A deceptive website masquerading as a Zoom meeting platform has been discovered to be surreptitiously installing surveillance software on Windows devices. Users who believe they are joining a video call are instead met with a convincing replica of a Zoom interface, which initiates an automatic download of malicious software without any user consent.
The software in question is a covert version of Teramind, a commercial monitoring tool utilized by companies to track employee activities on work computers. In this particular scheme, it is being stealthily deployed onto the devices of unsuspecting individuals who thought they were simply participating in a meeting.
You clicked a Zoom link but there was no meeting
The operation commences at the URL uswebzoomus[.]com/zoom/, which presents itself as a Zoom waiting room. Upon loading, the site discreetly notifies the attackers of the visitor’s presence.
Three scripted participants—“Matthew Karlsson,” “James Whitmore,” and “Sarah Chen”—are designed to join the call sequentially, each accompanied by a realistic Zoom join chime. A looped audio conversation plays in the background, enhancing the illusion of a genuine meeting.
If a visitor does not interact with the page, the audio and meeting sequence remain dormant. This clever tactic allows automated security tools to scan the page without detecting any anomalies.
A persistent “Network Issue” warning overlays the main video tile, a deliberate feature of the site. The glitchy audio and lagging video serve a psychological purpose; visitors experiencing a faulty call are likely to believe there is an issue with the application. Consequently, when an “Update Available” prompt appears shortly after, it seems like a timely solution.
The countdown nobody asked for
Just ten seconds after the meeting screen loads, a pop-up emerges, declaring: “Update Available — A new version is available for download.” With a spinner in motion and a countdown from five to zero, there is no option to close the window.
Having already endured a frustrating call, the visitor is primed to accept the software update as a remedy. When the countdown reaches zero, the browser is instructed to download a file silently. Simultaneously, the page transitions to a display resembling the Microsoft Store, showing “Zoom Workplace” mid-installation. While the visitor observes what appears to be a legitimate installation, the actual malicious installer has already been downloaded without consent.
A Zoom update with Teramind inside
The downloaded file is named zoomagentx64s-i(_941afee582cc71135202939296679e229dd7cced) (1).msi, adhering to the standard Windows installer format. Its unique digital fingerprint is 644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa.
The filename itself reveals much: the string s-i() indicates Teramind’s stealth instance installer, with the accompanying hash identifying the specific attacker-controlled Teramind account to which the agent will report.
Security analysis of the file has uncovered two significant pieces of information embedded within: Agent version 26.3.3403 and a field labeled Server IP or host name. These details confirm that the installer is preconfigured to connect to an attacker-controlled Teramind server.
Built to be invisible
Within the internal files of the installer, remnants from the development process reveal a folder named out_stealth. This is intentional, as Teramind offers a dedicated “stealth mode” deployment option, ensuring the agent operates without a visible presence—no taskbar icon, no system tray entry, and no trace in the list of installed programs.
This version of the Windows agent defaults to naming the agent binary dwm.exe and installs it under a ProgramData\{GUID} directory. Such behavior is documented by the vendor and can be modified using the TMAGENTEXE installer parameter.
During installation, the software assembles itself in stages, unpacking several Teramind components into temporary directories. These intermediate files lack individual signatures, which can sometimes trigger security tools during analysis. The installation process first checks for existing Teramind installations, then collects the computer’s name, current user account, keyboard language, and system locale—information necessary for identifying the device and reporting activity back to the attacker.
Designed to evade analysis, the installer incorporates runtime flags that detect debug and environment conditions. It is programmed to alter its behavior when it identifies that it is running in a controlled environment, such as a sandbox.
Upon completion of the installation, the installer deletes its temporary files and staging folders, leaving minimal traces behind. However, the monitoring agent continues to operate in the background.
Why Teramind makes this campaign unusually dangerous
Teramind is a legitimate product used by businesses to monitor employees on company-owned devices, logging keystrokes, taking screenshots, tracking website visits, and more. While this is legal in a corporate context where employees are informed, the same capabilities installed covertly on personal devices cross ethical boundaries.
The attackers have not created custom malware; instead, they have deployed a professionally developed commercial product designed for reliability and persistence. This makes it more resilient than many traditional malware variants.
Because the files are associated with legitimate software, standard antivirus tools that only identify known malicious code may not flag them. Context is crucial—when monitoring software is installed without consent, it becomes what is often referred to as stalkerware.
What to do if you may have been affected
If you have visited uswebzoomus[.]com/zoom/ and a file with the aforementioned name was downloaded:
- Do not open the file.
If you have already executed it, treat your device as compromised.
To check for the installation folder:
- Open File Explorer.
- Navigate to C:\ProgramData.
- Look for a folder named {4CEC2908-5CE4-48F0-A717-8FC833D8017A}.
Note that ProgramData is hidden by default. In File Explorer, select View and enable “Hidden items.”
To check whether the service is running:
- Open Command Prompt as an administrator.
- Type: sc query tsvchst.
- Press Enter.
If it shows STATE: 4 RUNNING, the agent is active. If the service does not exist, the agent was not installed with the default configuration (which includes this service name); a customized installation cannot be ruled out by this check alone.
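The two checks above, together with the filename and hash indicators from the "A Zoom update with Teramind inside" section, can be scripted. The following is an added example written for this article, not code from the original report or from Teramind: it matches a downloaded file against the published SHA-256 and against the Teramind instance ID carried in the installer's filename, and interprets the output of sc query tsvchst. The s-i(_<id>) pattern is generalised from the single filename the article shows, and the two sample sc outputs are constructed to follow sc.exe's usual layout (they are not captured from an infected host). The folder and service lookups only run on Windows; the file checks also work on an analyst workstation.

```python
"""Triage helper for the fake-Zoom / Teramind stealth-installer case (added example)."""
import hashlib
import os
import re
import subprocess
import sys

# Indicators taken from the article's IOC section and host-check steps.
IOC_SHA256 = "644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa"
IOC_INSTANCE_ID = "941afee582cc71135202939296679e229dd7cced"
AGENT_FOLDER = r"C:\ProgramData\{4CEC2908-5CE4-48F0-A717-8FC833D8017A}"
SERVICE_NAME = "tsvchst"

# Assumption generalised from the article's one filename: a Teramind stealth
# instance installer carries "s-i(_<40 hex chars>)", the account instance ID.
INSTANCE_RE = re.compile(r"s-i\(_([0-9a-f]{40})\)", re.IGNORECASE)

# Constructed samples of `sc query` output, modelled on sc.exe's usual layout.
SAMPLE_SC_RUNNING = """
SERVICE_NAME: tsvchst
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
"""
SAMPLE_SC_MISSING = (
    "[SC] EnumQueryServicesStatus:OpenService FAILED 1060:\n\n"
    "The specified service does not exist as an installed service.\n"
)
SC_STATE_RE = re.compile(r"^\s*STATE\s*:\s*(\d+)\s+([A-Z_]+)", re.MULTILINE)


def parse_instance_id(filename: str):
    """Return the Teramind instance ID embedded in an installer filename, or None."""
    m = INSTANCE_RE.search(os.path.basename(filename))
    return m.group(1).lower() if m else None


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_download(filename: str, data: bytes) -> dict:
    """Match a downloaded file against the IOCs; returns per-indicator verdicts."""
    instance = parse_instance_id(filename)
    digest = sha256_of_bytes(data)
    return {
        "instance_id": instance,
        "instance_match": instance == IOC_INSTANCE_ID,
        "sha256": digest,
        "hash_match": digest == IOC_SHA256,
        # A stealth-instance installer is worth escalating even if the
        # account ID differs from the one in this campaign.
        "stealth_installer": instance is not None,
    }


def parse_sc_query(output: str):
    """Return the STATE word from `sc query` output ("RUNNING", "STOPPED", ...),
    or None when sc reports error 1060 (service does not exist)."""
    m = SC_STATE_RE.search(output)
    if m:
        return m.group(2)
    if "1060" in output or "does not exist" in output:
        return None
    raise ValueError("unrecognised sc query output")


def check_host() -> dict:
    """Run the article's two manual checks (folder and service) on a Windows host."""
    if not sys.platform.startswith("win"):
        return {"supported": False}
    proc = subprocess.run(["sc", "query", SERVICE_NAME], capture_output=True, text=True)
    state = parse_sc_query(proc.stdout + proc.stderr)
    return {
        "supported": True,
        "folder_present": os.path.isdir(AGENT_FOLDER),
        "service_state": state,
        "agent_active": state == "RUNNING",
    }


if __name__ == "__main__":
    # Usage: python triage.py <downloaded file> ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, classify_download(path, f.read()))
    print(check_host())
```

A hash match identifies this exact installer; an instance-ID match identifies any build for the same attacker-controlled account, which is the more durable indicator if the file is rebuilt. As the article notes, a missing service only rules out the default configuration, so treat folder_present and service_state as independent signals.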
Change passwords for important accounts—email, banking, and work—from a different, clean device.
If this incident occurred on a work computer, it is advisable to contact your IT or security team immediately.
To prevent similar attacks in the future:
- Open Zoom directly from the app on your device.
- Type zoom.us into your browser rather than clicking on unexpected links.
- Exercise caution with meeting links that you did not specifically expect.
Indicators of Compromise (IOCs)
File Hashes (SHA-256)
644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa
Domains
uswebzoomus[.]com
Teramind Instance ID
941afee582cc71135202939296679e229dd7cced