Impersonated Zoom & Google Meet Phishing Campaigns Deploy Stealthy Surveillance Software
March 6th, 2026
High

Our Cyber Threat Intelligence Unit is monitoring a widespread phishing campaign that uses spoofed invitations to virtual meetings on popular platforms such as Zoom and Google Meet. First observed in early 2026, the campaign sends deceptive meeting invitations containing malicious links that redirect victims to lookalike login pages or payload delivery websites. It is notable for delivering Teramind, a legitimate employee-monitoring product that the attackers abuse to capture credentials and maintain persistence. These incidents highlight an ongoing risk: social engineering combined with misused legitimate software yields persistent access that goes well beyond typical credential theft. Because Zoom and Google Meet are widely used for enterprise communications, users are more likely to trust such invitations, increasing the risk of credential compromise and malware infection. Organizations should prioritize awareness, detection, and response mechanisms to mitigate the impact.
Technical Details
Severity: High
Threat Type: Phishing, Credential Harvesting / Malware Deployment
Delivery Methods Observed: Fake meeting links, HTML redirectors, scripted payload execution
Malware Observed: Teramind (legitimate monitoring software misused)
Attack Vector:
Phishing Emails: Threat actors send spoofed meeting invites appearing to originate from trusted calendars or services (Zoom/Google).
URL Redirection: Embedded URLs redirect to attacker-controlled domains with login harvesters or malware download triggers.
Exploitation Mechanics:
The initial lure entices recipients to click meeting links that:
Redirect to lookalike login pages or fake update/software download prompts that capture credentials.
Trigger a staged download of a payload disguised as a meeting component (for example, a meeting update installer).
Payloads subsequently install Teramind or related monitoring software to:
Capture keystrokes
Monitor sessions
Exfiltrate credentials to attacker infrastructure
Post-Compromise Actions:
Credential Abuse: Harvested credentials are used for unauthorized access to corporate resources.
Persistence: Installed monitoring software may persist beyond initial execution and evade simple removal.
Lateral Movement: Access gained through legitimate session tokens or credentials can enable pivoting into internal systems.

Impact
Credential Exposure: Stolen usernames and passwords can facilitate account takeover across email, cloud services, and internal portals.
Unauthorized Access: Compromised credentials allow attackers to infiltrate corporate networks and sensitive systems.
Monitoring Software Abuse: Installation of Teramind or similar tools can enable prolonged surveillance of infected hosts.
Persistent Malware: Malware may resist removal and provide ongoing access, complicating incident response.
Operational Disruption: Incident recovery efforts may require credential resets, account audits, and endpoint remediation.
Reputation & Compliance: Credential breaches may result in regulatory scrutiny, customer trust erosion, and legal obligations.
Detection Method
Alert on inbound emails containing:
Meeting platform keywords (e.g., “Zoom”, “Google Meet”) where the sending domain or link domain does not match the platform's legitimate domains (e.g., zoom.us, meet.google.com).
Unverified domains that mimic legitimate services via slight character substitutions or added words.
Detect URLs with:
Redirect chains that terminate on non-legitimate hosts
Query-string parameters that pre-fill the victim's email address or forward to a credential-harvesting page
Monitor for access to suspicious meeting domains impersonating video conferencing services.
Detect execution of unexpected MSI installers associated with meeting updates or conferencing applications.
Investigate systems for unusual installation of monitoring agents or unauthorized endpoint management tools.
Analyze network traffic for outbound connections to monitoring infrastructure such as rt.teramind.co.
Check Windows services for newly installed, unrecognized monitoring services, including those configured to run hidden from the logged-on user.
Review endpoint logs for unexpected application downloads triggered from meeting invitation links.
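As an added example that is not part of the original advisory, the following Python script applies the detection checks above to constructed sample events: it flags meeting-keyword hosts that are not the real Zoom or Google Meet domains, matches the two phishing domains from the IOC table, unwraps redirect parameters and pre-filled victim identities in query strings, flags msiexec installs of meeting-themed packages from user-writable paths, and flags outbound connections to rt.teramind.co. The event format, the field names, and all sample events are assumptions made for the example; only the two IOC domains and rt.teramind.co come from the advisory text.

```python
import re
from urllib.parse import urlparse, parse_qs

# Hosts the lures imitate (real Zoom / Google Meet domains); subdomains allowed.
LEGIT_MEETING_HOSTS = ("zoom.us", "meet.google.com")
# Known-bad domains from the advisory's IOC table, with the defanging removed.
IOC_DOMAINS = {"uswebzoomus.com", "googlemeetinterview.click"}
# Keywords that should only appear in hostnames of the legitimate services.
MEETING_KEYWORDS = ("zoom", "meet")
# Outbound host named in the Detection Method section.
MONITORING_HOSTS = {"rt.teramind.co"}
# Words the campaign uses to disguise the installer as a meeting component (assumed).
MSI_LURE_WORDS = ("zoom", "meet", "update", "plugin")
# Query-string keys commonly used for redirects and for pre-filled victim identity (assumed).
REDIRECT_KEYS = ("redirect", "url", "next", "return", "u")
IDENTITY_KEYS = ("email", "login", "user")

def host_matches(host: str, suffixes) -> bool:
    """True if host equals one of the suffixes or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def classify_url(url: str) -> list[str]:
    """Reasons a link looks like a spoofed meeting invite (empty list if clean)."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in IOC_DOMAINS:
        reasons.append("known phishing domain")
    if any(k in host for k in MEETING_KEYWORDS) and not host_matches(host, LEGIT_MEETING_HOSTS):
        reasons.append("meeting keyword on non-legitimate host")
    query = parse_qs(parsed.query)  # percent-decodes the values for us
    for key in REDIRECT_KEYS:
        for target in query.get(key, []):
            if re.match(r"https?://", target, re.I):
                reasons.append(f"redirect to {urlparse(target).hostname}")
                # The final hop's verdict matters more than the tracker in front of it.
                reasons.extend("via redirect: " + r for r in classify_url(target))
    for key in IDENTITY_KEYS:
        if any("@" in v for v in query.get(key, [])):
            reasons.append("pre-filled login identity in query string")
    return reasons

def classify_process(image: str, cmdline: str) -> list[str]:
    """Flag msiexec installing a meeting-themed package from a user-writable path."""
    if not image.lower().endswith("msiexec.exe"):
        return []
    match = re.search(r"(\S+\.msi)", cmdline, re.I)
    if not match:
        return []
    path = match.group(1)
    low = path.lower()
    user_writable = any(p in low for p in ("\\downloads\\", "\\temp\\", "\\appdata\\"))
    filename = low.rsplit("\\", 1)[-1]
    if user_writable and any(w in filename for w in MSI_LURE_WORDS):
        return [f"meeting-themed MSI installed from user-writable path: {path}"]
    return []

def classify_netconn(dest_host: str) -> list[str]:
    """Flag outbound connections to the monitoring infrastructure named above."""
    if host_matches(dest_host, MONITORING_HOSTS):
        return ["outbound connection to monitoring infrastructure: " + dest_host]
    return []

def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run each event through its classifier; return (event index, reasons) for hits."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "url":
            reasons = classify_url(ev["url"])
        elif ev["type"] == "process":
            reasons = classify_process(ev["image"], ev["cmdline"])
        elif ev["type"] == "netconn":
            reasons = classify_netconn(ev["dest_host"])
        else:
            reasons = []
        if reasons:
            hits.append((i, reasons))
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "url", "url": "https://meet.google.com/abc-defg-hij"},
    {"type": "url", "url": "https://googlemeetinterview.click/join?email=jane.doe%40corp.example"},
    {"type": "url", "url": "https://tracker.example/r?u=https%3A%2F%2Fuswebzoomus.com%2Fj%2F98765"},
    {"type": "process", "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Users\\jane\\Downloads\\ZoomMeetingUpdate.msi /qn"},
    {"type": "process", "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\ProgramData\\Corp\\Deploy\\7zip.msi /qn"},
    {"type": "netconn", "dest_host": "rt.teramind.co"},
    {"type": "netconn", "dest_host": "us02web.zoom.us"},
]

if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(reasons))
```

On the sample data this flags events 1, 2, 3 and 5 and leaves the genuine Google Meet link, the corporate 7zip deployment and the real Zoom connection alone. The keyword check is a triage signal rather than a blocking rule: any third-party host containing "meet" or "zoom" will trip it, so pair it with the IOC list and the redirect unwrapping before acting on a hit, and extend LEGIT_MEETING_HOSTS with any regional or vanity domains your tenant legitimately uses.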
Indicators of Compromise
Type | Indicator
SHA-256 Hash | 644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa
MD5 Hash | AD0A22E393E9289DEAC0D8D95D8118B5
Zoom Phishing Domain | uswebzoomus[.]com
Google Meet Phishing Domain | googlemeetinterview[.]click

Recommendations
User Awareness Training: Educate employees to verify meeting links before joining and avoid installing updates from unknown sources.
Email Security Controls: Implement phishing filtering to block suspicious meeting invitation links.
Restrict Software Installation: Enforce application allowlisting to prevent unauthorized MSI installers from executing.
Endpoint Monitoring: Monitor endpoints for unauthorized monitoring tools or suspicious background services.
Network Security Monitoring: Block known malicious domains associated with fake meeting campaigns.
Incident Response Readiness: Conduct security assessments and threat hunting to detect unauthorized monitoring agents within enterprise environments.
Conclusion
The ongoing phishing campaign abusing fake Zoom and Google Meet invitations exemplifies how social engineering continues to be an effective initial access vector, particularly when combined with misused legitimate software like Teramind. Because credential theft and persistence have far-reaching enterprise impact, organizations should prioritize awareness, detection tooling, and rapid response to reduce the risk of compromise and downstream exploitation. Continuous monitoring, layered defenses, and proactive user education are essential to mitigate this evolving threat.
References
https://cyberpress.org/phishing-attacks-impersonate-zoom-and-google-meet/
https://www.malwarebytes.com/blog/threat-intel/2026/02/fake-zoom-and-google-meet-scams-install-teramind-a-technical-deep-dive
https://thearabianpost.com/phishing-scams-abuse-teramind-via-fake-meetings/
https://gbhackers.com/fake-zoom-and-google-meet-phishing-campaigns/