Zoom Invite Scam Deploys Fake Meeting to Install Remote‑Control Malware on Windows PCs
In today’s hyper‑connected world, video conferencing has become a staple of both personal and professional life. With Zoom, Microsoft Teams, and other platforms handling millions of daily meetings, cybercriminals are constantly looking for new ways to exploit the trust users place in these services. A recent campaign uncovered by Sublime Security demonstrates a sophisticated phishing technique that masquerades as a legitimate Zoom invitation, lures victims into a counterfeit meeting, and then delivers a remote‑control malware payload to Windows computers.
How the Scam Operates
The attack chain begins with a seemingly innocuous email that looks just like a standard Zoom invite. The message contains a large “Join Meeting” button that, when clicked, opens a web page rather than the official Zoom client. The page then presents a series of spoofed security checks that mimic the familiar Zoom interface. Once the user passes these checks, a waiting room screen appears, complete with a countdown timer, participant list, and the usual “You’re in a Zoom meeting” banner.
At this point, the victim believes they have joined a real call. However, the page is actually running a JavaScript‑based simulation that creates a live, interactive meeting environment. The script populates the room with fictitious participants—names like Matthew Karlsson and Sarah Chen are displayed, and the audio feed is intentionally choppy to simulate a real network glitch. The simulation even shows a “Network Issue” warning, prompting users to update their Zoom client. This is a deliberate psychological trick: most people will click the update link without questioning its legitimacy.
When the user clicks the “Update Available” prompt, they are redirected to a counterfeit Microsoft Store page. The download that follows is not the official Zoom update but a malicious executable named ScreenConnect. While ScreenConnect is a legitimate remote‑support tool used by IT departments, the version distributed in this scam is tampered with to grant attackers full remote control over the victim’s machine.
Recognizing the Red Flags
Although the scam is designed to look convincing, there are several telltale signs that the invitation is fake. Below is a list of indicators that should raise suspicion:
- Sender’s Email Address: The email often originates from a public or generic domain (e.g., @gmail.com, @yahoo.com) rather than a corporate Zoom address.
- URL in the Join Link: Instead of a Zoom domain (zoom.us or zoom.com), the link points to a random or suspicious domain that redirects to a fake site.
- Security Check Screens: Real Zoom invites do not require a separate security verification step before joining a meeting.
- Waiting Room Simulation: The waiting room appears in a web browser rather than the Zoom client, and the layout is slightly off.
- Update Prompt: A pop‑up asking to update Zoom during a meeting is unusual; Zoom typically prompts for updates outside of an active session.
- Download Source: The “update” leads to a Microsoft Store page that is not the official store or is hosted on a different domain.
- System Compatibility: The scam only proceeds on Windows; Mac users see a message that the attack is not supported.
Being aware of these red flags can help users avoid falling victim to the malware.
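The "URL in the Join Link" indicator above can be checked mechanically. The following is an added example, not code from Sublime Security or Zoom; it goes slightly beyond the article by matching the parsed hostname instead of looking for "zoom.us" anywhere in the link, since a lookalike host can contain that text. The sample links are constructed, and requiring https is an assumption.

```python
from urllib.parse import urlsplit

# Domains the article names as legitimate for Zoom join links.
ZOOM_DOMAINS = ("zoom.us", "zoom.com")


def join_link_host(url: str) -> str:
    """Return the lower-cased hostname a browser would connect to ('' if none)."""
    try:
        host = urlsplit(url.strip()).hostname or ""
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return ""
    return host.rstrip(".").lower()


def is_zoom_link(url: str) -> bool:
    """True only for https links whose host is a Zoom domain or a subdomain of one."""
    try:
        scheme = urlsplit(url.strip()).scheme.lower()
    except ValueError:
        return False
    host = join_link_host(url)
    # Assumption: genuine join links are served over https.
    if scheme != "https" or not host:
        return False
    return any(host == d or host.endswith("." + d) for d in ZOOM_DOMAINS)


def triage(links):
    """Map each link to 'zoom' or 'suspicious' for a mail-filter or helpdesk check."""
    return {u: ("zoom" if is_zoom_link(u) else "suspicious") for u in links}


# Constructed sample links; the example.net hosts are placeholders, not campaign data.
SAMPLE_LINKS = [
    "https://us02web.zoom.us/j/1234567890",                   # real Zoom subdomain
    "https://zoom.us.meeting-join.example.net/j/1234567890",  # "zoom.us" as a prefix label
    "https://zoom.us@example.net/j/1234567890",               # "zoom.us" is only userinfo
    "https://notzoom.us/j/1234567890",                        # suffix without a dot boundary
    "http://zoom.us/j/1234567890",                            # right host, not https
]

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:10} {link}")
```

Only the first sample is classified as a Zoom link; the other four would all pass a plain substring check for "zoom.us".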
Protecting Yourself and Your Devices
Cybersecurity experts recommend a layered approach to defend against this type of phishing attack:
- Verify the Sender: Check the email address and cross‑reference it with the organization’s official contacts. If in doubt, contact the sender directly using a known phone number or email.
- Hover Over Links: Before clicking, hover over the “Join Meeting” button to see the actual URL. Legitimate Zoom links will contain zoom.us or zoom.com.
- Use the Official App: Instead
