Be Careful With Fake Zoom Client Downloads
June 5, 2025, 5:16 p.m.
Description
A deceptive email containing a fake Zoom meeting invitation has been identified. Clicking the 'join' button leads to a website prompting users to install a purported Zoom client update. The downloaded executable, 'Session.ClientSetup.exe', is actually malware that installs an MSI package. This package deploys ScreenConnect, a remote access tool, allowing attackers to gain unauthorized access to the victim's computer. The malware establishes persistence by installing itself as a service and connects to a command and control server at tqtw21aa.anondns.net on port 8041. Users are advised to exercise caution when receiving unexpected Zoom invitations or update prompts.
Date
- Created: June 5, 2025, 3:35 p.m.
- Published: June 5, 2025, 3:35 p.m.
- Modified: June 5, 2025, 5:16 p.m.
Indicators
- f5e467939f8367d084154e1fefc87203e26ec711dbfa83217308e4f2be9d58be
- tqtw21aa.anondns.net
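
A detection check for the service persistence described above, as an added example that is not part of the original report: it reads the relay host and port out of ScreenConnect client service command lines and flags any that point at the indicator domain or at a relay you have not approved. It assumes the client service command line carries the relay as `h=` and `p=` query parameters; the approved relay set, the service names and the sample inventory are constructed.

```python
from urllib.parse import parse_qs

C2_HOST = "tqtw21aa.anondns.net"           # indicator from this page
APPROVED_RELAYS = {"support.example.com"}  # assumption: your own ScreenConnect relays

# Constructed (service name, ImagePath) pairs, as a service inventory export might hold them.
SC = r'"C:\Program Files (x86)\ScreenConnect Client (constructed)\ScreenConnect.ClientService.exe" '
SAMPLE_SERVICES = [
    ("ScreenConnect Client (a)", SC + '"?e=Access&y=Guest&h=tqtw21aa.anondns.net&p=8041&s=x&k=x"'),
    ("ScreenConnect Client (b)", SC + '"?e=Access&y=Guest&h=support.example.com&p=443&s=x&k=x"'),
    ("ScreenConnect Client (c)", SC + '"?e=Access&y=Guest&h=relay.example.net&p=443&s=x&k=x"'),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
]

def relay_of(image_path):
    """Return (host, port) from a ScreenConnect service command line, else None."""
    if "screenconnect" not in image_path.lower():
        return None
    # Everything after the first '?' is the launch parameter string.
    query = image_path.partition("?")[2].strip().strip('"')
    params = parse_qs(query)
    # Normalise case and a trailing dot so FQDN variants still match.
    host = params.get("h", [""])[0].strip().lower().rstrip(".")
    port = params.get("p", [""])[0]
    if not host:
        return None
    return host, int(port) if port.isdigit() else None

def classify(image_path):
    """Label one service: ioc-match, unapproved-relay, approved or no-relay."""
    relay = relay_of(image_path)
    if relay is None:
        return "no-relay"
    host, _ = relay
    if host == C2_HOST:
        return "ioc-match"
    return "approved" if host in APPROVED_RELAYS else "unapproved-relay"

def triage(services):
    """Return (name, verdict, host, port) for every service needing review."""
    findings = []
    for name, path in services:
        verdict = classify(path)
        if verdict in ("ioc-match", "unapproved-relay"):
            findings.append((name, verdict, *relay_of(path)))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_SERVICES):
        print(finding)
```

The unapproved-relay verdict matters as much as the exact match: it still flags an install whose relay host has changed from the one listed here.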