The Attack Vector

The campaign begins with impersonation. Threat actors pose as legitimate professionals — venture capitalists, recruiters, journalists, or potential partners — and reach out requesting discovery meetings or investment discussions.

The lure is simple: a request to download a “custom high-security AI Video Conferencing tool” for the call. The downloaded file is actually a Remote Access Trojan (RAT).

Primary Targets

• Software developers with access to sensitive codebases
• Venture capitalists and investment professionals
• C-suite executives and founders
• Cryptocurrency holders with significant assets

The “No Sound” Psychological Tactic

The attack exploits a common frustration — technical difficulties during video calls. Here’s how it unfolds:

• The victim joins what appears to be a legitimate call interface
• Audio mysteriously fails — they can see the other “participants” but hear nothing
• “Support staff” in the chat direct users to download an “SDK Update” or “Sound Fixer”
• This download delivers the malware payload

The psychological manipulation is effective because audio issues are common and the “fix” seems reasonable.

Technical Compromise

Once executed, the RAT achieves:

• System persistence — Survives reboots and maintains access
• Credential harvesting — Captures passwords and cryptocurrency seed phrases
• Clipboard interception — Monitors for wallet addresses to redirect transactions
• Screen capture — Records sensitive information displayed on screen
• Keylogging — Captures all keystrokes including authentication codes

Indicators of Compromise

Watch for these suspicious domains impersonating legitimate video services:

• zoom-download[.]id
• zoom-meeting[.]top
• zoomov-incoming-call[.]pages[.]dev
• Any non-official domain claiming to be a video platform

Five Warning Signs

• Proprietary platforms — Requests to use custom tools instead of industry standards like Zoom, Google Meet, or Microsoft Teams
• Required downloads — Legitimate browser-based video calls don’t require software installation
• Suspicious domains — URLs that mimic but don’t match official service domains
• Artificial urgency — Pressure to quickly resolve “technical problems”
• Unsolicited outreach — Initial contact through secondary messaging platforms like Telegram or Discord

Protection Measures

Defend against these attacks by:

• Verifying identities — Confirm meeting requests through official channels
• Using established platforms — Refuse to download custom video software
• Checking domains carefully — Hover over links before clicking
• Maintaining skepticism — Question unexpected meeting requests, especially from unknown contacts
• Separating environments — Use dedicated devices for high-value cryptocurrency operations

Organizational Response

Organizations should train employees to recognize these tactics and establish verification procedures for external meeting requests. Security awareness is the first line of defense against social engineering.

PhishFort helps organizations protect against phishing and social engineering campaigns. Contact us to learn how we can help secure your team.