A new cyberattack campaign is targeting Zoom users by disguising ransomware as the popular video conferencing tool, according to Cybernews. Researchers from DFIR have uncovered a scheme by the BlackSuit ransomware gang, which uses deceptive websites to distribute malicious software.
Instead of downloading Zoom from the official site, unsuspecting users are being lured to fraudulent platforms that closely mimic the real thing. One such site, zoommanager[.]com, tricks users into installing malware. Once downloaded, the BlackSuit ransomware remains dormant for several days before launching its full attack.
The malware first scrapes and encrypts sensitive personal and financial data. Then, victims are presented with a ransom demand to regain access to their files.
BlackSuit has a history of targeting critical infrastructure, including schools, hospitals, law enforcement, and public service systems. The ransomware begins by downloading a malicious loader, which can bypass security tools and even disable Windows Defender.
Researchers found that the malware connects to a Steam Community page to fetch the next-stage server, downloading both the legitimate Zoom installer and malicious payload. It then injects itself into a MSBuild executable, staying inactive for eight days before initiating further actions.
On day nine, it executes Windows Commands to collect system data and deploys Cobalt Strike, a common hacker tool for lateral movement across networks. The malware also installs QDoor, allowing remote access through a domain controller. The final phase involves compressing and downloading key data before spreading the ransomware across all connected Windows systems. Victims’ files are locked with a password, and a ransom note is left behind.
Cybersecurity experts stress the importance of downloading software only from official sources. The genuine Zoom download page is located at zoom[.]us/download, which is significantly different from the deceptive site mentioned earlier.
"Zoom isn't nearly as popular with hackers now as it was a few years ago but given how widely used the service is, it's an easy way to target unsuspecting users online."
To protect against these kinds of attacks, users should remain vigilant about phishing tactics, use reputable antivirus software, and ensure it stays updated. Many modern antivirus tools now offer VPNs, password managers, and multi-device protection, adding extra layers of security.
"As well as making sure you're always downloading software from the correct source, make sure you are aware of common phishing techniques and tricks so you can recognize them when you see them."
It’s also recommended to manually navigate to software websites instead of clicking links in emails or search results, reducing the risk of accidentally landing on malicious clones.
