Security experts have issued an alert over a new social engineering campaign using Zoom’s remote control features to take over victim devices.
In a report from Trail of Bits, researchers attributed the campaign to a cyber criminal group known as ‘Elusive Comet’, which attempted to target the company’s CEO on social media.
The campaign in question centers around abusing the video conferencing software’s remote control feature, which allows participants to take control of another users’ computer.
In a blog post detailing the CEO’s exchange with the group, the firm said the attack started with an invitation to appear on ‘Bloomberg Crypto’ as part of an interview.
These invitations were sent via social media or email, using phony email addresses mimicking official Bloomberg accounts belonging to journalists. Notably, invitations were sent via Calendly links, the company said, which are intended to lure the victim under the guise of authenticity.
“Two separate Twitter accounts approached our CEO with invitations to participate in a “Bloomberg Crypto” series—a scenario that immediately raised red flags,” the firm said in a blog post.
“The attackers refused to communicate via email and directed scheduling through Calendly pages that clearly weren’t official Bloomberg properties. These operational anomalies, rather than technical indicators, revealed the attack for what it was.”
Trail of Bits identified a number of accounts linked to the campaign and warned organizations to update monitoring systems to include these new indicators.
These included:
- X: @KOanhHa
- X: @EditorStacy
- Email: bloombergconferences[@]gmail.com
- Zoom URL: https://us06web[.]zoom[.]us/j/84525670750
- Calendly URL: calendly[.]com/bloombergseries
- Calendly URL: calendly[.]com/cryptobloomberg
Zoom attack relies on user trust
Trail of Bits warned that with the campaign relying on a feature in a legitimate service, it could pose a serious risk to unwitting users.
Upon entering a call with the threat actors, they change display names to ‘Zoom’ to make the request “appear as a system notification”. If granted access, the attacker can assume control of the victim’s device to install malware, exfiltrate data, or steal cryptocurrency.
“What makes this attack particularly dangerous is the permission dialog’s similarity to other harmless Zoom notifications,” the firm said. “Users habituated to clicking “Approve” on Zoom prompts may grant complete control of their computer without realizing the implications.”
Max Gannon, Intelligence Manager at Cofense, echoed Trail of Bits’ comments on the campaign, noting that the use of legitimate software by cyber criminals has become a serious problem for enterprises.
“The malicious use of legitimate software is a growing trend we've continued to see in 2025,” he said.
“In this case, threat actors are leveraging legitimate Zoom and Calendly links to bypass security controls. As trusted domains, their use in this attack makes it more difficult to detect and block."
Analysis from Mimecast earlier this year highlighted the growing threat posed by cyber criminals using legitimate services in attack chains. In its most recent threat intelligence report, the firm flagged more than 5 billion threats in the second half of 2024 alone, with ‘living off trusted services’ (LOTS) attacks a key cause for concern.
Also known as malware-free attacks, this approach is useful in helping cyber criminals circumvent authentication practices at target organizations, the study noted.
MORE FROM ITPRO
- Infostealer malware: What’s the threat to businesses?
- Forget MFA fatigue, attackers are exploiting ‘click tolerance’ to trick users into infecting themselves with malware
- Zoom-themed cyber attacks fuel rapid malware growth
-
Manufacturers report millions in losses as downtime wreaks havoc on operationsNews UK manufacturers are losing up to £736 million every week due to downtime, according to new research, with outages lasting for several days on end.
-
Microsoft gives OpenAI restructuring plans the green lightNews The deal removes fundraising constraints and modifies Microsoft's rights to use OpenAI models and products
-
Cisco ASA customers urged to take immediate action as NCSC, CISA issue critical vulnerability warningsNews Cisco customers are urged to upgrade and secure systems immediately
-
Hackers are disguising malware as ChatGPT, Microsoft Office, and Google Drive to dupe workersNews Beware of downloading applications like ChatGPT, Microsoft Office applications, and Google Drive through search engines
-
Cybersecurity experts issue urgent warning amid surge in Stealerium malware attacksNews Proofpoint said Stealerium has flown under the radar for some time now, but researchers have observed a huge spike in activity between May and August this year.
-
Hackers are using AI to dissect threat intelligence reports and ‘vibe code’ malwareNews TrendMicro has called for caution on how much detail is disclosed in security advisories
-
Hackers are abusing ConnectWise ScreenConnect, againNews A new spear phishing campaign has targeted more than 900 organizations with fake invitations from platforms like Zoom and Microsoft Teams.
-
Microsoft quietly launched an AI agent that can detect and reverse engineer malwareNews Researchers say the tool is already achieving the “gold standard” in malware classification
-
The Allianz Life data breach just took a huge turn for the worseNews Around 1.1 million Allianz Life customers are believed to have been impacted in a recent data breach, making up the vast majority of the insurer's North American customers.
-
Malicious URLs overtake email attachments as the biggest malware threatNews With malware threats surging, research from Proofpoint highlights the increasing use of off-the-shelf 'phish kits' like CoGUI and Darcula
