Cybercriminals are exploiting Zoom’s remote control feature in a sophisticated social engineering campaign to take over victims’ computers and install malware, with a primary focus on cryptocurrency traders and investors. The threat actor group behind this campaign, known as Elusive Comet, uses deceptive tactics to lure targets into Zoom calls under false pretenses, such as invitations to participate in fake media interviews like a “Bloomberg Crypto” series.
The attack begins with the perpetrators contacting victims via social media or email, often using fake Bloomberg journalist accounts and sending scheduling links through unofficial Calendly pages. These operational anomalies, rather than technical flaws, are what give the scam away. Once the victim joins the Zoom call, the attacker requests remote control access, a legitimate Zoom feature that lets one participant control another’s computer with permission. To trick victims, the attacker changes their Zoom display name to “Zoom,” so the remote control request looks like a system notification. Many users, accustomed to approving Zoom prompts, may unwittingly grant full control of their device.
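The display-name trick described above leaves a trace that a defender can look for: a participant renames themselves to impersonate the platform and then requests remote control. The following Python is an added example (not from the article, Trail of Bits, or Zoom) that runs that check over a constructed, simplified event stream; the event format and field names are assumptions for illustration and are not Zoom’s real log schema. It normalizes display names (Unicode compatibility folding, case, whitespace, zero-for-o substitution) so that “Ｚｏｏｍ” or “Z00m support” are caught alongside the plain “Zoom” the article mentions.

```python
import re
import unicodedata

# Constructed sample events (assumed format, not Zoom's real log schema).
# One participant joins under a plausible name, renames to "Zoom" mid-call,
# and then asks the target for remote control; a second request comes from
# a participant who never renamed and has an ordinary name.
SAMPLE_EVENTS = [
    {"ts": "2025-04-20T14:01:05Z", "type": "join", "user_id": "u-1",
     "display_name": "Jane Doe"},
    {"ts": "2025-04-20T14:01:09Z", "type": "join", "user_id": "u-2",
     "display_name": "Alex Reporter"},
    {"ts": "2025-04-20T14:06:30Z", "type": "rename", "user_id": "u-2",
     "display_name": "Zoom"},
    {"ts": "2025-04-20T14:07:02Z", "type": "remote_control_request",
     "user_id": "u-2", "target_user_id": "u-1"},
    {"ts": "2025-04-20T14:10:00Z", "type": "join", "user_id": "u-3",
     "display_name": "Sam IT"},
    {"ts": "2025-04-20T14:12:00Z", "type": "remote_control_request",
     "user_id": "u-3", "target_user_id": "u-1"},
]

# Names a participant would only pick to masquerade as the platform itself.
IMPERSONATION_PATTERN = re.compile(
    r"^zoom(?: ?(?:support|system|security|notification|assistant))?$"
)


def normalize_name(name):
    """Fold look-alike spellings so naive evasions still match."""
    text = unicodedata.normalize("NFKC", name).casefold()  # fullwidth, case
    text = text.replace("0", "o")                          # "Z00m" -> "zoom"
    text = re.sub(r"\s+", " ", text).strip()               # collapse spaces
    return text


def impersonates_platform(name):
    """True if the display name reads as the platform rather than a person."""
    return bool(IMPERSONATION_PATTERN.match(normalize_name(name)))


def flag_remote_control_requests(events):
    """Replay a meeting's events and annotate each remote control request.

    A request is marked suspicious when the requester's current display
    name impersonates the platform; a mid-call rename is recorded as
    additional context because it is part of the pattern described.
    """
    current_names = {}
    renamed = set()
    findings = []
    for ev in events:
        if ev["type"] == "join":
            current_names[ev["user_id"]] = ev["display_name"]
        elif ev["type"] == "rename":
            current_names[ev["user_id"]] = ev["display_name"]
            renamed.add(ev["user_id"])
        elif ev["type"] == "remote_control_request":
            name = current_names.get(ev["user_id"], "")
            reasons = []
            if impersonates_platform(name):
                reasons.append("requester display name impersonates the platform")
                if ev["user_id"] in renamed:
                    reasons.append("requester renamed themselves earlier in the call")
            findings.append({
                "ts": ev["ts"],
                "requester": ev["user_id"],
                "display_name": name,
                "target": ev["target_user_id"],
                "reasons": reasons,
                "suspicious": bool(reasons),
            })
    return findings


if __name__ == "__main__":
    for finding in flag_remote_control_requests(SAMPLE_EVENTS):
        status = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{finding['ts']} {status} {finding['requester']} "
              f"({finding['display_name']!r}) -> {finding['target']} "
              f"{'; '.join(finding['reasons'])}")
```

The name check is deliberately narrow: it matches only names that read as the platform itself, so a participant called “Zoomer Fan” is left alone. In practice this would be fed from whatever meeting telemetry an organization actually has, and the remote control feature itself would still be disabled where the article’s advice applies.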
With remote access granted, the attacker can install malware, steal sensitive data such as cryptocurrency wallet keys, exfiltrate information, or maintain persistent access for further exploitation. This technique mirrors tactics seen in major hacks like the $1.5 billion Bybit cryptocurrency breach, where attackers exploited trusted workflows rather than software vulnerabilities.
Security experts warn that the attack’s success relies heavily on exploiting user trust and operational security failures rather than technical vulnerabilities. The permission dialog’s similarity to routine Zoom notifications makes it particularly dangerous, as users often approve requests without realizing the consequences. Organizations handling sensitive data, especially in the crypto sector, are advised to disable Zoom’s remote control feature or remove Zoom entirely to mitigate this risk.
Trail of Bits and other cybersecurity firms have identified specific social media accounts, email addresses, and URLs linked to the campaign to help organizations update monitoring systems and detect related activity. The campaign exemplifies a growing trend of “living off trusted services” attacks, where cybercriminals leverage legitimate platforms like Zoom and Calendly to bypass security controls and evade detection.