
Fake Zoom, Teams Meeting Invites Use Compromised Certificates to Drop Malware
Why It Matters
Compromised code‑signing certificates let attackers infiltrate corporate networks via familiar collaboration tools, raising the risk of data theft and ransomware. Organizations must rethink reliance on digital signatures and adopt behavior‑based, zero‑trust defenses.
Key Takeaways
- Attack uses stolen EV certificates to bypass security
- Fake updates target Zoom, Teams, Adobe Reader
- Malware drops RMM tools for long‑term backdoor access
- Multiple payloads ensure persistence despite removal attempts
- Zero‑trust and behavior analytics needed to detect such threats
Pulse Analysis
The surge in remote work has turned meeting platforms into prime phishing vectors, but the latest twist goes beyond deceptive links. By hijacking legitimate Extended Validation certificates, threat actors can present malicious installers as authentic software updates. This visual trust, combined with the urgency of "required" updates, compels users to click, effectively turning everyday collaboration tools into covert entry points for attackers. The misuse of a compromised TrustConnect certificate demonstrates how even high‑assurance signing authorities can be weaponized, eroding the foundational trust that operating systems place in signed binaries.
Technically, the campaign employs a layered approach. Initial payloads masquerade as Zoom, Teams, or Adobe Reader executables, but they are merely shells that deploy Remote Monitoring and Management (RMM) utilities. These tools grant attackers persistent, privileged footholds and enable lateral movement. Encoded PowerShell scripts then pull additional agents such as ScreenConnect and MeshAgent, creating redundancy so that removal of one component does not eradicate the intrusion. Even certificates that have been revoked can still function if the malicious file is already trusted on the target machine, highlighting gaps in revocation checking and endpoint protection.
Defending against this evolving threat requires moving beyond signature verification toward a zero‑trust model that incorporates behavioral analytics. Security teams should monitor for anomalous code‑signing usage, cross‑reference signer reputation, and correlate runtime telemetry with known software baselines. User education remains critical: employees must verify update sources through official app stores and ignore unsolicited "update required" prompts. Deploying application control solutions that enforce whitelisting, combined with continuous monitoring of PowerShell activity, can significantly reduce the attack surface and mitigate the risk posed by compromised digital certificates.
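As an added example that is not part of the original article, the detection heuristics described above applied to a few constructed endpoint process events: an installer named like Zoom/Teams/Adobe Reader signed by the wrong publisher, execution despite a revoked certificate, encoded PowerShell spawned by that installer, and an RMM agent install. The event field names, the publisher baseline and all sample values are assumptions, not data from the campaign.

```python
import base64
import re

# Constructed baseline: the publisher each impersonated product should be signed by
EXPECTED_SIGNER = {
    "zoom": "Zoom Video Communications, Inc.",
    "teams": "Microsoft Corporation",
    "acrord": "Adobe Inc.",
}
RMM_AGENTS = ("screenconnect", "meshagent")
ENC_RE = re.compile(r"(?i)powershell.*?\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

def check_event(ev):
    """Return the list of alert reasons for one process-start event (assumed field names)."""
    reasons = []
    image = ev["image"].lower()
    for product, publisher in EXPECTED_SIGNER.items():
        if product in image and ev.get("signer") != publisher:
            reasons.append(f"{ev['image']} signed by unexpected publisher {ev.get('signer')!r}")
    if ev.get("cert_status", "").lower() == "revoked":
        reasons.append("executed although signing certificate is revoked")
    m = ENC_RE.search(ev.get("cmdline", ""))
    if m:
        # -EncodedCommand payloads are base64 over UTF-16LE text
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
        except ValueError:
            decoded = ""
        reasons.append(f"encoded PowerShell spawned by {ev.get('parent')}: {decoded[:60]}")
        if any(agent in decoded.lower() for agent in RMM_AGENTS):
            reasons.append("encoded script references RMM agent")
    if any(agent in image for agent in RMM_AGENTS):
        reasons.append(f"RMM agent installed: {ev['image']}")
    return reasons

def scan(events):
    """Map each alerting image name to its reasons."""
    return {ev["image"]: check_event(ev) for ev in events if check_event(ev)}

# Constructed sample telemetry; the encoded command is built here so it stays readable
ENC_SAMPLE = base64.b64encode(r"Start-Process C:\Temp\ScreenConnect.ClientSetup.exe".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"image": "ZoomInstaller.exe", "signer": "Zoom Video Communications, Inc.",
     "cert_status": "Valid", "parent": "explorer.exe", "cmdline": "ZoomInstaller.exe"},
    {"image": "Zoom_Update_Required.exe", "signer": "Unrelated Company Ltd",
     "cert_status": "Revoked", "parent": "outlook.exe", "cmdline": "Zoom_Update_Required.exe"},
    {"image": "powershell.exe", "signer": "Microsoft Windows", "cert_status": "Valid",
     "parent": "Zoom_Update_Required.exe", "cmdline": "powershell.exe -nop -w hidden -enc " + ENC_SAMPLE},
    {"image": "MeshAgent.exe", "signer": "Unrelated Company Ltd", "cert_status": "Valid",
     "parent": "powershell.exe", "cmdline": "MeshAgent.exe -install"},
]
```

Only the legitimately signed ZoomInstaller.exe event passes silently; the other three each produce at least one reason, and the parent field ties the encoded PowerShell back to the fake update.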