Be Careful With Fake Zoom Client Downloads
A deceptive email containing a fake Zoom meeting invitation has been identified. Clicking the 'join' button leads to a website prompting users to install a purported Zoom client update. The downloaded executable, 'Session.ClientSetup.exe', is actually malware that installs an MSI package. This package deploys ScreenConnect, a remote access tool, allowing attackers to gain unauthorized access to the victim's computer. The malware establishes persistence by installing itself as a service and connects to a command and control server at tqtw21aa.anondns.net on port 8041. Users are advised to exercise caution when receiving unexpected Zoom invitations or update prompts.
AI Analysis
Technical Summary
This threat involves a phishing campaign that exploits user trust in the Zoom video conferencing platform by sending deceptive emails containing fake Zoom meeting invitations. The email includes a 'join' button that redirects recipients to a malicious website prompting them to download and install a purported Zoom client update. The executable file offered, named 'Session.ClientSetup.exe', is malicious software designed to install an MSI package that deploys ScreenConnect, a legitimate remote access tool (RAT) often abused by attackers to gain unauthorized remote access to victim machines. Once installed, the malware establishes persistence by installing itself as a Windows service, ensuring it remains active even after system reboots. It then connects to a command and control (C2) server at tqtw21aa.anondns.net on port 8041, enabling attackers to remotely control the infected system. The attack chain leverages multiple tactics and techniques, including phishing (T1566), user execution of malicious files (T1204), use of remote access tools (T1219), establishing persistence via services (T1547.001), and command and control over network protocols (T1071). The campaign targets users indiscriminately; no specific Zoom versions are affected, because the attack relies on social engineering to trick victims into executing the malware rather than on any flaw in the Zoom client. Indicators of compromise include the malware hash (f5e467939f8367d084154e1fefc87203e26ec711dbfa83217308e4f2be9d58be) and the C2 domain (tqtw21aa.anondns.net). The use of ScreenConnect allows attackers to perform a wide range of malicious activities such as data exfiltration, credential theft, lateral movement within networks, and potentially deploying further malware or ransomware. No known exploits beyond this phishing vector have been identified in the wild at this time.
Potential Impact
For European organizations, this threat poses significant risks primarily through unauthorized remote access to corporate endpoints. Successful infection can lead to compromise of sensitive data, intellectual property theft, and disruption of business operations. The use of ScreenConnect as a remote access tool enables attackers to move laterally within corporate networks, escalate privileges, and access critical systems, increasing the risk of widespread compromise. Given the widespread adoption of Zoom across European enterprises—especially in sectors such as finance, healthcare, government, and professional services—the potential for data breaches and operational disruption is considerable. The persistence mechanism complicates detection and remediation, allowing attackers long-term access. Additionally, the phishing vector exploits human factors, making it a persistent threat despite technical controls. Organizations may face regulatory consequences under GDPR if personal or sensitive data is compromised. The threat also raises the risk of follow-on attacks, including ransomware deployment or further malware infections after initial access. Overall, the impact spans confidentiality breaches, integrity violations through unauthorized changes, and availability risks if attackers disrupt systems or services.
Mitigation Recommendations
1. Deploy advanced email filtering solutions with capabilities to detect phishing emails, malicious URLs, and fake meeting invitations, specifically tuned to identify spoofed Zoom invites.
2. Conduct regular, targeted user awareness training emphasizing verification of meeting invitations and caution with unsolicited update prompts, especially those received via email links.
3. Implement application whitelisting to prevent execution of unauthorized software such as 'Session.ClientSetup.exe'.
4. Utilize endpoint detection and response (EDR) tools capable of detecting suspicious service installations, unusual process behaviors, and anomalous network connections, particularly to unknown or suspicious domains like tqtw21aa.anondns.net.
5. Monitor and block network traffic to known malicious domains and IP addresses at the firewall and DNS levels to disrupt command and control communications.
6. Enforce multi-factor authentication (MFA) on remote access tools and critical systems to reduce the impact of compromised credentials.
7. Regularly audit installed services and software on endpoints to detect unauthorized persistence mechanisms and remove malicious services promptly.
8. Maintain comprehensive, tested backups and incident response plans to enable recovery from potential ransomware or destructive attacks following compromise.
9. Encourage users to update Zoom clients only through official application channels or verified internal IT communications, avoiding email-based update prompts.
10. Participate in threat intelligence sharing platforms to stay informed about emerging phishing campaigns, indicators of compromise, and attacker tactics related to this threat.
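The following script is an added example, not part of the original advisory or of any vendor tooling, showing how a defender might sweep endpoint and network telemetry for the indicators and behaviours described above (recommendations 4, 5 and 7): the file hash, the downloaded filename, the C2 domain, connections on port 8041, and the installation of a ScreenConnect service. The NDJSON event schema, the host names, the sample events and the assumption that a newly installed service whose name or image path contains "ScreenConnect" is worth review are all constructed for this example; only the hash, domain, port and filename come from the advisory.

```python
"""Sweep constructed NDJSON telemetry for the IoCs in this advisory.

Added example; event schema, hosts and the ScreenConnect service-name
pattern are assumptions, not facts from the advisory.
"""
import hashlib
import json
import re

# Indicators taken from the advisory.
IOC_SHA256 = "f5e467939f8367d084154e1fefc87203e26ec711dbfa83217308e4f2be9d58be"
IOC_DOMAIN = "tqtw21aa.anondns.net"
IOC_PORT = 8041
IOC_FILENAME = "session.clientsetup.exe"  # compared case-insensitively

# Assumption: a fresh service whose name/image path mentions ScreenConnect
# on a host that should not run it is a persistence signal worth triage.
SERVICE_RE = re.compile(r"screenconnect", re.IGNORECASE)

# Constructed sample telemetry (one JSON event per line). ws-01 is infected,
# ws-02 is benign Zoom use, ws-03 only shows a port-8041 connection.
SAMPLE_TELEMETRY = r"""
{"ts": "2025-06-05T15:01:02Z", "host": "ws-01", "type": "file_write", "path": "C:\\Users\\alice\\Downloads\\Session.ClientSetup.exe", "sha256": "f5e467939f8367d084154e1fefc87203e26ec711dbfa83217308e4f2be9d58be"}
{"ts": "2025-06-05T15:01:40Z", "host": "ws-01", "type": "service_install", "service_name": "ScreenConnect Client (constructed)", "image_path": "C:\\Program Files (x86)\\ScreenConnect Client (constructed)\\ScreenConnect.ClientService.exe"}
{"ts": "2025-06-05T15:01:41Z", "host": "ws-01", "type": "dns_query", "query": "tqtw21aa.anondns.net."}
{"ts": "2025-06-05T15:01:42Z", "host": "ws-01", "type": "net_connect", "dest_host": "tqtw21aa.anondns.net", "dest_port": 8041}
{"ts": "2025-06-05T15:05:00Z", "host": "ws-02", "type": "dns_query", "query": "zoom.us."}
{"ts": "2025-06-05T15:05:01Z", "host": "ws-02", "type": "net_connect", "dest_host": "zoom.us", "dest_port": 443}
{"ts": "2025-06-05T15:09:13Z", "host": "ws-03", "type": "net_connect", "dest_host": "10.0.0.5", "dest_port": 8041}
"""


def sha256_matches_ioc(data: bytes) -> bool:
    """True if the SHA-256 of a downloaded file equals the advisory hash."""
    return hashlib.sha256(data).hexdigest() == IOC_SHA256


def check_event(ev: dict) -> list[str]:
    """Return the indicator categories that one telemetry event matches."""
    hits = []
    kind = ev.get("type")
    if kind == "file_write":
        if ev.get("sha256", "").lower() == IOC_SHA256:
            hits.append("hash")
        basename = ev.get("path", "").replace("\\", "/").rsplit("/", 1)[-1]
        if basename.lower() == IOC_FILENAME:
            hits.append("filename")
    elif kind == "dns_query":
        if ev.get("query", "").rstrip(".").lower() == IOC_DOMAIN:
            hits.append("c2_domain")
    elif kind == "net_connect":
        if ev.get("dest_host", "").rstrip(".").lower() == IOC_DOMAIN:
            hits.append("c2_domain")
        if ev.get("dest_port") == IOC_PORT:
            hits.append("c2_port")  # lower confidence on its own
    elif kind == "service_install":
        text = ev.get("service_name", "") + " " + ev.get("image_path", "")
        if SERVICE_RE.search(text):
            hits.append("rat_service")
    return hits


def scan_telemetry(ndjson: str) -> list[dict]:
    """Parse NDJSON and return one finding per event that matched something."""
    findings = []
    for lineno, raw in enumerate(ndjson.strip().splitlines(), 1):
        if not raw.strip():
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            findings.append({"line": lineno, "host": None, "hits": ["unparseable"]})
            continue
        hits = check_event(ev)
        if hits:
            findings.append({"line": lineno, "host": ev.get("host"), "hits": hits})
    return findings


def hosts_to_isolate(findings: list[dict]) -> list[str]:
    """Hosts with both C2 domain contact and a RAT service install."""
    by_host: dict[str, set] = {}
    for f in findings:
        if f["host"]:
            by_host.setdefault(f["host"], set()).update(f["hits"])
    return sorted(h for h, s in by_host.items()
                  if "c2_domain" in s and "rat_service" in s)


if __name__ == "__main__":
    results = scan_telemetry(SAMPLE_TELEMETRY)
    for f in results:
        print(f"line {f['line']:>2} host={f['host']} hits={f['hits']}")
    print("isolate:", hosts_to_isolate(results))
```

The port-only match on ws-03 is reported but does not by itself put the host on the isolation list; a single port number is a weak indicator, while domain contact plus a new ScreenConnect service on a host that should not run it is strong enough to act on.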
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Ireland
Indicators of Compromise
- hash: f5e467939f8367d084154e1fefc87203e26ec711dbfa83217308e4f2be9d58be
- domain: tqtw21aa.anondns.net
Technical Details
- Author: AlienVault
- TLP: white
- References: https://isc.sans.edu/diary/rss/32014
- Adversary: null
- Pulse Id: 6841b92a2822d337bdf7bf39
- Threat Score: null
Indicators of Compromise
Hash
Value | Description
---|---
f5e467939f8367d084154e1fefc87203e26ec711dbfa83217308e4f2be9d58be | (none)
Domain
Value | Description
---|---
tqtw21aa.anondns.net | (none)
Threat ID: 6841d3cd182aa0cae2e90730
Added to database: 6/5/2025, 5:28:45 PM
Last enriched: 7/7/2025, 4:26:16 PM
Last updated: 7/31/2025, 4:05:59 AM