New Malware Campaign Targets Zoom Users

Fake Zoom Sites Spreading Vidar Stealer

During a routine threat hunting exercise, Cyble Research and Intelligence Labs (CRIL) came across a tweet where a researcher mentioned the creation of multiple fake Zoom sites. All these sites have the same user interface. These sites are created with the express intent of spreading malware disguised as the legitimate Zoom application.

During further investigation, we discovered that these sites were spreading Vidar Stealer. Vidar is an Information Stealing malware that steals the victim’s banking information, saved passwords, IP addresses, browser history, login credentials, and crypto-wallets. This stealer has links to the Arkei stealer. The figure below shows the Fake Zoom Site.

Figure 1 – Fake Zoom Site


The fake Zoom sites which are currently in use include:

  • zoom-download[.]host
  • zoom-download[.]space
  • zoom-download[.]fun
  • zoomus[.]host
  • zoomus[.]tech
  • zoomus[.]website

The site redirects to the following GitHub URL in the backend to download the malicious application.

https[:]//github[.]com/sgrfbnfhgrhthr/csdvmghfmgfd/raw/main/ The figure below shows the redirects that occurred in the backend.

Figure 2 – Backend Site Redirects

Upon execution, the malicious application drops two binaries in the temporary folder :

  • Decoder.exe

Decoder.exe is a malicious .NET binary that injects the malicious stealer code into MSBuild.exe. Microsoft Build Engine (MSBuild) is a platform used to build applications. ZOOMIN~1.EXE is a clean file that launches the legitimate Zoom installer.

Figure 3 – Execution Flow

The figure below shows the Process Tree of the malicious application.

Figure 4 – Process Tree

After being injected into MSBuild.exe, the malware extracts the IP addresses that host the DLLs and configuration data. The malware uses the below mentioned URLs to extract the IP addresses if anyone of them are online.

  • https[:]//t[.]me/karacakahve
  • https[:]//ieji[.]de/@tiagoa96

The figure below shows the malware’s network activity.

Figure 5 – Network Activity

Threat Actors (TA) have used this technique to hide Command and Control (C&C) IP addresses. The figure below shows the IP present on the profile description of Telegram user “@karacakahve” and user ID “@tiagoa96” on

Figure 6 – Hiding the C&C IP in description

The malware receives the configuration data and DLLs from the C&C servers at this stage. The figure below displays the network activity with the C&C server.

Figure 7 – C&C Communication

We found that this malware had overlapping Tactics, Techniques, and Procedures (TTPs) with Vidar Stealer. In comparison with our previous analysis of Vidar Stealer, this malware Payload hides the C&C IP address in the Telegram description. The rest of the infection techniques appear to be similar.

The figure below shows the Hardcoded stealer strings.

Figure 8 – Hardcoded Vidar Stealer Strings

Upon successful execution, the malware uses the following commands to uninstall itself from the victim’s device.

“C:\Windows\System32\cmd.exe” /c taskkill /im MSBuild.exe /f & timeout /t 6 & del /f /q

“C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe” & del C:\PrograData\*.dll & exit


Based on our recent observations, TAs actively run multiple campaigns to spread information stealers. Stealer Logs can provide access to compromised endpoints, which are sold on cybercrime marketplaces. We have seen multiple breaches where stealer logs have provided the necessary initial access to the victim’s network. This campaign appears to target Zoom users. We suggest identifying the legitimacy of the source before downloading any executables.

Our Recommendations 

​We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below: ​ 

  • Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc., contains such malware.  
  • Use strong passwords and enforce multi-factor authentication wherever possible.   
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.  
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.  
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.   
  • Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.  
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.  
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs.

MITRE ATT&CK® Techniques 


​Tactic ​Technique ID ​Technique Name 
​Initial Access T1566 ​Phishing 
​Execution T1204 ​User Execution 
​Credential Access T1555 
​Credentials from Password Stores 
Steal Web Session Cookie 
Unsecured Credentials 
​Collection T1113 ​Screen Capture 
​Discovery T1087 
T1518  ​
T1007  ​
​Account Discovery  ​
Software Discovery 
​Process Discovery  ​
System Service Discovery  ​
System Location Discovery 
​Command and Control T1095 ​Non-Application Layer Protocol 
​Exfiltration T1041 ​Exfiltration Over C&C Channel   


Indicators of Compromise (IoCs):   


​Indicators ​Indicator type ​Description 
Malicious Zoom Application
Loader File
79[.]124.78.206IPC&C IP
116[.]202.179.139IPC&C IP
193[.]106.191.223IPMalicious IP

Comments are closed.

Scroll to Top