Fake Zoom “Update” Installs Stealth Surveillance Software on Windows PCs Without User Consent

A deceptive website mimicking a real Zoom meeting is being used to install surveillance software on Windows computers without user consent. Victims are tricked into watching what looks like a legitimate meeting, then a bogus “Update Available” prompt triggers an automatic download of a malicious installer.


How the Scam Begins

The scheme starts when someone visits a fraudulent URL — uswebzoomus[.]com/zoom/ — which displays what appears to be a Zoom waiting room. As soon as the page loads, it notifies the attackers that a person has landed there. On the screen, three fake participants (“Matthew Karlsson,” “James Whitmore,” and “Sarah Chen”) seemingly join the call one after another, accompanied by typical Zoom join sounds and looped audio.

The site only advances its script when a visitor interacts with it; automated scanners that load the page without clicking or typing may therefore see nothing suspicious. A permanent “Network Issue” message is shown on the main video — deliberately programmed, not a real failure — to make users think the call is malfunctioning.


The Fake Update Countdown

About ten seconds after the fake meeting screen appears, a popup appears stating, “Update Available — A new version is available for download”. A countdown ticks from five to zero with no option to close it. Since users have already sat through confusing audio and visuals, the update prompt seems like a plausible solution.

When the countdown finishes, the browser automatically downloads a file. At the same time, the page switches to a fake Microsoft Store-like interface showing “Zoom Workplace” being installed. Meanwhile, the real installer lands in the user’s Downloads folder — all without asking for permission.


Inside the Malicious Installer

The file that gets downloaded is named:

zoom_agent_x64_s-i(__941afee582cc71135202939296679e229dd7cced) (1).msi

Its SHA-256 hash is:

644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa

The “s-i(__)” part of the name follows the naming pattern used by Teramind — a legitimate employee monitoring product — and the long hash corresponds to an attacker’s Teramind account. Inside the installer, text strings show Agent version 26.3.3403 and fields for “Server IP or host name,” proving it was preconfigured to connect to a server controlled by the attackers.

This file runs through Windows Installer without showing the usual setup wizard, so the surveillance tool is installed quietly.


Stealthy Deployment

The installer was compiled with references to a folder named out_stealth, which aligns with Teramind’s stealth mode feature — designed to hide its presence on a device. In this build, the agent runs as a file named dwm.exe and is placed under ProgramData\{GUID}, with no visible icons, no system tray entry, and no listing in installed programs.

During setup, the installer unpacks components into temporary folders that aren’t individually signed — which can sometimes trigger detection by security tools. It checks for existing Teramind installations, then collects system details like the computer name, active user, keyboard layout, and language settings before reporting back to the remote server.


Evasion Techniques

To make analysis harder, the installer includes logic that detects whether it’s running in a sandbox or debugging environment. If such environments are present, it may change its behavior. After installation completes, temporary files are removed, leaving fewer obvious traces. The monitoring agent, however, continues running unseen.


Why This Is Particularly Dangerous

Teramind itself is not malware — it’s commercially sold to businesses to monitor employees. It can log keystrokes, capture screenshots, record visited websites and applications, track clipboard contents, and monitor emails and files. In a corporate setting with consent and policies, this is legal. But secretly installing it on personal machines turns it into stalkerware — covert surveillance software used without permission.

Because the files are part of legitimate software, traditional antivirus tools may not flag them. Detecting misuse depends on context.


What to Do If You Encountered This

If you visited that fake Zoom URL and saw this file downloaded:

Do not open it.

If you already ran it, treat your device as compromised.

To check for installation:

  1. Open File Explorer.
  2. Go to C:\ProgramData.
  3. Look for a folder named {4CEC2908-5CE4-48F0-A717-8FC833D8017A}.
    (You may need to enable “Hidden items” in the View options to see it.)

To see if the service is running:

  1. Open Command Prompt as administrator.
  2. Run: sc query tsvchst
  3. If the output shows STATE: 4 RUNNING, it’s active. If the service isn’t found, it may not be installed.

If compromised:

  • Change passwords (email, banking, work) from a clean device.
  • If this happened on a work computer, notify your IT/security team immediately.
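The manual checks above, combined into one read-only PowerShell triage script. This is an added example, not code from the original article; it assumes the folder name, service name, process name, file-name pattern and SHA-256 the article reports, and only reports findings, it removes nothing. Run it in an elevated PowerShell window.

```powershell
# Added example: read-only triage for the indicators described in the article.
# Assumes the names/hash below are as reported there; nothing is deleted or stopped.

$Guid        = '{4CEC2908-5CE4-48F0-A717-8FC833D8017A}'   # agent folder name from the article
$ServiceName = 'tsvchst'                                   # service name from the article
$BadSha256   = '644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa'
$Findings    = New-Object System.Collections.Generic.List[string]

# 1. Hidden agent folder under ProgramData (-Force makes hidden items visible)
$AgentDir = Join-Path $env:ProgramData $Guid
if (Get-Item -LiteralPath $AgentDir -Force -ErrorAction SilentlyContinue) {
    $Findings.Add("Agent folder present: $AgentDir")
}

# 2. Service state ('Running' here corresponds to STATE: 4 RUNNING in sc query)
$Svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($Svc) { $Findings.Add("Service '$ServiceName' found, status: $($Svc.Status)") }

# 3. A dwm.exe running from anywhere other than System32. The real Desktop Window
#    Manager lives in System32; the agent only borrows the name.
$SysDwm = Join-Path $env:SystemRoot 'System32\dwm.exe'
Get-Process -Name dwm -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_.Path
    if ($p -and ($p -ne $SysDwm)) {
        $Findings.Add("dwm.exe running from unexpected path: $p (PID $($_.Id))")
    }
}

# 4. The downloaded installer: match the Teramind-style name pattern, then confirm by hash
$Downloads = Join-Path $env:USERPROFILE 'Downloads'
Get-ChildItem -LiteralPath $Downloads -Filter '*_s-i(__*' -File -ErrorAction SilentlyContinue |
  ForEach-Object {
    $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
    if ($h -eq $BadSha256) { $Findings.Add("Known malicious installer: $($_.FullName)") }
    else { $Findings.Add("Installer matching the name pattern (different hash): $($_.FullName)") }
  }

if ($Findings.Count -eq 0) { 'No indicators from the article were found.' }
else { 'Indicators found:'; $Findings | ForEach-Object { " - $_" } }
```

A non-elevated session may leave the process path empty for some processes, so check 3 is only reliable when run as administrator.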

How to Avoid Similar Scams

  • Always open Zoom from the official app.
  • Instead of clicking meeting links, type zoom.us in your browser.
  • Be cautious with unexpected meeting links.

Final Thoughts

Attackers are increasingly using legitimate commercial software instead of custom malware. Products like Teramind have credibility, which helps them run reliably — but when deployed without consent, they become serious privacy threats. This scam only requires a convincing fake page and an automatic download timer — the time from clicking the link to a finished install can be under 30 seconds. A quick check of where a link really leads can prevent this type of compromise.