Phishing Campaigns Abuse Legitimate Monitoring and Remote-Access Tools for Stealthy Takeover
Security researchers reported multiple phishing campaigns that impersonate trusted brands to trick users into installing legitimate enterprise software repurposed for surveillance and remote control. One campaign uses fake Zoom and Google Meet “meeting room” pages that simulate a waiting room experience (participant names, audio cues, and a persistent “network issue” message) and then pressure victims with a forced “update required” download via a countdown timer. After execution, a modified Teramind agent is installed in stealth mode (no visible icons/notifications), enabling extensive monitoring such as keystroke capture, screenshots, browsing history, and clipboard collection.
A separate campaign targets cryptocurrency users by impersonating the Yoroi Desktop Wallet and advertising a “security upgrade” via a polished landing page hosted on a recently registered domain (hxxps://download[.]v1desktop-yoroiwallet[.]com/). The download chain redirects to a file-sharing service and delivers an MSI (YoroiDesktop-installer.msi) that does not install a wallet; instead it installs GoTo Resolve (LogMeIn) in unattended mode for silent remote access. Reported artifacts include YoroiDesktop-installer.msi (hash 8634AD3C6488D6A27719C5341E91EEB9) and unattended-updater.exe (hash 2A2D9B03AA6185F434568F5F4C42BF49), along with configuration values indicating enrollment into a preconfigured remote-access fleet (e.g., CompanyId: 5504330483880245799, FleetTemplateName: syn-prd-ava-unattended).
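The indicators in the story above are published the way researchers normally publish them: a defanged URL and bare 32-hex-character hashes with no algorithm named. Before they can be matched against endpoint and DNS telemetry they have to be refanged and case-normalised. The Python below is an added example, not code from the story or from any vendor it names: it matches DNS lookups of the reported lure domain and file or process events carrying the reported hashes or file names, and adds one heuristic of our own for a quiet msiexec install launched from a user's Downloads folder. The telemetry lines and their `timestamp key=value` layout are constructed for the example, and the `hash` field name and the msiexec heuristic are assumptions.

```python
import re
import urllib.parse

# Indicators reported for the Yoroi wallet impersonation campaign (taken from the story above).
# The URL is kept in its published, defanged form; refang() turns it into a matchable host.
DEFANGED_LURE_URL = "hxxps://download[.]v1desktop-yoroiwallet[.]com/"
REPORTED_HASHES = {  # 32-hex-character hashes as reported; the story does not name the algorithm
    "8634AD3C6488D6A27719C5341E91EEB9": "YoroiDesktop-installer.msi",
    "2A2D9B03AA6185F434568F5F4C42BF49": "unattended-updater.exe",
}

# Constructed telemetry in a simple "timestamp key=value ..." shape (not a real product log format).
SAMPLE_TELEMETRY = r"""
2026-03-01T10:14:02Z kind=dns host=download.v1desktop-yoroiwallet.com
2026-03-01T10:14:40Z kind=file image=C:\Users\alice\Downloads\YoroiDesktop-installer.msi hash=8634ad3c6488d6a27719c5341e91eeb9
2026-03-01T10:14:41Z kind=process image=C:\Windows\System32\msiexec.exe cmdline="msiexec /i C:\Users\alice\Downloads\YoroiDesktop-installer.msi /qn" hash=0123456789abcdef0123456789abcdef
2026-03-01T10:15:03Z kind=process image=C:\ProgramData\Updater\unattended-updater.exe hash=2A2D9B03AA6185F434568F5F4C42BF49
2026-03-01T10:20:00Z kind=dns host=zoom.us
2026-03-01T10:21:00Z kind=process image=C:\Windows\System32\notepad.exe hash=ffffffffffffffffffffffffffffffff
"""

TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="value with spaces"


def refang(indicator: str) -> str:
    """Reverse common defanging (hxxp -> http, [.] -> ., [:] -> :) so the indicator
    can be compared with live telemetry."""
    s = re.sub(r"^hxxp", "http", indicator.strip(), flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":")


def lure_domain(defanged_url: str = DEFANGED_LURE_URL) -> str:
    """Host part of the refanged lure URL, lower-cased for comparison."""
    return (urllib.parse.urlsplit(refang(defanged_url)).hostname or "").lower()


def parse_event(line: str) -> dict:
    """Split one constructed telemetry line into a dict of fields."""
    ts, _, rest = line.strip().partition(" ")
    event = {"ts": ts}
    for m in TOKEN.finditer(rest):
        event[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return event


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_events(telemetry: str, hashes=REPORTED_HASHES, defanged_url=DEFANGED_LURE_URL) -> list:
    """Return (timestamp, kind, reason) tuples for every event that matches an indicator."""
    domain = lure_domain(defanged_url)
    known = {h.lower(): name for h, name in hashes.items()}   # hash case is not significant
    names = {name.lower() for name in hashes.values()}
    hits = []
    for line in telemetry.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        kind, ts = ev.get("kind"), ev["ts"]
        if kind == "dns":
            host = ev.get("host", "").lower()
            if host == domain or host.endswith("." + domain):
                hits.append((ts, kind, f"lookup of reported lure domain {host}"))
        elif kind in ("file", "process"):
            digest = ev.get("hash", "").lower()
            name = basename(ev.get("image", ""))
            if digest in known:
                hits.append((ts, kind, f"reported hash for {known[digest]}"))
            elif name in names:
                # Same file name, different hash: a rebuilt or repacked installer looks like this.
                hits.append((ts, kind, f"reported file name {name} with an unreported hash"))
            if kind == "process" and name == "msiexec.exe":
                cmd = ev.get("cmdline", "").lower()
                # Heuristic (our assumption, not from the story): a quiet MSI install straight
                # out of a user's Downloads folder matches how the fake "upgrade" is described.
                if ("/qn" in cmd or "/quiet" in cmd) and "\\downloads\\" in cmd and ".msi" in cmd:
                    hits.append((ts, kind, "quiet msiexec install from a Downloads folder"))
    return hits


if __name__ == "__main__":
    for ts, kind, reason in match_events(SAMPLE_TELEMETRY):
        print(f"{ts} [{kind}] {reason}")
```

Hash matches are exact and therefore brittle: the file-name branch exists because a repacked installer keeps the lure name but not the hash, and the domain check also catches subdomains of the reported host. The msiexec heuristic will fire on some legitimate installs, so it is a triage signal to be read alongside the other hits, not an alert on its own.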
Timeline
Mar 20, 2026: Sublime reports fake interactive Zoom call delivering ScreenConnect
Sublime disclosed a Zoom-themed phishing campaign in which victims received fake meeting invitations and were led through a realistic spoofed Zoom experience ending in a bogus update download. The MSI installer deployed a legitimate ScreenConnect instance configured for attacker access, providing remote control of the victim device.
Mar 2, 2026: Researchers document Zoom and Google Meet phishing using Teramind
Security researchers reported a phishing campaign impersonating Zoom and Google Meet meeting pages on Windows systems. The fake meeting sites pushed a modified Teramind monitoring agent disguised as a required update, enabling stealthy surveillance through attacker-controlled infrastructure.
Mar 1, 2026: Yoroi wallet phishing campaign deploys GoTo Resolve and ScreenConnect
Attackers launched a phishing campaign impersonating the Yoroi Desktop Wallet and directing victims to lookalike domains offering a fake wallet "upgrade." The downloaded MSI installers instead deployed legitimate remote management tools, including GoTo Resolve in unattended mode and a ScreenConnect-based payload, to give attackers persistent remote access.
Related Stories

Phishing and software impersonation campaigns delivering malware via trusted services
Microsoft reported ongoing **OAuth abuse** campaigns targeting government and public-sector organizations, where phishing emails lure users into clicking links that leverage legitimate identity-provider redirect behavior (e.g., **Microsoft Entra ID** and other OAuth providers) to send victims to attacker-controlled pages for malware delivery and potential device takeover. Lures included e-signature requests, Teams meeting recordings, Microsoft 365 password resets, and political themes; Microsoft said it disabled identified malicious OAuth applications but warned related activity persists and requires continued monitoring. Separately, researchers described multiple **deception-based malware delivery** operations that rely on impersonation of trusted brands and software rather than exploiting product vulnerabilities. One campaign spoofed **Zoom** and **Google Meet** to install the legitimate *Teramind* monitoring agent for covert surveillance, using fake landing pages and a Microsoft Store lookalike, persistence via services (including `tsvchst` and `pmon`), and traffic masking via built-in SOCKS5 proxy support; defenders were advised to check for related drivers (e.g., `tm_filter.sys`, `tmfsdrv2.sys`) and artifacts under *ProgramData*. Another campaign used a lookalike domain (`filezilla-project[.]live`) to distribute a trojanized portable **FileZilla 3.69.5** bundle that adds a malicious DLL for DLL search-order hijacking, enabling credential theft (including saved FTP credentials) and C2 activity—highlighting a broader trend of **trusted software impersonation** and search/SEO poisoning as an initial access vector.
1 month ago
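The related story above gives defenders a concrete artifact list for the Teramind-abusing campaign: the `tsvchst` and `pmon` services, the `tm_filter.sys` and `tmfsdrv2.sys` drivers, and files under ProgramData. The Python below is an added example of a hunt over a per-host inventory snapshot; it is not code from the researchers or from Teramind. The `HostSnapshot` layout, the sample inventories and the confidence scale are assumptions made for the example; the `driverquery /fo csv` column headers are reproduced from memory and the rows are constructed.

```python
import csv
import io
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Artifact names reported for the Teramind-abusing campaign (from the story above).
TERAMIND_SERVICES = {"tsvchst", "pmon"}
TERAMIND_DRIVERS = {"tm_filter", "tmfsdrv2"}   # reported as tm_filter.sys and tmfsdrv2.sys


@dataclass
class HostSnapshot:
    """Inventory collected from one host (layout is an assumption for this example).
    Collection is outside the example; the comments say where each piece would come from."""
    services: list           # installed service names, e.g. from `sc query` or Get-Service
    driverquery_csv: str     # text output of `driverquery /fo csv`
    programdata_files: list  # file paths enumerated under C:\ProgramData


def stem_of(name: str) -> str:
    """File name without directory or extension, lower-cased, so 'tm_filter.sys',
    'C:\\x\\TM_FILTER.SYS' and the driverquery module name 'tm_filter' all compare equal."""
    return PureWindowsPath(name).stem.lower()


def driver_modules(csv_text: str) -> list:
    """Module names from driverquery's CSV output (first column, 'Module Name')."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row["Module Name"] for row in reader]


def hunt_teramind(snapshot: HostSnapshot) -> list:
    """Return (kind, artifact) pairs for every reported artifact present in the snapshot."""
    findings = []
    for svc in snapshot.services:
        if svc.lower() in TERAMIND_SERVICES:
            findings.append(("service", svc))
    for module in driver_modules(snapshot.driverquery_csv):
        if stem_of(module) in TERAMIND_DRIVERS:
            findings.append(("driver", module))
    for path in snapshot.programdata_files:
        if stem_of(path) in TERAMIND_DRIVERS | TERAMIND_SERVICES:
            findings.append(("file", path))
    return findings


def confidence(findings: list) -> str:
    """Assumed scale: service plus driver means the agent is installed and active."""
    kinds = {kind for kind, _ in findings}
    if {"service", "driver"} <= kinds:
        return "high"
    return "medium" if findings else "none"


DRIVERQUERY_HEADER = '"Module Name","Display Name","Driver Type","Link Date"\n'
BENIGN_ROW = '"1394ohci","1394 OHCI Compliant Host Controller","Kernel","2/3/2025 1:00:00 AM"\n'

# Constructed sample inventories, not data from the story.
SUSPECT_HOST = HostSnapshot(
    services=["Dhcp", "Spooler", "tsvchst", "pmon"],
    driverquery_csv=(
        DRIVERQUERY_HEADER
        + BENIGN_ROW
        + '"tm_filter","tm_filter","File System","2/3/2025 1:00:00 AM"\n'
        + '"tmfsdrv2","tmfsdrv2","File System","2/3/2025 1:00:00 AM"\n'
    ),
    programdata_files=[
        r"C:\ProgramData\Microsoft\Windows\WER\readme.txt",
        r"C:\ProgramData\Example\tm_filter.sys",
    ],
)
CLEAN_HOST = HostSnapshot(
    services=["Dhcp", "Spooler"],
    driverquery_csv=DRIVERQUERY_HEADER + BENIGN_ROW,
    programdata_files=[],
)


if __name__ == "__main__":
    for label, host in (("suspect", SUSPECT_HOST), ("clean", CLEAN_HOST)):
        found = hunt_teramind(host)
        print(f"{label}: confidence={confidence(found)} findings={found}")
```

A hit tells you the Teramind agent is present, not that it is malicious: an authorised Teramind rollout leaves exactly the same services and drivers. The asset inventory or change record decides whether the install was sanctioned, and the campaign's own tell is the delivery path (a fake meeting page and a forced "update"), which the host artifacts alone cannot show. The file check matches on the name stem only, so a stray `pmon.log` would also be listed; that is deliberate for a hunt, where a false lead costs a minute and a miss costs far more.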
Phishing Campaigns Weaponize Legitimate RMM Tools for Remote Access and Credential Theft
Threat researchers reported multiple phishing-driven intrusions in which attackers impersonate trusted brands and agencies to trick victims into installing legitimate remote monitoring and management (RMM) software for persistent access. In **Operation DoppelBrand**, financially motivated actor **GS7** spoofed Fortune 500 financial and technology brands (including **Wells Fargo** and **USAA**) using more than **150** lookalike domains to harvest credentials and exfiltrate data via attacker-controlled **Telegram bots**; researchers also identified nearly **200** additional domains with short registration terms, automated SSL, wildcard DNS, and brand-specific subdomains supporting the campaign. Separately, Forcepoint X-Labs described a wave of emails impersonating the **U.S. Social Security Administration** that delivers an attached `.cmd` script to weaken Windows defenses and enable silent installation of **ConnectWise ScreenConnect**. The script checks/elevates privileges, disables **Windows SmartScreen** via registry changes, removes **Mark-of-the-Web**, and uses **Alternate Data Streams (ADS)** for stealth before installing an MSI and configuring ScreenConnect (via `System.config`) to beacon to an attacker-controlled server (reported as `dof-connecttop` on port `8041`). Both activity sets highlight a recurring tradecraft pattern: **brand impersonation + scripted defense evasion + abuse of legitimate RMM tooling** (e.g., *LogMeIn Resolve*, *ScreenConnect*) to gain remote control and facilitate follow-on theft or persistence.
1 month ago
Phishing Campaigns Delivering Malware via Disguised, Signed Installers and Malicious Attachments
Security researchers reported active phishing activity targeting enterprise users by impersonating routine workplace workflows (e.g., meeting invites, invoices, and document notifications) to trick recipients into running malware. One campaign used executables masquerading as *Microsoft Teams*, *Zoom*, and *Adobe Acrobat Reader* installers (e.g., `msteams.exe`, `zoomworkspace.clientsetup.exe`, `adobereader.exe`, `invite.exe`) that appeared trustworthy because they were **digitally signed** with an Extended Validation (EV) certificate issued to **TrustConnect Software PTY LTD**. Microsoft Defender telemetry attributed the activity to an unknown threat actor and assessed the approach as a deliberate, multi-wave effort designed to bypass user suspicion and basic security controls. After execution, the signed malware deployed **remote monitoring and management (RMM)** tooling—reported examples include **ScreenConnect**, **Tactical RMM**, and **Mesh Agent**—to establish persistent remote access and enable follow-on actions across affected environments. Separately, reporting also highlighted phishing lures distributing **malicious ISO attachments** embedded in job application/resumé-themed emails, reinforcing that attackers continue to rely on socially engineered business processes (recruiting and HR workflows in particular) to deliver initial payloads and gain a foothold.
1 month ago