Hackers are using Zoom’s remote control feature to infect devices with malware
The Zoom feature could let threat actors install malware or exfiltrate data


Security experts have issued an alert over a new social engineering campaign using Zoom’s remote control features to take over victim devices.
In a report from Trail of Bits, researchers attributed the campaign to a cyber criminal group known as ‘Elusive Comet’, which attempted to target the company’s CEO on social media.
The campaign in question centers around abusing the video conferencing software’s remote control feature, which allows participants to take control of another user’s computer.
In a blog post detailing the CEO’s exchange with the group, the firm said the attack started with an invitation to appear on ‘Bloomberg Crypto’ as part of an interview.
These invitations were sent via social media or email, using phony email addresses mimicking official Bloomberg accounts belonging to journalists. Notably, the company said, invitations were sent via Calendly links, which are intended to lure the victim under the guise of authenticity.
“Two separate Twitter accounts approached our CEO with invitations to participate in a “Bloomberg Crypto” series—a scenario that immediately raised red flags,” the firm said in a blog post.
“The attackers refused to communicate via email and directed scheduling through Calendly pages that clearly weren’t official Bloomberg properties. These operational anomalies, rather than technical indicators, revealed the attack for what it was.”
Trail of Bits identified a number of accounts linked to the campaign and warned organizations to update monitoring systems to include these new indicators.
These included:
- X: @KOanhHa
- X: @EditorStacy
- Email: bloombergconferences[@]gmail.com
- Zoom URL: https://us06web[.]zoom[.]us/j/84525670750
- Calendly URL: calendly[.]com/bloombergseries
- Calendly URL: calendly[.]com/cryptobloomberg
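
One way to fold these indicators into monitoring, shown as an added example (not code from Trail of Bits or ITPro): it refangs the list above and matches it against log text, ignoring scheme, query string and letter case. The log lines, the function names and the `x.com`/`twitter.com` profile-URL form for handles are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as the article lists them (defanged).
DEFANGED_IOCS = [
    "X: @KOanhHa",
    "X: @EditorStacy",
    "Email: bloombergconferences[@]gmail.com",
    "Zoom URL: https://us06web[.]zoom[.]us/j/84525670750",
    "Calendly URL: calendly[.]com/bloombergseries",
    "Calendly URL: calendly[.]com/cryptobloomberg",
]

def refang(text):
    """Undo [.] and [@] defanging so the value matches raw log text."""
    return text.replace("[.]", ".").replace("[@]", "@")

def build_matchers(ioc_lines):
    """Turn 'Type: value' lines into (label, compiled regex) pairs."""
    matchers = []
    for line in ioc_lines:
        kind, value = refang(line).split(": ", 1)
        core = r"(?<![\w-])" + re.escape(value)  # default: literal (email)
        if kind == "X":
            # A handle can appear as @name or inside a profile URL.
            core = r"(?:@|(?:x|twitter)\.com/)" + re.escape(value.lstrip("@"))
        elif kind.endswith("URL"):
            # Compare host + path only: scheme and query string vary in logs.
            parts = urlsplit(value if "://" in value else "//" + value)
            core = r"(?<![\w-])" + re.escape(parts.netloc + parts.path.rstrip("/"))
        # Trailing guard: no match inside a longer ID, path segment or handle.
        matchers.append((line, re.compile(core + r"(?![\w-])", re.IGNORECASE)))
    return matchers

def scan(log_lines, matchers):
    # Returns (line_number, indicator_label) for each indicator seen.
    return [(n, label) for n, entry in enumerate(log_lines, 1)
            for label, pattern in matchers if pattern.search(entry)]

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "09:00:01 proxy GET https://calendly.com/bloombergseries/30min user=alice",
    "09:02:17 mail from=<BloombergConferences@gmail.com> to=<ceo@example.com>",
    "09:05:40 proxy GET https://us06web.zoom.us/j/84525670750?pwd=EXAMPLE user=alice",
    "09:06:02 proxy GET https://us06web.zoom.us/j/845256707501 user=bob",
    "09:07:13 proxy GET https://x.com/editorstacy user=alice",
]

if __name__ == "__main__":
    for line_no, label in scan(SAMPLE_LOG, build_matchers(DEFANGED_IOCS)):
        print(f"log line {line_no}: matched {label}")
```

The fourth sample line is a different meeting ID that merely starts with the listed one, so the trailing guard keeps it from being flagged.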
Zoom attack relies on user trust
Trail of Bits warned that with the campaign relying on a feature in a legitimate service, it could pose a serious risk to unwitting users.
Once the victim joins a call, the threat actors change their display names to ‘Zoom’ to make the remote control request “appear as a system notification”. If granted access, the attacker can assume control of the victim’s device to install malware, exfiltrate data, or steal cryptocurrency.
“What makes this attack particularly dangerous is the permission dialog’s similarity to other harmless Zoom notifications,” the firm said. “Users habituated to clicking “Approve” on Zoom prompts may grant complete control of their computer without realizing the implications.”
Max Gannon, Intelligence Manager at Cofense, echoed Trail of Bits’ comments on the campaign, noting that the use of legitimate software by cyber criminals has become a serious problem for enterprises.
“The malicious use of legitimate software is a growing trend we've continued to see in 2025,” he said.
“In this case, threat actors are leveraging legitimate Zoom and Calendly links to bypass security controls. As trusted domains, their use in this attack makes it more difficult to detect and block.”
Analysis from Mimecast earlier this year highlighted the growing threat posed by cyber criminals using legitimate services in attack chains. In its most recent threat intelligence report, the firm flagged more than 5 billion threats in the second half of 2024 alone, with ‘living off trusted services’ (LOTS) attacks a key cause for concern.
Also known as malware-free attacks, this approach is useful in helping cyber criminals circumvent authentication practices at target organizations, the study noted.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.