Phishing Campaigns Abuse Legitimate Monitoring and Remote-Access Tools for Stealthy Takeover
Security researchers reported multiple phishing campaigns that impersonate trusted brands to trick users into installing legitimate enterprise software repurposed for surveillance and remote control. One campaign uses fake Zoom and Google Meet “meeting room” pages that simulate a waiting room experience (participant names, audio cues, and a persistent “network issue” message) and then pressure victims with a forced “update required” download via a countdown timer. After execution, a modified Teramind agent is installed in stealth mode (no visible icons/notifications), enabling extensive monitoring such as keystroke capture, screenshots, browsing history, and clipboard collection.
A separate campaign targets cryptocurrency users by impersonating the Yoroi Desktop Wallet and advertising a “security upgrade” via a polished landing page hosted on a recently registered domain (hxxps://download[.]v1desktop-yoroiwallet[.]com/). The download chain redirects to a file-sharing service and delivers an MSI (YoroiDesktop-installer.msi) that does not install a wallet; instead it installs GoTo Resolve (LogMeIn) in unattended mode for silent remote access. Reported artifacts include YoroiDesktop-installer.msi (hash 8634AD3C6488D6A27719C5341E91EEB9) and unattended-updater.exe (hash 2A2D9B03AA6185F434568F5F4C42BF49), along with configuration values indicating enrollment into a preconfigured remote-access fleet (e.g., CompanyId: 5504330483880245799, FleetTemplateName: syn-prd-ava-unattended).
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Sublime reports fake interactive Zoom call delivering ScreenConnect
Sublime disclosed a Zoom-themed phishing campaign in which victims received fake meeting invitations and were led through a realistic spoofed Zoom experience ending in a bogus update download. The MSI installer deployed a legitimate ScreenConnect instance configured for attacker access, providing remote control of the victim device.
Researchers document Zoom and Google Meet phishing using Teramind
Security researchers reported a phishing campaign impersonating Zoom and Google Meet meeting pages on Windows systems. The fake meeting sites pushed a modified Teramind monitoring agent disguised as a required update, enabling stealthy surveillance through attacker-controlled infrastructure.
Yoroi wallet phishing campaign deploys GoTo Resolve and ScreenConnect
Attackers launched a phishing campaign impersonating the Yoroi Desktop Wallet and directing victims to lookalike domains offering a fake wallet "upgrade." The downloaded MSI installers instead deployed legitimate remote management tools, including GoTo Resolve in unattended mode and a ScreenConnect-based payload, to give attackers persistent remote access.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
New Fake Zoom Meeting Invite Scam Spreads Malware on Windows PCs
hackread.com
Open sourceFake interactive Zoom call leads to malicious ScreenConnect download | news | SC Media
scworld.com
Open sourcePhishing Pages for Zoom and Google Meet Install Teramind Monitoring Tool
hackread.com
Open sourceYoroi Wallet Phishing Abuses GoTo Resolve and ScreenConnect for Device Takeover - Malware Analysis, Phishing, and Email Scams
malwr-analysis.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing and software impersonation campaigns delivering malware via trusted services
Microsoft reported ongoing **OAuth abuse** campaigns targeting government and public-sector organizations, where phishing emails lure users into clicking links that leverage legitimate identity-provider redirect behavior (e.g., **Microsoft Entra ID** and other OAuth providers) to send victims to attacker-controlled pages for malware delivery and potential device takeover. Lures included e-signature requests, Teams meeting recordings, Microsoft 365 password resets, and political themes; Microsoft said it disabled identified malicious OAuth applications but warned related activity persists and requires continued monitoring. Separately, researchers described multiple **deception-based malware delivery** operations that rely on impersonation of trusted brands and software rather than exploiting product vulnerabilities. One campaign spoofed **Zoom** and **Google Meet** to install the legitimate *Teramind* monitoring agent for covert surveillance, using fake landing pages and a Microsoft Store lookalike, persistence via services (including `tsvchst` and `pmon`), and traffic masking via built-in SOCKS5 proxy support; defenders were advised to check for related drivers (e.g., `tm_filter.sys`, `tmfsdrv2.sys`) and artifacts under *ProgramData*. Another campaign used a lookalike domain (`filezilla-project[.]live`) to distribute a trojanized portable **FileZilla 3.69.5** bundle that adds a malicious DLL for DLL search-order hijacking, enabling credential theft (including saved FTP credentials) and C2 activity—highlighting a broader trend of **trusted software impersonation** and search/SEO poisoning as an initial access vector.
Mar 21, 2026
Phishing Campaigns Weaponize Legitimate RMM Tools for Remote Access and Credential Theft
Threat researchers reported multiple phishing-driven intrusions in which attackers impersonate trusted brands and agencies to trick victims into installing legitimate remote monitoring and management (RMM) software for persistent access. In **Operation DoppelBrand**, financially motivated actor **GS7** spoofed Fortune 500 financial and technology brands (including **Wells Fargo** and **USAA**) using more than **150** lookalike domains to harvest credentials and exfiltrate data via attacker-controlled **Telegram bots**; researchers also identified nearly **200** additional domains with short registration terms, automated SSL, wildcard DNS, and brand-specific subdomains supporting the campaign. Separately, Forcepoint X-Labs described a wave of emails impersonating the **U.S. Social Security Administration** that delivers an attached `.cmd` script to weaken Windows defenses and enable silent installation of **ConnectWise ScreenConnect**. The script checks/elevates privileges, disables **Windows SmartScreen** via registry changes, removes **Mark-of-the-Web**, and uses **Alternate Data Streams (ADS)** for stealth before installing an MSI and configuring ScreenConnect (via `System.config`) to beacon to an attacker-controlled server (reported as `dof-connecttop` on port `8041`). Both activity sets highlight a recurring tradecraft pattern: **brand impersonation + scripted defense evasion + abuse of legitimate RMM tooling** (e.g., *LogMeIn Resolve*, *ScreenConnect*) to gain remote control and facilitate follow-on theft or persistence.
Mar 21, 2026
Phishing Campaigns Delivering Malware via Disguised, Signed Installers and Malicious Attachments
Security researchers reported active phishing activity targeting enterprise users by impersonating routine workplace workflows (e.g., meeting invites, invoices, and document notifications) to trick recipients into running malware. One campaign used executables masquerading as *Microsoft Teams*, *Zoom*, and *Adobe Acrobat Reader* installers (e.g., `msteams.exe`, `zoomworkspace.clientsetup.exe`, `adobereader.exe`, `invite.exe`) that appeared trustworthy because they were **digitally signed** with an Extended Validation (EV) certificate issued to **TrustConnect Software PTY LTD**. Microsoft Defender telemetry attributed the activity to an unknown threat actor and assessed the approach as a deliberate, multi-wave effort designed to bypass user suspicion and basic security controls. After execution, the signed malware deployed **remote monitoring and management (RMM)** tooling—reported examples include **ScreenConnect**, **Tactical RMM**, and **Mesh Agent**—to establish persistent remote access and enable follow-on actions across affected environments. Separately, reporting also highlighted phishing lures distributing **malicious ISO attachments** embedded in job application/resumé-themed emails, reinforcing that attackers continue to rely on socially engineered business processes (recruiting and HR workflows in particular) to deliver initial payloads and gain a foothold.
Mar 21, 2026