A new cyber campaign is exploiting Zoom’s remote control feature to install malware, exfiltrate data, and hijack victim devices, researchers have warned.

The attack, linked to a threat group called Elusive Comet, tricks users into granting remote access during fake Zoom interviews arranged via bogus Calendly links and spoofed Bloomberg emails. Once on the call, attackers rename themselves “Zoom” to make their remote control request look like a harmless system notification.

Trail of Bits, who uncovered the attack, warned that “users habituated to clicking ‘Approve’ on Zoom prompts may grant complete control of their computer without realising the implications.” This method bypasses technical vulnerabilities and instead relies on exploiting normal user behaviour and trust in legitimate platforms.

Security experts say the incident highlights the growing threat of ‘living off trusted services’ (LOTS) attacks, with Mimecast noting over five billion such threats were flagged in late 2024 alone. Using Zoom and Calendly links makes these attacks harder to detect and block.

Businesses can protect themselves by blocking Zoom’s remote control permissions, encouraging browser-based meeting tools like Google Meet, hardening authentication with security keys, and training staff to spot suspicious activity during video calls.