Critical Zoom Attack: Protect Yourself from Remote Access Scams
TL;DR
A Zoom-based social engineering campaign by the group tracked as ELUSIVE COMET abuses Zoom's legitimate remote control feature. The attackers lure targets into a video call under a media pretext, change their own display name to 'Zoom' so the remote control request looks like a system prompt, and, once granted control, install malware and drain accounts and wallets. Reduce your exposure by joining calls in the browser (which does not support remote control), disabling or revoking the feature where you can, and never granting control to someone you have not independently verified.
Be cautious when engaging with unfamiliar individuals on the Zoom video conferencing platform; you might unintentionally expose yourself to significant risks. Recently, two CEOs were targeted in a sophisticated Zoom-based attack. One detected the threat in time, but sadly, the other did not.
The ELUSIVE COMET Threat
The attack is attributed to a criminal group known as ELUSIVE COMET, as described in a warning issued by the Security Alliance last month. ELUSIVE COMET entices victims into a Zoom video call and then takes remote control of their computer to install malware, take over their accounts, and steal their assets [1].
Modus Operandi
The group typically initiates contact under the guise of a media opportunity such as a podcast or interview. Once the target shows interest, an introductory Zoom call is scheduled. During the meeting the attacker keeps their own video off and, at some point in the conversation, sends the victim a remote control request [1].
Remote control is a legitimate Zoom feature that lets another participant request control of the screen you are sharing; if you approve, they can move your mouse and type on your computer. It is useful for remote tech support, but it becomes dangerous when the request comes from someone you do not know, especially if you do not realise what you are approving [1].
During the fraudulent call, the attacker changes their display name to 'Zoom' before sending the request. Because Zoom's permission prompt is built around the requester's display name (roughly "<name> is requesting remote control of your screen"), the dialog then reads as though the application itself is asking for control, and some victims approve it without a second thought [1].
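The following is an added example, not code from the article or from Zoom, that makes the deception in the previous paragraphs concrete. It renders an approximation of the remote control prompt from an attacker-controlled display name and then shows the check a meeting-side tool could apply: normalise the display name (Unicode NFKC, zero-width characters stripped, a small look-alike table applied, case folded) and flag names that impersonate the platform or that do not belong to an expected attendee. The prompt wording is paraphrased, the confusables table is deliberately minimal, and the participant names are constructed for the example.

```python
"""Flag Zoom display names that impersonate the platform before a remote
control request is approved.

Added example for this article; not Zoom code. Prompt wording, confusables
table and participant names are constructed assumptions.
"""
import re
import unicodedata

# Approximate wording of the remote control permission dialog. The only
# variable part is the requesting participant's display name, which the
# requester controls (assumption: paraphrased, not quoted from Zoom).
PROMPT_TEMPLATE = "{name} is requesting remote control of your screen"

# Names a participant should never be allowed to present as the requester.
# Compared after normalisation, so "Z00M", "Z<zero-width>oom" and a Greek
# capital Zeta followed by "oom Support" all match.
IMPERSONATED_BRANDS = ("zoom", "zoom support", "zoom security", "zoom admin")

ZERO_WIDTH = re.compile(r"[\u200b\u200c\u200d\u2060\ufeff]")

# Minimal look-alike table for the letters in "zoom" (constructed for this
# example; a real deployment would use the Unicode confusables data).
CONFUSABLES = str.maketrans({
    "0": "o",          # digit zero
    "\u043e": "o",     # Cyrillic small o
    "\u03bf": "o",     # Greek small omicron
    "\u03b6": "z",     # Greek small zeta
    "\u1d22": "z",     # Latin letter small capital Z
    "\u043c": "m",     # Cyrillic small em
})


def normalize_display_name(name: str) -> str:
    """Canonical form used for comparisons: NFKC, zero-width stripped,
    case folded, look-alikes mapped, everything non-alphanumeric collapsed
    to single spaces."""
    n = unicodedata.normalize("NFKC", name)
    n = ZERO_WIDTH.sub("", n)
    n = n.casefold()            # also folds Greek/Cyrillic capitals to lowercase
    n = n.translate(CONFUSABLES)
    n = re.sub(r"[^a-z0-9]+", " ", n).strip()
    return n


def impersonates_platform(name: str) -> bool:
    """True if the display name is, or starts with, a platform brand name."""
    n = normalize_display_name(name)
    return any(n == brand or n.startswith(brand + " ") for brand in IMPERSONATED_BRANDS)


def render_prompt(name: str) -> str:
    """What the victim sees; with name == "Zoom" it reads like a system message."""
    return PROMPT_TEMPLATE.format(name=name)


def triage_request(requester: str, expected_attendees: set) -> dict:
    """Decide whether a remote control request should be rejected.

    Two independent reasons: the name impersonates the platform, or the
    requester is not one of the people the organiser expected on the call.
    """
    reasons = []
    if impersonates_platform(requester):
        reasons.append("display name impersonates the platform")
    known = {normalize_display_name(a) for a in expected_attendees}
    if normalize_display_name(requester) not in known:
        reasons.append("requester is not on the expected attendee list")
    return {
        "requester": requester,
        "prompt": render_prompt(requester),
        "reject": bool(reasons),
        "reasons": reasons,
    }


# Constructed roster for a hypothetical "media interview" call.
EXPECTED_ATTENDEES = {"Alex Rivera", "Podcast Host"}
SAMPLE_REQUESTERS = [
    "Podcast Host",            # legitimate
    "Zoom",                    # the ELUSIVE COMET trick
    "Z\u200boom",              # zero-width space inserted
    "\u0396oom Support",       # Greek capital Zeta instead of Z
    "Z00M Security Team",      # digit zeros, extra words
]


def demo() -> list:
    return [triage_request(r, EXPECTED_ATTENDEES) for r in SAMPLE_REQUESTERS]


if __name__ == "__main__":
    for result in demo():
        verdict = "REJECT" if result["reject"] else "ok"
        print(f'{verdict:6} {result["prompt"]!r} {result["reasons"]}')
```

The point of the exercise is that the rendered prompt for "Zoom" and for "Podcast Host" is produced by exactly the same code path; nothing about the dialog distinguishes a system message from a participant, so the display name alone can never be trusted and the decision has to rest on who you expected to be in the call.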
Real-World Incidents
Attack on Trail of Bits CEO
ELUSIVE COMET attempted this scam on the CEO of the security consulting firm Trail of Bits and failed. The CEO became suspicious after receiving an invitation to appear on "Bloomberg Crypto". The attackers approached him via the X social network and refused to move the conversation to email when asked. They arranged the call through the third-party booking service Calendly, and the absence of any Bloomberg branding on the Calendly pages added to his doubts. Comparing the details with the Security Alliance advisory confirmed the true nature of the approach [2].
Attack on Emblem Vault Owner
Unfortunately, Jake Gallen, owner of the cryptocurrency company Emblem Vault, did fall victim. He received a media invitation from an X account called @tacticalinvest_ to appear on a podcast. During the interview, the attacker installed malware known as goopdate on Gallen's computer, which led to the theft of over $100,000 in digital assets from his Bitcoin and Ethereum wallets and to unauthorised access to his X, Gmail, and other accounts [3].
Gallen had done due diligence before the meeting: the account had a large following, a consistent history of posts and videos, and even an associated YouTube account. That the lure still held up shows how much effort these attackers put into their personas, and that technically literate targets are not immune [3].
Staying Safe on Zoom
Not everyone is a business owner or influencer seeking exposure, but everyone should be deliberate about who is admitted to a Zoom meeting and who is granted control within it. Separately, be aware of the continuing trend of 'Zoombombing', where uninvited individuals join and disrupt meetings [4].
Safety Tips
- Prefer the Browser Client: Join meetings in the browser where possible. The web client has reduced functionality, and in particular it does not support remote control of your system, so the request cannot be made in the first place. If you must use the desktop app, remove or revoke the permissions remote control depends on: on macOS, Zoom needs Accessibility permission (System Settings > Privacy & Security > Accessibility) to control your machine, so denying it there blocks the feature. Zoom account administrators can also disable remote control for their users in the account's in-meeting settings.
- Treat Every Remote Control Request as Coming from a Person: Zoom never asks for control of your computer on its own behalf; the name in the dialog is always another participant's display name, and a participant can set it to anything, including 'Zoom'. Decline any request you did not arrange in advance with someone you have verified, and do not start screen sharing on a call with strangers, since remote control is only possible while you are sharing.
- Verify Meeting Invitations: Confirm that invitations come from the organisation they claim to represent. Check branding on booking pages, insist on corresponding from an email address at the organisation's own domain, and treat a refusal to move off social media DMs as a red flag, exactly as in the Trail of Bits case above.
Conclusion
The ELUSIVE COMET attack underscores the importance of vigilance and caution when using video conferencing platforms like Zoom. By being aware of the tactics used by cybercriminals and taking proactive measures to protect yourself, you can safeguard your digital assets and personal information. Stay informed and stay safe.
Additional Resources
For further insights, check:
- Security Alliance Warning on ELUSIVE COMET
- Mitigating ELUSIVE COMET Zoom Remote Control Attacks
- Jake Gallen’s Postmortem Thread on X
- Recent Zoom Bombings Disrupt Meetings
References
[1] Security Alliance (March 2025). "Warning on ELUSIVE COMET". Security Alliance. Retrieved 2025-04-24.
[2] Trail of Bits (April 17, 2025). "Mitigating ELUSIVE COMET Zoom Remote Control Attacks". Trail of Bits Blog. Retrieved 2025-04-24.
[3] Jake Gallen (April 2025). "Postmortem Thread on X". X. Retrieved 2025-04-24.
[4] Yahoo News (2025). "Recent Zoom Bombings Disrupt Meetings". Yahoo News. Retrieved 2025-04-24.