses?
• Forget MFA fatigue, attackers are exploiting ‘click tolerance’ to trick users into infecting themselves with malware
• Zoom-themed cyber attacks fuel rapid malware growth