Threat actors are executing sophisticated phishing campaigns that impersonate Zoom and Google Meet to silently deploy Teramind onto Windows devices.
While Teramind is a legitimate enterprise endpoint monitoring product, scammers are abusing its stealth features to conduct unauthorized surveillance.
The Infection Chain and Delivery Mechanism
The attack relies on fabricated landing pages that mimic official video communication tools. A now-defunct Zoom campaign utilized the domain uswebzoomus[.]com, while an active Google Meet variant operates from googlemeetinterview[.]click.
The active site displays a fake Microsoft Store page, quietly installing a malicious MSI installer on the victim’s device while showing a fake download button.
Interestingly, the attackers use an unmodified Teramind binary. The installer relies on a built-in .NET custom action called ReadPropertiesFromMsiName.
By embedding a 40-character hex string in the filename, the installer extracts the attacker’s specific instance ID.
This clever technique allows a single binary to serve multiple threat actor accounts simply by altering the filename.
Once executed, the installer runs a pre-flight connectivity check, termed CheckHosts, against the hardcoded Command and Control (C2) server, rt.teramind.co. If the machine cannot reach the server, the installation process aborts.
If the connection is successful, the software installs in “Hidden Agent” mode (TMSTEALTH = 1).
According to Malwarebytes, this stealth deployment hides all taskbar icons and program list entries, leaving the victim with no visual indication of the ongoing surveillance.
Furthermore, the MSI exposes built-in SOCKS5 proxy support, which could allow attackers to disguise C2 traffic to evade network-level detection.
To maintain persistence, the campaign deploys two highly resilient services that automatically restart if terminated.
Malicious Services Deployed
| Service Name | Display Name | Executable | Privilege Level |
|---|---|---|---|
| tsvchst | Service Host | svc.exe -service | LocalSystem |
| pmon | Performance Monitor | pmon.exe | LocalSystem |
Indicators of Compromise (IOCs)
Security teams should monitor their networks for the following indicators associated with this campaign.
| Type | Indicator | Description |
|---|---|---|
| SHA-256 | 644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa | Malicious MSI Installer |
| MD5 | AD0A22E393E9289DEAC0D8D95D8118B5 | Malicious MSI Installer |
| Domain | googlemeetinterview[.]click | Active Google Meet Lure |
| Domain | uswebzoomus[.]com | Offline Zoom Lure |
| C2 Server | rt.teramind.co | Default C2 Callback |
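The network indicators above, matched against DNS-style log lines, as an added example that is not code from the article or from Malwarebytes. The log format (timestamp, client IP, the word "query", queried name) and the sample lines are constructed assumptions; the matching logic treats exact hits and subdomains of an indicator as hits, but not the vendor's parent domain on its own.

```powershell
# Added example, not code from the article or from Malwarebytes: match the
# campaign's network indicators against DNS-style log lines. The log format
# (timestamp, client IP, "query", queried name) is a constructed assumption.
$NetworkIocs = @(
    'googlemeetinterview.click',   # active Google Meet lure
    'uswebzoomus.com',             # offline Zoom lure
    'rt.teramind.co'               # default Teramind C2 callback
)

# Constructed sample log lines; lines 2, 3 and 4 should be flagged, line 5 not.
$SampleLog = @'
2024-01-01T09:00:01Z 10.0.0.15 query www.microsoft.com
2024-01-01T09:01:12Z 10.0.0.15 query googlemeetinterview.click
2024-01-01T09:01:40Z 10.0.0.15 query cdn.googlemeetinterview.click
2024-01-01T09:03:05Z 10.0.0.15 query rt.teramind.co
2024-01-01T09:04:00Z 10.0.0.22 query teramind.co
'@ -split "`n"

function Find-TeramindLureHits {
    param(
        [string[]]$Lines,
        [string[]]$Iocs = $NetworkIocs
    )
    foreach ($line in $Lines) {
        $fields = $line.Trim() -split '\s+'
        if ($fields.Count -lt 4) { continue }
        # Normalise the queried name: strip a trailing dot, lower-case it.
        $queried = $fields[3].TrimEnd('.').ToLowerInvariant()
        foreach ($ioc in $Iocs) {
            # Exact match or a subdomain of the indicator. Suffix matching with a
            # leading dot keeps the vendor's parent domain teramind.co from matching.
            if ($queried -eq $ioc -or $queried.EndsWith(".$ioc")) {
                [pscustomobject]@{
                    Time      = $fields[0]
                    Client    = $fields[1]
                    Queried   = $queried
                    Indicator = $ioc
                }
            }
        }
    }
}

Find-TeramindLureHits -Lines $SampleLog | Format-Table -AutoSize
```

A hit on rt.teramind.co is only meaningful on hosts that are not part of a sanctioned Teramind deployment, since legitimate agents call the same endpoint; the two lure domains, by contrast, have no legitimate use.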
Mitigation and Remediation
Defenders can identify compromised devices by searching for the ProgramData directory GUID {4CEC2908-5CE4-48F0-A717-8FC833D8017A}.
Additionally, security teams should alert on the tsvchst and pmon services running on non-corporate machines, or the unexpected loading of the tm_filter.sys and tmfsdrv2.sys kernel drivers.
To remediate, run `msiexec /x {4600BEDB-F484-411C-9861-1B4DD6070A23} /qb`, manually delete the associated ProgramData directory, and reboot the system to fully unload the kernel drivers from memory.
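A host triage script that checks for the artifacts named in this section (the two services, the two kernel drivers, the ProgramData GUID directory and the MSI product code), plus the downloaded installer by hash or by the 40-hex-character instance ID in its filename described earlier, and wraps the remediation steps above. This is an added example, not code from the article or from Malwarebytes. It assumes the GUID directory sits directly under ProgramData, that the lure MSI lands in the current user's Downloads folder, and that the drivers live under System32\drivers; the function names are the example's own.

```powershell
# Added example, not code from the article or from Malwarebytes: triage a Windows
# host for the artifacts the article lists and, if confirmed unauthorized, run
# the article's remediation. Run from an elevated PowerShell.
# Assumptions: the GUID directory is directly under ProgramData, the lure MSI is
# in the user's Downloads folder, and driver files are under System32\drivers.
$ServiceNames = @('tsvchst', 'pmon')
$DriverNames  = @('tm_filter.sys', 'tmfsdrv2.sys')
$DataDirGuid  = '{4CEC2908-5CE4-48F0-A717-8FC833D8017A}'
$ProductCode  = '{4600BEDB-F484-411C-9861-1B4DD6070A23}'
$MsiSha256    = '644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa'

function Get-TeramindArtifacts {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Auto-restarting LocalSystem services named in the article.
    foreach ($name in $ServiceNames) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc) { $findings.Add([pscustomobject]@{ Type = 'Service'; Value = "$name ($($svc.Status))" }) }
    }

    # 2. Kernel driver files on disk and loaded driver modules of the same name.
    foreach ($drv in $DriverNames) {
        $path = Join-Path $env:SystemRoot "System32\drivers\$drv"
        if (Test-Path -LiteralPath $path) { $findings.Add([pscustomobject]@{ Type = 'DriverFile'; Value = $path }) }
    }
    Get-CimInstance Win32_SystemDriver -ErrorAction SilentlyContinue |
        Where-Object { $_.PathName -and ($DriverNames -contains (Split-Path $_.PathName -Leaf)) } |
        ForEach-Object { $findings.Add([pscustomobject]@{ Type = 'DriverLoaded'; Value = "$($_.Name) ($($_.State))" }) }

    # 3. ProgramData directory named by the GUID (assumed directly under ProgramData).
    $dataDir = Join-Path $env:ProgramData $DataDirGuid
    if (Test-Path -LiteralPath $dataDir) { $findings.Add([pscustomobject]@{ Type = 'ProgramData'; Value = $dataDir }) }

    # 4. MSI product registration under the Uninstall keys (64- and 32-bit views).
    foreach ($hive in 'SOFTWARE', 'SOFTWARE\WOW6432Node') {
        $key = "HKLM:\$hive\Microsoft\Windows\CurrentVersion\Uninstall\$ProductCode"
        if (Test-Path -LiteralPath $key) { $findings.Add([pscustomobject]@{ Type = 'MsiProduct'; Value = $key }) }
    }

    # 5. Downloaded MSI files: the known SHA-256, or a bare 40-hex-character run in
    #    the filename, which is how the installer carries the attacker's instance ID.
    $downloads = Join-Path $env:USERPROFILE 'Downloads'
    Get-ChildItem -Path $downloads -Filter '*.msi' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLowerInvariant()
        if ($hash -eq $MsiSha256) {
            $findings.Add([pscustomobject]@{ Type = 'MsiHash'; Value = $_.FullName })
        } elseif ($_.Name -match '(?<![0-9a-fA-F])[0-9a-fA-F]{40}(?![0-9a-fA-F])') {
            $findings.Add([pscustomobject]@{ Type = 'MsiName'; Value = "$($_.FullName) id=$($Matches[0])" })
        }
    }
    return $findings
}

function Remove-TeramindAgent {
    # The article's remediation: uninstall by product code, delete the ProgramData
    # directory, then reboot so the kernel drivers are unloaded from memory.
    Start-Process -FilePath msiexec.exe -ArgumentList "/x $ProductCode /qb" -Wait
    $dataDir = Join-Path $env:ProgramData $DataDirGuid
    if (Test-Path -LiteralPath $dataDir) { Remove-Item -LiteralPath $dataDir -Recurse -Force }
    Write-Host 'Reboot now to unload tm_filter.sys and tmfsdrv2.sys.'
}

$hits = @(Get-TeramindArtifacts)
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize
    # Remove-TeramindAgent   # uncomment only after confirming the deployment is unauthorized
} else {
    Write-Host 'No Teramind artifacts found.'
}
```

On a corporate machine with a sanctioned Teramind deployment every one of these artifacts is expected, which is why the article scopes the service alert to non-corporate machines; confirm ownership before running the removal function. The filename check will also match any MSI whose name happens to carry another 40-hex-character token such as a SHA-1, so treat an MsiName finding as a lead rather than a verdict.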
