Zoom’s Remote Control Feature

Trail of Bits has documented a sophisticated attack campaign by the threat actor ELUSIVE COMET that abuses Zoom’s legitimate remote control feature to gain unauthorized access to victims’ computers. 

The attackers have successfully targeted cryptocurrency professionals using a combination of social engineering and interface manipulation, resulting in millions of dollars in cryptocurrency theft.

Multi-Stage Attack Leveraging Social Media and Zoom’s Remote Control Feature

The ELUSIVE COMET operation begins with attackers masquerading as legitimate media organizations, specifically “Bloomberg Crypto,” to invite high-profile targets for interviews. 


These invitations arrive via social media platforms like Twitter (X), using carefully crafted sock puppet accounts that mimic legitimate industry professionals. 

The attackers decline to communicate over email, instead directing victims to Calendly booking pages that look professional at first glance but are controlled by the attackers.

Once the target joins the Zoom call, the attack exploits a weakness in Zoom’s user experience design rather than a software vulnerability. 

While the victim is sharing their screen, the attackers request remote control access, a legitimate Zoom feature, and at the same time change their own display name to “Zoom” so that the request looks like a system notification. 

The permission dialog simply states “$PARTICIPANT is requesting remote control of your screen,” so with the display name set to “Zoom” the victim sees “Zoom is requesting remote control of your screen,” a dangerous ambiguity.

“This attack exploits the permission dialog’s similarity to other harmless Zoom notifications,” notes the Trail of Bits report.

“Users habituated to clicking ‘Approve’ on Zoom prompts may grant complete control of their computer without realizing the implications.”

If permission is granted, the attackers gain full control of the victim’s keyboard and mouse, allowing them to install malware, exfiltrate sensitive data, or initiate transactions that drain cryptocurrency wallets. 

This methodology mirrors the techniques used in February’s devastating $1.5 billion Bybit hack, indicating a shift toward attacks that exploit operational security failures rather than software vulnerabilities.

Technical Indicators and Protection Measures

Security researchers have identified several indicators of compromise (IoCs) associated with ELUSIVE COMET, including:

Organizations can implement technical controls to prevent abuse of this feature. On macOS, Zoom can only drive the local keyboard and mouse if it holds the Accessibility permission, so the controls below target that permission. 

Trail of Bits recommends deploying Privacy Preferences Policy Control (PPPC) profiles that prevent Zoom from requesting or receiving the Accessibility permission at the macOS system level.

Their script create_zoom_pppc_profile.bash creates a system-wide profile that blocks this attack vector entirely.

For active defense, the disable_zoom_accessibility.bash script interfaces with macOS’s Transparency, Consent and Control (TCC) framework to continuously monitor for, and reset, any Accessibility permission granted to Zoom. 
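The following bash script is an added example of that monitor-and-reset pattern; it is not Trail of Bits’ disable_zoom_accessibility.bash and not from this article. It assumes the system TCC store at /Library/Application Support/com.apple.TCC/TCC.db with the macOS 11+ schema (an `access` table whose `auth_value` column is 2 for an allowed entry), Zoom’s bundle ID us.zoom.xos, and that revocation is done with `tccutil reset Accessibility`. The sample rows embedded in it are constructed for offline checking, not taken from a real machine.

```bash
#!/usr/bin/env bash
# Added example: poll the system TCC database for an Accessibility grant to
# Zoom and revoke it. Not Trail of Bits' script. Assumes the macOS 11+ TCC
# schema; pre-Big Sur systems use an `allowed` column instead of `auth_value`.
set -eu

ZOOM_BUNDLE_ID="us.zoom.xos"
TCC_SERVICE="kTCCServiceAccessibility"
TCC_DB="/Library/Application Support/com.apple.TCC/TCC.db"   # system-wide store

# Read the live rows. Needs root, and the terminal or launchd job running this
# must itself hold Full Disk Access, otherwise SIP hides TCC.db even from root.
query_tcc_rows() {
  sqlite3 -separator '|' "$TCC_DB" \
    "SELECT service, client, auth_value FROM access
      WHERE service = '$TCC_SERVICE' AND client = '$ZOOM_BUNDLE_ID';"
}

# Decide from service|client|auth_value rows on stdin whether Zoom currently
# holds Accessibility. auth_value 2 = allowed; 0 = denied; anything else is not
# a usable grant. Returns 0 (true) when a grant exists, 1 otherwise.
rows_show_grant() {
  local service client auth
  while IFS='|' read -r service client auth; do
    [ -z "$service" ] && continue
    if [ "$service" = "$TCC_SERVICE" ] && [ "$client" = "$ZOOM_BUNDLE_ID" ] \
       && [ "$auth" = "2" ]; then
      return 0
    fi
  done
  return 1
}

# tccutil(1) deletes the entry, so the next remote-control attempt prompts again
# instead of silently succeeding; a deployed PPPC deny profile suppresses even that.
revoke_zoom_accessibility() {
  tccutil reset Accessibility "$ZOOM_BUNDLE_ID"
}

# Poll every N seconds (default 30), logging to the unified log via logger(1).
monitor_loop() {
  local interval="${1:-30}"
  while :; do
    if query_tcc_rows | rows_show_grant; then
      logger -t zoom-tcc-watch "Accessibility granted to $ZOOM_BUNDLE_ID; revoking"
      revoke_zoom_accessibility
    fi
    sleep "$interval"
  done
}

# Constructed sample rows (not from a real machine) for offline checking.
SAMPLE_GRANTED='kTCCServiceAccessibility|us.zoom.xos|2'
SAMPLE_NO_GRANT='kTCCServiceAccessibility|us.zoom.xos|0
kTCCServiceScreenCapture|us.zoom.xos|2'

# Usage: sudo ./zoom_tcc_watch.sh monitor [interval-seconds]
if [ "${1:-}" = "monitor" ]; then
  monitor_loop "${2:-30}"
fi
```

Note that a ScreenCapture grant alone (second constructed row) is not flagged: screen sharing is what the victim intends to do, and revoking it would not stop remote control. Only the Accessibility grant lets Zoom inject input.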

Organizations handling particularly sensitive information should consider removing Zoom entirely with the uninstall_zoom.bash script and moving to browser-based alternatives, which run inside the browser sandbox and cannot take control of the host’s keyboard and mouse.

“As we’ve entered the era of operational security failures, organizations must evolve their defensive posture to address these human-centric attack vectors,” reads the report.

For cryptocurrency organizations in particular, implementing a multi-layered defense combining technical controls, user training, and operational security awareness has become essential to preventing these increasingly sophisticated attacks.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.