Security experts have issued an alert over a new social engineering campaign using Zoom’s remote control features to take over victim devices.
In a report from Trail of Bits, researchers attributed the campaign to a cyber criminal group known as ‘Elusive Comet’, which attempted to target the company’s CEO on social media.
The campaign in question centers around abusing the video conferencing software’s remote control feature, which allows participants to take control of another users’ computer.
In a blog post detailing the CEO’s exchange with the group, the firm said the attack started with an invitation to appear on ‘Bloomberg Crypto’ as part of an interview.
These invitations were sent via social media or email, using phony email addresses mimicking official Bloomberg accounts belonging to journalists. Notably, invitations were sent via Calendly links, the company said, which are intended to lure the victim under the guise of authenticity.
“Two separate Twitter accounts approached our CEO with invitations to participate in a “Bloomberg Crypto” series—a scenario that immediately raised red flags,” the firm said in a blog post.
“The attackers refused to communicate via email and directed scheduling through Calendly pages that clearly weren’t official Bloomberg properties. These operational anomalies, rather than technical indicators, revealed the attack for what it was.”
Trail of Bits identified a number of accounts linked to the campaign and warned organizations to update monitoring systems to include these new indicators.
These included:
- X: @KOanhHa
- X: @EditorStacy
- Email: bloombergconferences[@]gmail.com
- Zoom URL: https://us06web[.]zoom[.]us/j/84525670750
- Calendly URL: calendly[.]com/bloombergseries
- Calendly URL: calendly[.]com/cryptobloomberg
Zoom attack relies on user trust
Trail of Bits warned that with the campaign relying on a feature in a legitimate service, it could pose a serious risk to unwitting users.
Upon entering a call with the threat actors, they change display names to ‘Zoom’ to make the request “appear as a system notification”. If granted access, the attacker can assume control of the victim’s device to install malware, exfiltrate data, or steal cryptocurrency.
“What makes this attack particularly dangerous is the permission dialog’s similarity to other harmless Zoom notifications,” the firm said. “Users habituated to clicking “Approve” on Zoom prompts may grant complete control of their computer without realizing the implications.”
Max Gannon, Intelligence Manager at Cofense, echoed Trail of Bits’ comments on the campaign, noting that the use of legitimate software by cyber criminals has become a serious problem for enterprises.
“The malicious use of legitimate software is a growing trend we've continued to see in 2025,” he said.
“In this case, threat actors are leveraging legitimate Zoom and Calendly links to bypass security controls. As trusted domains, their use in this attack makes it more difficult to detect and block."
Analysis from Mimecast earlier this year highlighted the growing threat posed by cyber criminals using legitimate services in attack chains. In its most recent threat intelligence report, the firm flagged more than 5 billion threats in the second half of 2024 alone, with ‘living off trusted services’ (LOTS) attacks a key cause for concern.
Also known as malware-free attacks, this approach is useful in helping cyber criminals circumvent authentication practices at target organizations, the study noted.
MORE FROM ITPRO
- Infostealer malware: What’s the threat to businesses?
- Forget MFA fatigue, attackers are exploiting ‘click tolerance’ to trick users into infecting themselves with malware
- Zoom-themed cyber attacks fuel rapid malware growth
-
European financial firms are battling a huge rise in third-party breachesNews Growing vendor dependency has contributed to a marked rise in third-party breaches
-
‘We’ve got some fabulous conditions’: Salesforce UK chief exec Zahra Bahrololoumi touts the country's tech industry potentialNews The UK remains a “priority market” for Salesforce, according to its regional CEO
-
OpenAI is clamping down on ChatGPT accounts used to spread malwareNews Tools like ChatGPT are being used by threat actors to automate and amplify campaigns
-
It's been a bad week for ransomware operatorsNews A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
The FBI says hackers are using AI voice clones to impersonate US government officialsNews The campaign uses AI voice generation to send messages pretending to be from high-ranking figures
-
Employee phishing training is working – but don’t get complacentNews Educating staff on how to avoid phishing attacks can cut the rate by 80%
-
Russian hackers tried to lure diplomats with wine tasting – sound familiar? It’s an update to a previous campaign by the notorious Midnight Blizzard groupNews The Midnight Blizzard threat group has been targeting European diplomats with malicious emails offering an invite to wine tasting events, according to Check Point.
-
This hacker group is posing as IT helpdesk workers to target enterprises – and researchers warn its social engineering techniques are exceptionally hard to spotNews The Luna Moth hacker group is ramping up attacks on firms across a range of industries with its 'callback phishing' campaign, according to security researchers.
-
State-sponsored cyber groups are flocking to the 'ClickFix' social engineering techniqueNews State-sponsored hackers from North Korea, Iran, and Russia are exploiting the ‘ClickFix’ social engineering technique for the first time – and to great success.
-
Hackers are duping developers with malware-laden coding challengesNews A North Korean state-sponsored group has been targeting crypto developers through fake coding challenges given as part of the recruitment process.
