The company Teramind has confirmed that it is not involved with the attackers discussed in this report and did not authorize or deploy the monitoring software in the campaigns described. The software is a legitimate commercial monitoring product with lawful uses, but here it is being abused by threat actors.
On February 24, 2026, Malwarebytes published research about a scam that used a fake Zoom meeting page to quietly force a Windows user to download and install a legitimate Teramind installer preconfigured for unauthorized surveillance. After that initial report, the malicious domain used for the Zoom scam was reported and taken down by its registrar. However, the campaign has persisted and expanded — including a new fake Google Meet variant.
Campaign Growth: Google Meet Variant Appears
Although the original Zoom-themed site (uswebzoomus[.]com) has been disabled, a second phishing page impersonating Google Meet has gone active at googlemeetinterview[.]click. This new site uses the exact same technique and binary as the Zoom scam, demonstrating the attacker’s intent to broaden the operation.
On this Google Meet-themed page, victims are shown a counterfeit Microsoft Store listing claiming to be “Google Meet for Meetings,” allegedly published by “Google Meet Video Communications, Inc.” This publisher identity is false. The fake store interface shows a “Starting download…” message while silently sending a Windows MSI installer through a scripted download path.
Traffic analysis confirms that both the Zoom and Google Meet variants deliver the same underlying binary file — evidenced by identical cryptographic hashes — with only the installer filename changed.
Different Infrastructure, Same Payload
Although the Zoom and Google Meet sites are separate domains on different hosting stacks (e.g., Apache vs. LiteSpeed), each uses a PHP script to serve the malware disguised as an MSI installer and mimics a Microsoft Store experience. These infrastructure differences indicate the operators prepared fallback mechanisms in case one domain gets taken down.
How One Binary Becomes Many Attacker Accounts
Analysis shows that many installer filenames share the same exact binary (same SHA-256 hash). This raises the question: How can multiple distinct monitoring accounts use the same executable?
The answer lies in a custom .NET action inside the MSI that parses its own filename at install time. The embedded code extracts an attacker-unique identifier from the filename (the “instance ID”) and overwrites the installer’s default configuration with it. That way, the same compiled MSI can serve different attackers without modifying the binary itself.
Hands-On Detonation Reveals Behavior
Researchers detonated the MSI in a controlled Windows environment with verbose logging and network monitoring. Results showed:
Installation Stages
- ReadPropertiesFromMsiName – Reads and stores the instance ID from the file name.
- CheckAgent – Determines if a Teramind agent already exists.
- ValidateParams – Confirms parameters are valid.
- CheckHosts – Attempts to reach the configured server; if unreachable, the installer fails.
This check reveals that the binary must contact rt.teramind.co to install successfully — a fallback Teramind server address baked into the installer.
Stealth Mode Confirmed
The installer’s internal settings show that Teramind’s stealth mode (“Hidden Agent”) is enabled by default for these installs. With stealth enabled:
- There are no taskbar icons
- No visible program entries in Add/Remove Programs
- Users are unaware the software is running
Services and Persistence
Two Windows services are created during installation:
| Service Name | Display Name | Binary | Startup |
|---|---|---|---|
| tsvchst | Service Host | svc.exe | Automatic |
| pmon | Performance Monitor | pmon.exe | Manual |
These services are configured with aggressive restart rules so they automatically respawn if terminated.
Network Activity
Immediately after installation, the agent begins resolving and contacting its command-and-control server, using intervals of about 11 seconds for DNS callbacks.
Indicators of Compromise (IOCs)
File Hashes
- SHA-256: 644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa
- MD5: AD0A22E393E9289DEAC0D8D95D8118B5
Known Domains
- uswebzoomus[.]com (Zoom variant, now suspended)
- googlemeetinterview[.]click (Google Meet variant, active)
Detection & Defense Tips
- Monitor for specific ProgramData GUID directories tied to this campaign.
- Look for both tsvchst and pmon services running unexpectedly.
- Block MSI execution from untrusted browser download locations.
- Educate users to never trust update prompts delivered through links or pages that aren’t from official sources.
- Use policies preventing untrusted automatic file downloads.
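The following is an added detection example, not code from the original report or from Malwarebytes or Teramind. It turns two observations above into checks a hunter can run offline: the roughly 11-second DNS callback cadence described under Network Activity, and the tsvchst/pmon service pair from the services table. The DNS log lines, the C2 hostname (c2-placeholder.invalid), the service inventory and the ProgramData GUID folder are all constructed placeholders; the log format and the Win32_Service-like dictionaries are assumptions about what a real export would look like.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample DNS query log (not from the report): one workstation
# resolving a placeholder C2 host every ~11 s among ordinary lookups.
SAMPLE_DNS_LOG = """\
2026-02-24T10:00:00 WS01 query=c2-placeholder.invalid
2026-02-24T10:00:11 WS01 query=c2-placeholder.invalid
2026-02-24T10:00:22 WS01 query=c2-placeholder.invalid
2026-02-24T10:00:25 WS01 query=cdn.example.test
2026-02-24T10:00:33 WS01 query=c2-placeholder.invalid
2026-02-24T10:00:44 WS01 query=c2-placeholder.invalid
2026-02-24T10:00:55 WS01 query=c2-placeholder.invalid
"""
LINE_RE = re.compile(r"^(\S+) (\S+) query=(\S+)$", re.M)

def find_beacons(log_text, expected=11.0, tolerance=2.0, min_queries=5):
    """(host, domain) -> median gap for names resolved every ~`expected` s."""
    times = defaultdict(list)
    for ts, host, domain in LINE_RE.findall(log_text):  # malformed lines are skipped
        times[(host, domain)].append(datetime.fromisoformat(ts))
    hits = {}
    for key, stamps in times.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = statistics.median(gaps)
        # Regular callbacks cluster tightly around the median; browsing does not.
        if abs(med - expected) <= tolerance and statistics.pstdev(gaps) <= tolerance:
            hits[key] = med
    return hits

# Constructed service inventory, shaped like Win32_Service output; the
# ProgramData GUID folder is a placeholder, not a value from the report.
SAMPLE_SERVICES = [
    {"Name": "tsvchst", "DisplayName": "Service Host", "PathName": r"C:\ProgramData\<GUID>\svc.exe"},
    {"Name": "pmon", "DisplayName": "Performance Monitor", "PathName": r"C:\ProgramData\<GUID>\pmon.exe"},
    {"Name": "Spooler", "DisplayName": "Print Spooler", "PathName": r"C:\Windows\System32\spoolsv.exe"},
]
CAMPAIGN_SERVICES = {"tsvchst": "svc.exe", "pmon": "pmon.exe"}  # from the report's table

def find_campaign_services(services):
    """Return the lower-cased names of campaign services whose binary matches."""
    found = set()
    for svc in services:
        binary = CAMPAIGN_SERVICES.get(svc["Name"].lower())
        if binary and svc["PathName"].lower().endswith(binary):
            found.add(svc["Name"].lower())
    return found
```

Treat a beacon hit as a lead rather than a verdict: a legitimately deployed Teramind agent will show the same cadence, so confirm against your organisation’s approved software inventory before acting.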
Final Takeaway
This campaign highlights a growing trend: attackers increasingly abuse legitimate software rather than crafting new malware. By combining brand impersonation (Zoom, Google Meet) with an off-the-shelf commercial monitoring product, threat actors can achieve stealthy persistence without traditional malware signatures — making detection by standard antivirus tools difficult.
