Researchers are tracking a campaign distributing trojanized Zoom and WebEx installers to steal credentials and other sensitive data. The culprit, not that it matters, are Russians. This serves as a reminder that attackers are increasingly weaponizing trusted business software instead of relying on traditional phishing lures.
You get get more info here: https://www.bleepingcomputer.com/news/security/russian-hackers-trojanize-webex-zoom-apps-to-push-starland-malware/
Donald McFarlane, Advisory Board Member, Xcape, Inc.
“Trust is part of the attack surface: attackers do not need to invent unfamiliar lures when they can impersonate the applications, people and workflows that employees already trust.
“AI continues to raise the quality and scale of such attacks. Adversaries can produce more convincing phishing, deepfakes, counterfeit interfaces and customized malware far faster than before, and security programs must therefore assume that even careful users will sometimes be deceived. The answer is not more training alone, but stronger controls around software provenance, managed installation, application execution, identity, endpoint behavior and unusual network activity.
“Organizations should design systems so that a convincing fake cannot easily become a compromise, and so that blast radii are limited.”
Kevin Surace, CEO, Token (https://www.linkedin.com/in/ksurace)
“Attackers impersonate applications such as Zoom and Webex because employees already recognize, trust, and routinely install them. A familiar product removes much of the hesitation that an unknown application would create and makes the malicious download appear to be part of normal business activity.
“The attackers do not need to invent a compelling new story. They simply borrow the reputation, branding, and expected behavior of software the victim already uses.
“User trust has become one of the attacker’s most effective tools. The victim is not persuaded to run something that looks malicious, but rather something that appears necessary and legitimate. This is why employee awareness alone cannot solve the problem. Attackers only need one employee to trust the wrong installer once, and increasingly convincing websites, messages, and software packages make that mistake difficult to eliminate completely.
“Organizations should prevent employees from installing unauthorized software and distribute approved applications through controlled enterprise software portals. Application allowlisting, code signing verification, endpoint detection, restricted scripting tools, browser download controls, network segmentation, and automatic isolation of suspicious systems can help stop the malware before it becomes established.
“Organizations must also protect the identities and accounts the malware is designed to steal. Hardware based biometric assured identity makes stolen passwords and authentication codes useless because access still requires the registered physical device, the authorized user’s fingerprint, proximity to the computer, and a cryptographic request from the legitimate domain.
“Biometric assured identity does not replace endpoint security or prevent someone from downloading malware. It ensures that even when malware captures credentials, attackers cannot simply reuse them from another device to enter protected applications, cloud services, or corporate networks.”
Jacob Krell, Sr. Director, Secure AI Solutions & Cybersecurity, Suzu Labs (https://www.linkedin.com/in/jacob-krell)
“The shift to hybrid work changed how business software gets installed. Five years ago, IT deployed conferencing and collaboration tools through managed packages. Now employees download Zoom, WebEx, and remote administration tools themselves five minutes before a meeting or a support session, with no oversight and no verification beyond ‘does the website look right.’
UAT-11795 is exploiting that behavioral shift across multiple categories, from conferencing platforms to database clients to developer utilities. A trojanized installer works because the real software actually installs and runs. The user joins their meeting, opens their database, never suspects a thing. Meanwhile, endpoint security has improved at catching novel binaries, so attackers wrapped their payload inside software the endpoint already expects to see.
“User trust has become just the first domino in these attacks. The security stack trusts these applications too. EDR tools baseline their behavior and suppress alerts on their process activity. Firewalls allow their traffic patterns. Allowlists include their binary names.
“When attackers wrap malware inside a WebEx or Zoom installer, they inherit trust at every layer simultaneously, from the human, the endpoint agent, the network policy, and the application control rules. Enterprise business software sits at the intersection of human trust and automated trust. Attackers are picking targets where those compound.
“Organizations should restrict where software installs come from. If users can only install applications through a managed catalog like Intune or SCCM, a trojanized installer from a random URL never executes. That’s the prevention layer most orgs skip because it creates friction with end users.
“For detection, publisher code signature verification on installers is the first check. UAT-11795 used NSIS to package their payload, so the installer carries no legitimate vendor signature. Most orgs enforce signature checks on running executables but not on the installers that put them there.
“Process lineage monitoring is the backstop. Conferencing software spawning Python interpreters, database tools creating scheduled tasks with random suffixes, those are process tree anomalies that EDR can catch if the detection rules exist. I’ve seen environments where broad filename matching on the allowlist lets anything that looks like a business app sail through unchecked.”‘
This should serve as a warning that only trusted apps, as in trusted from your organization, are the only ones that need to be installed. All others should be discarded like the garbage that they are.
Trojanized Zoom/WebEx installers expose a growing trust problem
Posted in Commentary with tags WebEx, Zoom on July 17, 2026 by itnerdResearchers are tracking a campaign distributing trojanized Zoom and WebEx installers to steal credentials and other sensitive data. The culprit, not that it matters, are Russians. This serves as a reminder that attackers are increasingly weaponizing trusted business software instead of relying on traditional phishing lures.
You get get more info here: https://www.bleepingcomputer.com/news/security/russian-hackers-trojanize-webex-zoom-apps-to-push-starland-malware/
Donald McFarlane, Advisory Board Member, Xcape, Inc.
“Trust is part of the attack surface: attackers do not need to invent unfamiliar lures when they can impersonate the applications, people and workflows that employees already trust.
“AI continues to raise the quality and scale of such attacks. Adversaries can produce more convincing phishing, deepfakes, counterfeit interfaces and customized malware far faster than before, and security programs must therefore assume that even careful users will sometimes be deceived. The answer is not more training alone, but stronger controls around software provenance, managed installation, application execution, identity, endpoint behavior and unusual network activity.
“Organizations should design systems so that a convincing fake cannot easily become a compromise, and so that blast radii are limited.”
Kevin Surace, CEO, Token (https://www.linkedin.com/in/ksurace)
“Attackers impersonate applications such as Zoom and Webex because employees already recognize, trust, and routinely install them. A familiar product removes much of the hesitation that an unknown application would create and makes the malicious download appear to be part of normal business activity.
“The attackers do not need to invent a compelling new story. They simply borrow the reputation, branding, and expected behavior of software the victim already uses.
“User trust has become one of the attacker’s most effective tools. The victim is not persuaded to run something that looks malicious, but rather something that appears necessary and legitimate. This is why employee awareness alone cannot solve the problem. Attackers only need one employee to trust the wrong installer once, and increasingly convincing websites, messages, and software packages make that mistake difficult to eliminate completely.
“Organizations should prevent employees from installing unauthorized software and distribute approved applications through controlled enterprise software portals. Application allowlisting, code signing verification, endpoint detection, restricted scripting tools, browser download controls, network segmentation, and automatic isolation of suspicious systems can help stop the malware before it becomes established.
“Organizations must also protect the identities and accounts the malware is designed to steal. Hardware based biometric assured identity makes stolen passwords and authentication codes useless because access still requires the registered physical device, the authorized user’s fingerprint, proximity to the computer, and a cryptographic request from the legitimate domain.
“Biometric assured identity does not replace endpoint security or prevent someone from downloading malware. It ensures that even when malware captures credentials, attackers cannot simply reuse them from another device to enter protected applications, cloud services, or corporate networks.”
Jacob Krell, Sr. Director, Secure AI Solutions & Cybersecurity, Suzu Labs (https://www.linkedin.com/in/jacob-krell)
“The shift to hybrid work changed how business software gets installed. Five years ago, IT deployed conferencing and collaboration tools through managed packages. Now employees download Zoom, WebEx, and remote administration tools themselves five minutes before a meeting or a support session, with no oversight and no verification beyond ‘does the website look right.’
UAT-11795 is exploiting that behavioral shift across multiple categories, from conferencing platforms to database clients to developer utilities. A trojanized installer works because the real software actually installs and runs. The user joins their meeting, opens their database, never suspects a thing. Meanwhile, endpoint security has improved at catching novel binaries, so attackers wrapped their payload inside software the endpoint already expects to see.
“User trust has become just the first domino in these attacks. The security stack trusts these applications too. EDR tools baseline their behavior and suppress alerts on their process activity. Firewalls allow their traffic patterns. Allowlists include their binary names.
“When attackers wrap malware inside a WebEx or Zoom installer, they inherit trust at every layer simultaneously, from the human, the endpoint agent, the network policy, and the application control rules. Enterprise business software sits at the intersection of human trust and automated trust. Attackers are picking targets where those compound.
“Organizations should restrict where software installs come from. If users can only install applications through a managed catalog like Intune or SCCM, a trojanized installer from a random URL never executes. That’s the prevention layer most orgs skip because it creates friction with end users.
“For detection, publisher code signature verification on installers is the first check. UAT-11795 used NSIS to package their payload, so the installer carries no legitimate vendor signature. Most orgs enforce signature checks on running executables but not on the installers that put them there.
“Process lineage monitoring is the backstop. Conferencing software spawning Python interpreters, database tools creating scheduled tasks with random suffixes, those are process tree anomalies that EDR can catch if the detection rules exist. I’ve seen environments where broad filename matching on the allowlist lets anything that looks like a business app sail through unchecked.”‘
This should serve as a warning that only trusted apps, as in trusted from your organization, are the only ones that need to be installed. All others should be discarded like the garbage that they are.
Leave a comment »