SOC Prime Bias: High

19 May 2026 13:30 UTC
newspaper icon cofense.com

Click, Install, Compromised: The New Wave of Zoom-Themed Attacks

Author Photo
SOC Prime Team linkedin icon Follow
Click, Install, Compromised: The New Wave of Zoom-Themed Attacks
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query


Summary

Threat actors are exploiting fake Zoom meeting invitations to deliver a malicious VBS downloader that installs ConnectWise ScreenConnect, a legitimate remote access application. The VBS payload downloads the ScreenConnect MSI from attacker-controlled infrastructure and launches it from the victim’s TEMP directory. After the remote access tool is installed, the attackers gain persistent access to the system, enabling credential theft, reconnaissance, and delivery of follow-on malware such as ransomware.

Investigation

Cofense identified phishing emails that directed victims to a counterfeit Zoom page prompting them to install a fake update. That update delivered a VBS file named _zoommeeting_Zoom_Installer_64_bit.exe.vbs, which contained a hard-coded URL pointing to a malicious IP address hosting the ScreenConnect.ClientSetup.msi installer. The script then executed the MSI through Windows Script Host in a hidden window to avoid drawing attention.

Mitigation

Organizations should deploy email security controls that can detect and block Zoom-themed phishing lures, require multi-factor authentication for remote access tools, and restrict execution of VBS scripts from user-writable directories. Defenders should also monitor network traffic for communication with known malicious domains and IPs and apply application allow-listing to control legitimate remote administration software.

Response

If this activity is detected, isolate the affected endpoint immediately, remove the malicious VBS file and any installed ScreenConnect components, and reset compromised credentials. Investigators should then perform forensic analysis to determine whether additional malware was deployed or whether data was exfiltrated. Remote access policies should also be reviewed and hardened, and detection content should be updated with the observed indicators of compromise.

"graph TB %% Class definitions section classDef action fill:#99ccff classDef tool fill:#cccccc classDef process fill:#ffcc99 %% Nodes u2013 actions action_email_spoof["<b>Action</b> – <b>T1672 Email Spoofing</b><br/><b>Description</b>: Adversary sends an email that appears to come from a legitimate Zoom address."] class action_email_spoof action action_phishing["<b>Action</b> – <b>T1566 Phishing</b><br/><b>Description</b>: Email contains a malicious link to a spoofed Zoom meeting page."] class action_phishing action action_user_exec_link["<b>Action</b> – <b>T1204.001 User Execution: Malicious Link</b><br/><b>Description</b>: Victim clicks the link and is taken to a cloned Zoom landing page."] class action_user_exec_link action action_masquerade_file["<b>Action</b> – <b>T1036.008 Masquerading: Masquerade File Type</b><br/><b>Description</b>: Page prompts the user to download a VBS script disguised as a Zoom installer."] class action_masquerade_file action action_user_exec_vbs["<b>Action</b> – <b>T1204 User Execution</b><br/><b>Description</b>: Victim runs the VBS file which acts as a downloader."] class action_user_exec_vbs action action_download_rat["<b>Action</b> – <b>T1219 Remote Access Tools</b><br/><b>Description</b>: VBS retrieves and installs ConnectWise ScreenConnect client."] class action_download_rat action action_persistence["<b>Action</b> – <b>T1133 External Remote Services</b><br/><b>Description</b>: Installed ScreenConnect registers a Windows service, providing persistent remote access."] class action_persistence action %% Nodes u2013 tools and process tool_vbs["<b>Tool</b> – <b>Name</b>: Zoom_Installer_64_bit.exe.vbs<br/><b>Description</b>: VBS script used to download additional payload."] class tool_vbs tool tool_screenconnect["<b>Tool</b> – <b>Name</b>: ConnectWise ScreenConnect Client<br/><b>Description</b>: Remote support software that enables remote access."] class tool_screenconnect tool process_download["<b>Process</b> – <b>Name</b>: Download of ScreenConnect MSI<br/><b>Description</b>: Retrieval of ScreenConnect.ClientSetup.msi file."] class process_download process %% Connections u2013 attack flow action_email_spoof –>|leads_to| action_phishing action_phishing –>|leads_to| action_user_exec_link action_user_exec_link –>|leads_to| action_masquerade_file action_masquerade_file –>|leads_to| action_user_exec_vbs action_user_exec_vbs –>|uses| tool_vbs tool_vbs –>|downloads| process_download process_download –>|installs| tool_screenconnect tool_screenconnect –>|enables| action_download_rat action_download_rat –>|provides| action_persistence "

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

Attack Narrative & Commands

  1. Initial Delivery: The victim receives a phishing email titled “Zoom Meeting – Install Update”. The attachment is a VBS script named _zoommeeting_Zoom_installer_64_bit.exe.vbs.
  2. Execution: The user double‑clicks the VBS file, which invokes cscript.exe to run the script. The script drops two payloads in %TEMP%:
    • ScreenConnect.ClientSetup.msi – the malicious Remote Access Tool installer.
    • A secondary PowerShell back‑door (not part of this rule).
  3. Installation: The VBS script silently launches msiexec.exe to install the ScreenConnect.ClientSetup.msi with /quiet. This creates a new process creation event whose Image ends with ScreenConnect.ClientSetup.msi, satisfying the rule condition.

Regression Test Script

# --------------------------------------------------------------
#  Simulation Script – Triggers "ScreenConnect.ClientSetup.msi"
#  and "_zoommeeting_Zoom_installer_64_bit.exe.vbs" detections
# --------------------------------------------------------------

# 1. Prepare payloads (in a real test these would be the malicious files)
$payloadDir = "$env:TEMPZoomPhish"
New-Item -Path $payloadDir -ItemType Directory -Force | Out-Null

# Dummy files to emulate the malicious names (hashes can be added later)
$msiPath   = Join-Path $payloadDir "ScreenConnect.ClientSetup.msi"
$vbscript  = Join-Path $payloadDir "_zoommeeting_Zoom_installer_64_bit.exe.vbs"

# Create empty placeholder files (replace with real payloads for live test)
New-Item -Path $msiPath -ItemType File -Force | Out-Null
Set-Content -Path $vbscript -Value @"
' VBS dropper – writes the MSI to disk and launches it
Set objFSO = CreateObject("Scripting.FileSystemObject")
strTemp = objFSO.GetSpecialFolder(2) ' %TEMP%
objFSO.CopyFile "%~dp0ScreenConnect.ClientSetup.msi", strTemp & "ScreenConnect.ClientSetup.msi"
Set objShell = CreateObject("WScript.Shell")
objShell.Run "msiexec /i """ & strTemp & "ScreenConnect.ClientSetup.msi"" /quiet", 0, False
"@ -Encoding ASCII

# 2. Execute the VBS dropper (this will in turn launch msiexec)
cscript.exe //B //Nologo $vbscript

Write-Host "`n[+] Simulation executed – detection should fire now." -ForegroundColor Green

Cleanup Commands

# --------------------------------------------------------------
#  Cleanup – removes artifacts created by the simulation
# --------------------------------------------------------------

$payloadDir = "$env:TEMPZoomPhish"

# Stop any lingering msiexec processes started by the test
Get-Process -Name msiexec -ErrorAction SilentlyContinue | Stop-Process -Force

# Remove temporary files and directory
Remove-Item -Path $payloadDir -Recurse -Force -ErrorAction SilentlyContinue

Write-Host "`n[+] Cleanup complete." -ForegroundColor Yellow

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free