{"id":12272,"date":"2026-02-28T23:31:31","date_gmt":"2026-02-28T23:31:31","guid":{"rendered":"https:\/\/techtrendfeed.com\/?p=12272"},"modified":"2026-02-28T23:31:31","modified_gmt":"2026-02-28T23:31:31","slug":"pretend-zoom-and-google-meet-phishing-campaigns-deploy-teramind-surveillance-software-program","status":"publish","type":"post","link":"https:\/\/techtrendfeed.com\/?p=12272","title":{"rendered":"Pretend Zoom and Google Meet Phishing Campaigns Deploy Teramind Surveillance Software program"},"content":{"rendered":"


\n<\/p>\n

\n

Menace actors are executing subtle phishing campaigns that impersonate Zoom and Google Meet to silently deploy Teramind onto Home windows units<\/a>. <\/p>\n

Whereas Teramind is a professional enterprise endpoint monitoring product, scammers are abusing its stealth options to conduct unauthorized surveillance.<\/p>\n

The An infection Chain and Supply Mechanism<\/strong><\/h2>\n

The assault depends on fabricated touchdown pages that mimic official video communication instruments. A now-defunct Zoom marketing campaign utilized the area\u00a0uswebzoomus[.]com<\/code>, whereas an lively Google Meet variant operates from\u00a0googlemeetinterview[.]click on<\/code>. <\/p>\n

The lively web site shows a <\/a>faux Microsoft Retailer web page<\/a>, quietly putting in a malicious MSI installer on the sufferer\u2019s gadget whereas displaying a faux obtain button.\u200b<\/p>\n

Curiously, the attackers use an unmodified Teramind binary. The installer depends on a built-in .NET customized motion referred to as\u00a0ReadPropertiesFromMsiName<\/code>. <\/p>\n

By embedding a 40-character hex string within the filename, the installer extracts the attacker\u2019s particular occasion ID. <\/p>\n

This intelligent method permits a single binary to serve a number of risk actor accounts just by altering the filename.\u200b<\/p>\n

As soon as executed, the installer runs a pre-flight connectivity verify, termed\u00a0CheckHosts<\/code>, towards the hardcoded Command and Management (C2) server<\/a>,\u00a0rt.teramind.co<\/code>. If the machine can not attain the server, the set up course of aborts.\u200b<\/p>\n

If the connection is profitable, the software program installs in \u201cHidden Agent\u201d mode (TMSTEALTH = 1<\/code>). <\/p>\n

Based on Malwarebytes<\/a>, this stealth deployment hides all taskbar icons and program record entries, leaving the sufferer with no visible indication of the continued surveillance. <\/p>\n

Moreover, the MSI exposes built-in SOCKS5 proxy help, which may enable attackers to disguise C2 site visitors to evade network-level detection.<\/p>\n

To keep up persistence, the marketing campaign deploys two extremely resilient companies that robotically restart if terminated.\u200b<\/p>\n

Malicious Companies Deployed<\/strong><\/p>\n

\n\n\n\n\n\n\n
Service Identify<\/th>\nShow Identify<\/th>\nExecutable<\/th>\nPrivilege Stage<\/th>\n<\/tr>\n<\/thead>\n
tsvchst<\/code><\/td>\nService Host<\/td>\nsvc.exe -service<\/code><\/td>\nLocalSystem<\/td>\n<\/tr>\n
pmon<\/code><\/td>\nEfficiency Monitor<\/td>\npmon.exe<\/code><\/td>\nLocalSystem<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Indicators of Compromise (IOCs)<\/strong><\/h2>\n

Safety groups ought to monitor their networks for the next indicators related to this marketing campaign.\u200b<\/p>\n

\n\n\n\n\n\n\n\n\n\n
Kind<\/th>\nIndicator<\/th>\nDescription<\/th>\n<\/tr>\n<\/thead>\n
SHA-256<\/td>\n644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa<\/code><\/td>\nMalicious MSI Installer<\/td>\n<\/tr>\n
MD5<\/td>\nAD0A22E393E9289DEAC0D8D95D8118B5<\/code><\/td>\nMalicious MSI Installer<\/td>\n<\/tr>\n
Area<\/td>\ngooglemeetinterview[.]click on<\/code><\/td>\nLively Google Meet Lure<\/td>\n<\/tr>\n
Area<\/td>\nuswebzoomus[.]com<\/code><\/td>\nOffline Zoom Lure<\/td>\n<\/tr>\n
C2 Server<\/td>\nrt.teramind.co<\/code><\/td>\nDefault C2 Callback<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Defenders can establish compromised units by trying to find the\u00a0ProgramData<\/code>\u00a0listing GUID\u00a0{4CEC2908-5CE4-48F0-A717-8FC833D8017A}<\/code>. <\/p>\n

Moreover, safety groups ought to alert on the\u00a0tsvchst<\/code>\u00a0and\u00a0pmon<\/code>\u00a0companies working on non-corporate machines, or the surprising loading of the\u00a0tm_filter.sys<\/code>\u00a0and\u00a0tmfsdrv2.sys<\/code>\u00a0kernel drivers.\u200b<\/p>\n

Organizations ought to proactively block MSI executions from person obtain directories and implement browser insurance policies <\/a>that warn towards unrecognized domains. <\/p>\n

To take away the unauthorized software program, directors should run\u00a0msiexec \/x {4600BEDB-F484-411C-9861-1B4DD6070A23} \/qb<\/code>, manually delete the related\u00a0ProgramData<\/code>\u00a0listing, and reboot the system to completely unload the kernel drivers from reminiscence.<\/p>\n

Observe us on\u00a0Google Information<\/a>,\u00a0LinkedIn<\/a>, and\u00a0X<\/a>\u00a0to Get Instantaneous Updates and Set GBH as a Most popular Supply in\u00a0Google<\/a>.<\/strong><\/p>\n

\u200b<\/p>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"

Menace actors are executing subtle phishing campaigns that impersonate Zoom and Google Meet to silently deploy Teramind onto Home windows units. Whereas Teramind is a professional enterprise endpoint monitoring product, scammers are abusing its stealth options to conduct unauthorized surveillance. The An infection Chain and Supply Mechanism The assault depends on fabricated touchdown pages that […]<\/p>\n","protected":false},"author":2,"featured_media":12274,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[3995,2309,67,81,2072,261,802,3868,8032,6129],"class_list":["post-12272","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-campaigns","tag-deploy","tag-fake","tag-google","tag-meet","tag-phishing","tag-software","tag-surveillance","tag-teramind","tag-zoom"],"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/12272","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=12272"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/12272\/revisions"}],"predecessor-version":[{"id":12273,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/12272\/revisions\/12273"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/12274"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=12272"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=12272"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=12272"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}