Security experts have issued an alert over a new social engineering campaign using Zoom’s remote control features to take over victim devices.
In a report from Trail of Bits, researchers attributed the campaign to a cyber criminal group known as ‘Elusive Comet’, which attempted to target the company’s CEO on social media.
The campaign in question centers around abusing the video conferencing software’s remote control feature, which allows participants to take control of another users’ computer.
In a blog post detailing the CEO’s exchange with the group, the firm said the attack started with an invitation to appear on ‘Bloomberg Crypto’ as part of an interview.
These invitations were sent via social media or email, using phony email addresses mimicking official Bloomberg accounts belonging to journalists. Notably, invitations were sent via Calendly links, the company said, which are intended to lure the victim under the guise of authenticity.
“Two separate Twitter accounts approached our CEO with invitations to participate in a “Bloomberg Crypto” series—a scenario that immediately raised red flags,” the firm said in a blog post.
“The attackers refused to communicate via email and directed scheduling through Calendly pages that clearly weren’t official Bloomberg properties. These operational anomalies, rather than technical indicators, revealed the attack for what it was.”
Trail of Bits identified a number of accounts linked to the campaign and warned organizations to update monitoring systems to include these new indicators.
These included:
- X: @KOanhHa
- X: @EditorStacy
- Email: bloombergconferences[@]gmail.com
- Zoom URL: https://us06web[.]zoom[.]us/j/84525670750
- Calendly URL: calendly[.]com/bloombergseries
- Calendly URL: calendly[.]com/cryptobloomberg
Zoom attack relies on user trust
Trail of Bits warned that with the campaign relying on a feature in a legitimate service, it could pose a serious risk to unwitting users.
Upon entering a call with the threat actors, they change display names to ‘Zoom’ to make the request “appear as a system notification”. If granted access, the attacker can assume control of the victim’s device to install malware, exfiltrate data, or steal cryptocurrency.
“What makes this attack particularly dangerous is the permission dialog’s similarity to other harmless Zoom notifications,” the firm said. “Users habituated to clicking “Approve” on Zoom prompts may grant complete control of their computer without realizing the implications.”
Max Gannon, Intelligence Manager at Cofense, echoed Trail of Bits’ comments on the campaign, noting that the use of legitimate software by cyber criminals has become a serious problem for enterprises.
“The malicious use of legitimate software is a growing trend we've continued to see in 2025,” he said.
“In this case, threat actors are leveraging legitimate Zoom and Calendly links to bypass security controls. As trusted domains, their use in this attack makes it more difficult to detect and block."
Analysis from Mimecast earlier this year highlighted the growing threat posed by cyber criminals using legitimate services in attack chains. In its most recent threat intelligence report, the firm flagged more than 5 billion threats in the second half of 2024 alone, with ‘living off trusted services’ (LOTS) attacks a key cause for concern.
Also known as malware-free attacks, this approach is useful in helping cyber criminals circumvent authentication practices at target organizations, the study noted.
MORE FROM ITPRO
- Infostealer malware: What’s the threat to businesses?
- Forget MFA fatigue, attackers are exploiting ‘click tolerance’ to trick users into infecting themselves with malware
- Zoom-themed cyber attacks fuel rapid malware growth
-
RSAC Conference 2025: The front line of cyber innovationITPro Podcast Ransomware, quantum computing, and an unsurprising focus on AI were highlights of this year's event
-
Anthropic CEO Dario Amodei thinks we're burying our heads in the sand on AI job lossesNews With AI set to hit entry-level jobs especially, some industry execs say clear warning signs are being ignored
-
OpenAI is clamping down on ChatGPT accounts used to spread malwareNews Tools like ChatGPT are being used by threat actors to automate and amplify campaigns
-
It's been a bad week for ransomware operatorsNews A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
The FBI says hackers are using AI voice clones to impersonate US government officialsNews The campaign uses AI voice generation to send messages pretending to be from high-ranking figures
-
Employee phishing training is working – but don’t get complacentNews Educating staff on how to avoid phishing attacks can cut the rate by 80%
-
Russian hackers tried to lure diplomats with wine tasting – sound familiar? It’s an update to a previous campaign by the notorious Midnight Blizzard groupNews The Midnight Blizzard threat group has been targeting European diplomats with malicious emails offering an invite to wine tasting events, according to Check Point.
-
This hacker group is posing as IT helpdesk workers to target enterprises – and researchers warn its social engineering techniques are exceptionally hard to spotNews The Luna Moth hacker group is ramping up attacks on firms across a range of industries with its 'callback phishing' campaign, according to security researchers.
-
State-sponsored cyber groups are flocking to the 'ClickFix' social engineering techniqueNews State-sponsored hackers from North Korea, Iran, and Russia are exploiting the ‘ClickFix’ social engineering technique for the first time – and to great success.
-
Hackers are duping developers with malware-laden coding challengesNews A North Korean state-sponsored group has been targeting crypto developers through fake coding challenges given as part of the recruitment process.
