Remote Access Delivered Through Fake Zoom and Google Meet Calls
Essential information
- Published
- 06/03/2026 15:21
- Modified
- 09/03/2026 10:00
- Tags
- 2026-03-06 clickfix connectwise control google meet phishing social engineering teramind zoom
- Related entities
- 14 observables, 1 intrusion sets (apt), 4 techniques (mitre), 2 malware, 9 others
Description
A campaign using fake Zoom and Google Meet pages to lure victims into fraudulent video calls has been identified. The attackers use these pages to deliver remote-access software. Multiple domains hosting identical fake meeting pages were discovered, with one domain previously linked to a ClickFix campaign. The fake interfaces show an active meeting with expected participants. When victims join, they are prompted to download a file disguised as a Zoom update. Various payloads were identified, including executables masquerading as meeting updates, MSI installers deploying legitimate remote support software, and commercial monitoring software configured for covert remote access. The campaign's goal appears to be establishing remote access using whichever tool is most effective.