{
  "name": "Be Careful With Fake Zoom Client Downloads",
  "slug": "be-careful-with-fake-zoom-client-downloads",
  "description": "A deceptive email containing a fake Zoom meeting invitation has been identified. Clicking the 'join' button leads to a website that prompts the user to install a purported Zoom client update. The downloaded executable, 'Session.ClientSetup.exe', is actually malware that installs an MSI package. This package deploys ScreenConnect, a legitimate remote access tool that is abused here to give attackers unauthorized access to the victim's computer. The malware establishes persistence by installing itself as a service and connects to a command and control server at tqtw21aa.anondns.net on port 8041. Because ScreenConnect is a legitimate product that security tools may not flag, an unexpected ScreenConnect service or an outbound connection to this host is worth alerting on. Users are advised to exercise caution when receiving unexpected Zoom invitations or update prompts.",
  "published": "2025-06-05T13:35:06+00:00",
  "created_at": "2025-06-05T13:35:06+00:00",
  "modified_at": "2025-06-05T15:16:52+00:00",
  "created_at_opencti": "2025-06-05T13:35:06+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-06-05",
    "downloader",
    "fake update",
    "phishing",
    "remote access tool",
    "screenconnect",
    "zoom"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "tqtw21aa.anondns.net"
      },
      {
        "id": "",
        "name": "f5e467939f8367d084154e1fefc87203e26ec711dbfa83217308e4f2be9d58be"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:1e181522bb980dc7",
        "name": "ScreenConnect",
        "slug": "screenconnect"
      }
    ],
    "attack_patterns": [
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "c12e0e03-aab0-4646-a929-e921a3d27f02",
        "name": "T1219"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ]
  },
  "external_refs": [
    "https://isc.sans.edu/diary/rss/32014",
    "https://otx.alienvault.com/pulse/6841b92a2822d337bdf7bf39"
  ]
}