UPDATE (February 27, 2026): We have added more clarity around the abuse of legitimate commercial products.
UPDATE (February 25, 2026): Teramind has stated that it is not affiliated with the threat actors described and did not authorize the deployment of the software referenced. Further updates have been made throughout for clarification.
A fake Zoom meeting website is silently pushing surveillance software onto Windows machines. Visitors land on a convincing imitation of a Zoom video call. Moments later, an automatic “Update Available” countdown downloads a malicious installer—without asking for permission.
The scam campaign pushes a Teramind installer onto unsuspecting victims. Teramind is a legitimate commercial workforce monitoring product that companies use to record what employees do on work computers. In this cybercriminal campaign, with which Teramind has no affiliation, the abused and altered program is quietly dropped onto the machines of ordinary people who thought they were joining a meeting.
The whole operation starts at uswebzoomus[.]com/zoom/, a website that opens as a Zoom waiting room. The moment it loads, it quietly sends a message back to the attackers letting them know someone has arrived.
Three scripted fake participants—“Matthew Karlsson,” “James Whitmore,” and “Sarah Chen”—appear to join the call one by one, each announced by a genuine-sounding Zoom join chime. Their conversation audio loops on repeat in the background.
The page behaves differently if no one interacts with it. The audio and meeting sequence only begin once a real person clicks or types. Automated security tools that scan suspicious pages without interacting may see nothing unusual.
A permanent “Network Issue” warning is displayed over the main video tile. This is not a glitch: the page is hardcoded to always show it. The choppy audio and lagging video are entirely deliberate, and they serve a specific psychological purpose. A visitor sitting through a broken call will naturally assume something is wrong with the app. When an “Update Available” prompt appears moments later, it feels like the fix.
Ten seconds after the meeting screen appears, a pop-up takes over: “Update Available — A new version is available for download.” A spinner turns and a counter ticks from five to zero. There is no close button.
By this point the visitor has already sat through a frustrating, glitchy call—and a software update is exactly what they have been primed to want. The pop-up arrives not as a surprise, but as an answer.
When the counter hits zero, the browser is instructed to silently download a file. At the exact same moment, the page switches to what looks like the Microsoft Store showing “Zoom Workplace” mid-installation, spinning and all. While the visitor watches what appears to be a legitimate install resolving the problem, the real installer has already landed in their Downloads folder— and it didn’t ask for permission at any point.
The downloaded file is called zoom_agent_x64_s-i(__941afee582cc71135202939296679e229dd7cced) (1).msi. It’s a standard Windows installer format. Its unique digital fingerprint is 644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa.
The filename itself is telling: the string s-i(__) copies Teramind’s own naming convention for a stealth instance installer, with the hash after it identifying the specific attacker-controlled Teramind account the agent will report back to.
Security analysis of the file’s contents revealed two particularly telling pieces of text hidden inside it: Agent version 26.3.3403 and a field labelled Server IP or host name. These fields confirm the installer was preconfigured to connect to an attacker-controlled Teramind server.
The installer executes through Windows Installer without presenting the interactive installation interface a consumer would normally see. The person whose machine is being set up for surveillance has no idea it is happening.
Inside the installer’s internal build files—notes left over from the development process that are normally only seen by the software’s authors—the folder name out\stealth appears in the build path. This indicates the attackers configured the installer using Teramind’s “stealth mode” deployment option, a legitimate enterprise feature designed for authorized IT deployments where an invisible agent is required. However, in this criminal campaign, that feature is being misused to avoid detection on victims’ personal devices.
In this version of the Windows agent, Teramind’s MSI defaults to naming the agent binary dwm.exe and installs it under a ProgramData\{GUID} directory. This behavior is documented by the vendor and can be changed using the TMAGENTEXE installer parameter.
During installation, the software assembles itself in stages. Several Teramind components are unpacked into temporary directories during installation. These intermediate files are not individually signed, which can sometimes trigger security tooling during analysis. The installation chain first confirms whether Teramind is already on the machine, then collects the computer’s name, the current user account, the keyboard language, and the system locale. These are the details Teramind needs to identify the device and begin reporting activity back to whoever deployed it.
The agent is configured to communicate with a remote Teramind server instance, consistent with enterprise monitoring deployments.
One of the most deliberate aspects of this installer is how hard it works to avoid being analyzed. Security researchers examine suspicious software in controlled “sandbox” environments (essentially isolated virtual machines where the software can run safely while being watched). This installer is built to detect exactly that situation and behave differently.
Runtime analysis flags indicate the presence of debug and environment detection logic (DETECT_DEBUG_ENVIRONMENT). The installer performs checks consistent with identifying analysis or sandbox environments and may alter its behavior under those conditions.
Once installation completes, the installer removes its temporary files and staging folders. That means by the time someone checks the machine, obvious traces of the installer may already be gone. The monitoring agent itself, however, continues running in the background.
Teramind is a legitimate software vendor whose product serves a real function. Businesses pay for it to monitor staff on company-owned devices: it logs every keystroke, takes screenshots at regular intervals, records which websites were visited and which applications were opened, captures clipboard contents, and tracks email and file activity.
In a corporate context—where employees are informed and policies are in place—this is legal. But here, cybercriminals misuse the Teramind tool and secretly install the software on personal machines without authorization.
The attackers did not write custom malware. They deployed a professionally developed commercial product that is designed to run reliably and persist through restarts. That makes it more durable than many traditional scams.
Because the files themselves belong to legitimate software, there is no malicious code for traditional antivirus tools to detect. Rather, this is a situation where context matters: the scammers are misusing Teramind’s legitimate monitoring software by installing it on a victim’s personal device without their knowledge or consent.
If you visited uswebzoomus[.]com/zoom/ and a file with the name above was downloaded:
Do not open it.
If you already ran it, treat your device as compromised.
Check for the installation folder:
ProgramData is hidden by default. In File Explorer, select View and enable “Hidden items.”
Check whether the service is running:
If it shows STATE: 4 RUNNING, the agent is active. If the service does not exist, it was not installed using the default configuration.
Change passwords for important accounts—email, banking, and work—from a different, clean device.
If this happened on a work computer, contact your IT or security team immediately.
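The manual checks above (a hidden agent binary named dwm.exe under a GUID-named ProgramData folder, and a running service) can be gathered in one pass. The following PowerShell script is an added example written for this article, not a Malwarebytes or Teramind tool. It relies only on the vendor default the article describes (agent binary dwm.exe installed under ProgramData\{GUID}); the service name is not given on this page, so instead of assuming one it flags any service whose binary path is a dwm.exe under ProgramData. The genuine Windows Desktop Window Manager lives in System32, so a dwm.exe anywhere else deserves attention.

```powershell
# Added example (not from the article): hunt for a Teramind-style agent that
# uses the documented default name dwm.exe under ProgramData\{GUID}.
# Run from an elevated PowerShell prompt; read-only, it changes nothing.

$legitDwm    = Join-Path $env:SystemRoot 'System32\dwm.exe'
$programData = $env:ProgramData
$guidFolder  = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

# 1. GUID-named folders directly under ProgramData that contain dwm.exe.
#    -Force is needed because ProgramData is a hidden folder.
$dirs = Get-ChildItem -Path $programData -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $guidFolder -and
                   (Test-Path (Join-Path $_.FullName 'dwm.exe')) }

# 2. Running processes named dwm whose image is NOT the Windows one in System32.
#    Get-Process may not expose Path for protected processes; those are skipped.
$procs = Get-Process -Name dwm -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ine $legitDwm) }

# 3. Services whose binary path points at a dwm.exe under ProgramData.
#    State is the same information "sc query" reports as STATE: 4 RUNNING.
$svcs = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match 'dwm\.exe' -and
                   $_.PathName -like "$programData*" }

# Report
if ($dirs) {
    Write-Host "[!] dwm.exe found in GUID-named ProgramData folder(s):"
    $dirs | ForEach-Object { Write-Host "    $($_.FullName)" }
}
if ($procs) {
    Write-Host "[!] dwm.exe running from outside System32:"
    $procs | ForEach-Object { Write-Host "    PID $($_.Id)  $($_.Path)" }
}
if ($svcs) {
    Write-Host "[!] Service(s) launching dwm.exe from ProgramData:"
    $svcs | ForEach-Object {
        Write-Host "    $($_.Name)  State=$($_.State)  Start=$($_.StartMode)"
        Write-Host "      $($_.PathName)"
    }
}
if (-not ($dirs -or $procs -or $svcs)) {
    Write-Host "[+] No dwm.exe outside System32 and no matching service found."
    Write-Host "    A non-default install (TMAGENTEXE changed) would not be caught here."
}
```

A clean result only rules out the default configuration: as the article notes, the binary name is a documented installer parameter, so an attacker who changed it would need a broader check (for example, listing every service whose binary lives under ProgramData rather than under Program Files or Windows).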
To avoid similar attacks in the future:
There is a quiet but growing trend of attackers abusing and misusing legitimate commercial software. Tools like Teramind arrive on a machine and avoid detection by traditional antivirus tools because the software itself is legitimate and credible, and that credibility is exactly what makes it useful to a bad actor deploying it without permission.
This cybercriminal campaign does not rely on technical sophistication. No new hacking technique was used. The attacker built a convincing fake Zoom page, set an automatic download to fire before any visitor has a reason to be suspicious, and used a fake Microsoft Store screen to explain it all away. From click to install takes less than thirty seconds. Someone who was expecting a Zoom invite and saw what looked like a Microsoft installation in progress could easily walk away believing nothing unusual had happened.
Zoom is frequently impersonated because people receive meeting links through email, text, Slack, and calendar invites—and click quickly. Taking five seconds to confirm a link really leads to zoom.us is a simple habit that can prevent a serious problem.
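The five-second habit of checking where a meeting link really points can be turned into a small function. This PowerShell snippet is an added example, not part of the article: it parses a link, accepts only zoom.us and its subdomains, and specifically flags hosts that merely contain the word "zoom" (the lure domain uswebzoomus[.]com from this campaign is the constructed sample, written defanged as the article gives it; the function refangs "[.]" before parsing). The other sample links are made up for illustration.

```powershell
# Added example (not from the article): does this meeting link really go to zoom.us?
function Test-ZoomLink {
    param([Parameter(Mandatory)][string]$Link)

    # Accept defanged input such as example[.]com so IoCs can be pasted as-is.
    $clean = $Link -replace '\[\.\]', '.'

    $uri = $null
    if (-not [System.Uri]::TryCreate($clean, [System.UriKind]::Absolute, [ref]$uri)) {
        return [pscustomobject]@{ Link = $Link; Host = $null; Verdict = 'unparseable' }
    }

    # Registered host only: zoom.us itself, or a subdomain such as us02web.zoom.us.
    $host = $uri.Host.ToLowerInvariant()
    $isZoom = ($host -eq 'zoom.us') -or ($host.EndsWith('.zoom.us'))

    $verdict = if ($isZoom -and $uri.Scheme -eq 'https') { 'ok' }
               elseif ($isZoom)                         { 'zoom host but not https' }
               elseif ($host -like '*zoom*')            { 'LOOKALIKE: contains "zoom" but is not zoom.us' }
               else                                     { 'not a zoom.us link' }

    [pscustomobject]@{ Link = $Link; Host = $host; Verdict = $verdict }
}

# Constructed sample links (not real meeting IDs); the last one is the campaign's lure domain.
@(
    'https://zoom.us/j/0000000000',
    'https://us02web.zoom.us/j/0000000000',
    'https://zoom.us.example.test/j/0000000000',
    'http://uswebzoomus[.]com/zoom/'
) | ForEach-Object { Test-ZoomLink $_ } | Format-Table -AutoSize
```

The host comparison deliberately uses the full hostname rather than a substring match: "zoom.us.example.test" ends with ".test", not ".zoom.us", so it is rejected even though it starts with the real brand, and "uswebzoomus.com" is called out as a lookalike rather than silently rejected.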
File Hashes (SHA-256)
Domains
Teramind Instance ID
Stefan Dasic
Passionate about antivirus solutions, Stefan has been involved in malware testing and AV product QA from an early age. As part of the Malwarebytes team, Stefan is dedicated to protecting customers and ensuring their security.