Instead of creating custom malware, attackers are abusing Teramind, a legitimate enterprise monitoring tool. This strategy allows hackers to spy on victims without triggering standard security alerts.
The campaign relies on fake websites that look exactly like official Microsoft Store pages for Zoom and Google Meet.
When a victim clicks the download button, a malicious MSI installer file is silently delivered to their computer.
Researchers found that the attackers use a single, identical Windows installer file across multiple campaigns.
To tell campaigns apart, the installer reads its own filename at run time. The filename carries a 40-character code that ties the installed agent back to the attacker's specific Teramind account.
Because of this design, one file can serve thousands of attacks simply by being renamed.
When the user runs the installer, it performs a quick network check against its Command and Control (C2) server. If the machine cannot connect to the server, the installation stops immediately with error code 1603.
If the connection is successful, the software installs using a “Hidden Agent” stealth mode. This deployment option runs completely silently in the background.
According to Malwarebytes, the victim will not see a taskbar icon, a system tray entry, or a visible listing in the Windows Add/Remove Programs menu.
Furthermore, the installer supports a built-in proxy tunnel. This allows the agent to hide its data theft by blending malicious traffic with legitimate network traffic.
To keep the surveillance software running, the installer creates two hidden services with aggressive restart rules.
If a user or security tool stops the service, it will automatically restart itself within minutes.
Observed Persistence Mechanisms
| Service Name | Display Name | Executable | Privilege Level |
|---|---|---|---|
| tsvchst | Service Host | svc.exe –service | LocalSystem |
| pmon | Performance Monitor | pmon.exe | LocalSystem |
Security teams should actively monitor for the fixed GUID folder in the ProgramData directory. Administrators can also query systems for the tsvchst and pmon services.
To stop this attack chain early, IT departments should block MSI execution from standard user download folders.
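The checks described above (the two service names, the fixed GUID folder under ProgramData, the MSI product code from the removal command, and MSI files sitting in user Downloads folders) collected into one hunt script. This is an added example, not code from the article or from Malwarebytes; the service names and GUIDs come from the article, while the assumption that the 40-character token in the installer name is alphanumeric is mine.

```powershell
# Added example: hunt a single Windows host for the Teramind indicators named in the article.
# Run in an elevated PowerShell session; read-only, it removes nothing.
$ProgramDataGuid = '{4CEC2908-5CE4-48F0-A717-8FC833D8017A}'   # folder named in the article
$MsiProductCode  = '{4600BEDB-F484-411C-9861-1B4DD6070A23}'   # product code from the msiexec /x command
$ServiceNames    = @('tsvchst', 'pmon')                       # services from the persistence table

$findings = @()

# 1. Services created by the installer (match on the short Name, not the friendly DisplayName).
foreach ($name in $ServiceNames) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += [pscustomobject]@{
            Indicator = 'Service'
            Detail    = "$($svc.Name) ($($svc.DisplayName)) -> $($svc.PathName); account $($svc.StartName); state $($svc.State)"
        }
    }
}

# 2. The fixed GUID folder under ProgramData.
$agentDir = Join-Path $env:ProgramData $ProgramDataGuid
if (Test-Path -LiteralPath $agentDir) {
    $findings += [pscustomobject]@{ Indicator = 'Folder'; Detail = $agentDir }
}

# 3. Windows Installer uninstall record for the product code (32- and 64-bit hives).
$uninstallRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
foreach ($root in $uninstallRoots) {
    $key = Join-Path $root $MsiProductCode
    if (Test-Path -LiteralPath $key) {
        $findings += [pscustomobject]@{ Indicator = 'MsiProduct'; Detail = $key }
    }
}

# 4. MSI files in any user's Downloads folder whose name carries a 40-character token.
#    Assumption (not stated in the article): the token is a run of 40 letters/digits.
foreach ($profile in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $downloads = Join-Path $profile.FullName 'Downloads'
    if (Test-Path -LiteralPath $downloads) {
        Get-ChildItem -LiteralPath $downloads -Filter '*.msi' -File -ErrorAction SilentlyContinue |
            Where-Object { $_.BaseName -match '[A-Za-z0-9]{40}' } |
            ForEach-Object { $findings += [pscustomobject]@{ Indicator = 'Installer'; Detail = $_.FullName } }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No Teramind indicators found on this host.' }
```

A hit on the service or folder check is strong evidence; a hit on the Downloads check alone is only a lead, since the name pattern is an assumption.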
Removal Steps:

```
msiexec /x {4600BEDB-F484-411C-9861-1B4DD6070A23} /qb
rmdir /s /q "C:\ProgramData\{4CEC2908-5CE4-48F0-A717-8FC833D8017A}"
```
The post Phishing Attacks Impersonate Zoom and Google Meet to Distribute Teramind Spyware appeared first on Cyber Security News.