
Fake interactive Zoom call leads to malicious ScreenConnect download


Attackers used a fake, interactive Zoom call as a lure to convince targets to install a “Zoom update” that actually deployed remote monitoring and management (RMM) software, Sublime reported Wednesday.

Though the attackers did not use an AI video deepfake in this attack, they used AI-generated JavaScript to create the illusion of a real Zoom call experiencing glitches. The imitation includes a spoofed Zoom video call interface and control panel with choppy audio playing in the background.

Unlike a prerecorded video, this webpage allows the user to interact with buttons in the interface, strengthening the illusion of a real Zoom call. Sublime researchers examined the JavaScript and noted that the attacker could easily replace call participants’ names and audio files to tailor the attack to specific victims.

Victims are brought to this fake Zoom page from a fake Zoom meeting invitation email, which the researchers also believe to be AI generated. If the victim clicks the “Start Meeting” button, they are brought to a page on the domain “zoom-meeting[.]yourco-invite[.]live” and prompted to perform a “security check.”

This check is designed to determine whether the victim is using Windows and displays an error stating “Device not supported. Please use Windows.” if a different operating system is detected. If the victim is using Windows, they are then directed to a fake Zoom waiting room and prompted to start their microphone and video after clicking “Joining Meeting.”

Once the victim is on the fake Zoom call page, a pop-up appears after a few seconds saying an update is available, and the victim is then redirected to a fake Microsoft Store page to download the “Zoom Workspace update.” While not a traditional ClickFix attack, the illusion of an error-ridden Zoom call may prompt the victim to install the “update” to “fix” the glitchy audio.

The file “ZoomUpdateInstaller.msi” automatically begins to download once the victim is redirected to the fake Microsoft Store page, but it can also be downloaded by manually clicking the “Install” button. Once the file is installed, instructions are displayed telling the user to double-click the .msi file to update Zoom.

The researchers found that the file actually installs an instance of the legitimate RMM software ScreenConnect, configured to give the attacker control over the victim’s device.

Sublime notes a few giveaways that the initial email is malicious, including the fact that the sender uses a free Gmail account rather than an official Zoom or corporate account, and the fact that zoom-meeting[.]yourco-invite[.]live is not an official Zoom domain. Additionally, the researchers note that Zoom is compatible with operating systems other than Windows, making the “security check” an additional red flag.
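The giveaways Sublime lists (a free webmail sender, a “zoom”-branded link that is not on an official Zoom domain, and a download of an .msi “update”) are simple enough to turn into a mail-gateway heuristic. The following is an added example written for this page, not Sublime’s detection logic or any vendor rule; the official-domain allowlist, the free-provider set and the two sample invitation emails are all assumptions constructed here for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: a small allowlist of domains Zoom itself uses. Extend per org policy.
OFFICIAL_ZOOM_DOMAINS = {"zoom.us", "zoom.com"}
# Assumption: free webmail providers a real Zoom/corporate invite would not come from.
FREE_MAIL_PROVIDERS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _is_subdomain_of(host: str, domains: set[str]) -> bool:
    """True if host equals one of `domains` or is a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze_invite(sender: str, subject: str, body: str) -> list[str]:
    """Return a list of findings (empty if nothing suspicious) for one email.

    Findings mirror the red flags described in the article:
    - a Zoom-themed invite sent from a free webmail account
    - a link whose hostname contains "zoom" but is not under an official Zoom domain
    - a link that delivers an .msi installer (a Zoom invite has no reason to do this)
    """
    findings: list[str] = []
    _, addr = parseaddr(sender)
    sender_domain = addr.rpartition("@")[2].lower()
    mentions_zoom = "zoom" in (subject + " " + body).lower()

    if mentions_zoom and sender_domain in FREE_MAIL_PROVIDERS:
        findings.append("zoom_invite_from_free_mail")

    for link in URL_RE.findall(body):
        parsed = urlparse(link)
        host = (parsed.hostname or "").lower()
        if "zoom" in host and not _is_subdomain_of(host, OFFICIAL_ZOOM_DOMAINS):
            findings.append(f"zoom_lookalike_domain:{host}")
        if parsed.path.lower().endswith(".msi"):
            findings.append(f"msi_download_link:{host}")
    return findings


def is_suspicious(sender: str, subject: str, body: str) -> bool:
    """Gateway verdict: any finding at all is enough to hold the message for review."""
    return bool(analyze_invite(sender, subject, body))


# Constructed sample 1: modelled on the lure in the article (free sender, lookalike domain).
PHISH_SENDER = "Zoom Meetings <meetings.team@gmail.com>"
PHISH_SUBJECT = "Zoom meeting invitation: Q3 planning sync"
PHISH_BODY = (
    "You have been invited to a Zoom meeting.\n"
    "Start Meeting: https://zoom-meeting.yourco-invite.live/start\n"
)

# Constructed sample 2: what a legitimate invite looks like under the same checks.
LEGIT_SENDER = "Zoom <no-reply@zoom.us>"
LEGIT_SUBJECT = "Zoom meeting invitation: Q3 planning sync"
LEGIT_BODY = (
    "You have been invited to a Zoom meeting.\n"
    "Join: https://us02web.zoom.us/j/1234567890\n"
)

if __name__ == "__main__":
    for label, args in (("phish", (PHISH_SENDER, PHISH_SUBJECT, PHISH_BODY)),
                        ("legit", (LEGIT_SENDER, LEGIT_SUBJECT, LEGIT_BODY))):
        print(label, analyze_invite(*args))
```

The hostname check is deliberately an allowlist rather than a blocklist: a lookalike such as zoom-meeting[.]yourco-invite[.]live is caught because it is not under zoom.us or zoom.com, not because anyone had to see it first. The .msi check is a second, independent signal so that a lure hosted on a domain without “zoom” in its name still trips the rule.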

Zoom impersonation is a common phishing tactic, with another recent campaign using both Zoom and Google Meet video call lures to facilitate the installation of Teramind endpoint monitoring software. According to KnowBe4, Zoom was the fifth-most impersonated brand in real reported phishing emails in Q4 2025.
