Mitigating ELUSIVE COMET Zoom Remote Control Attacks

Summary:
Researchers at Trail of Bits have uncovered details of a sophisticated social engineering campaign orchestrated by the threat actor known as ELUSIVE COMET, notorious for stealing millions in cryptocurrency. In this latest campaign, high-profile individuals are being targeted for fake interviews conducted via Zoom. The attackers initiate contact on Twitter, using fraudulent accounts that impersonate reputable figures within the cryptocurrency space. Victims are invited to participate in a “Bloomberg Crypto” series and are directed to seemingly legitimate Calendly pages to schedule the call.

Notably, the attackers avoid email communication entirely, opting instead for these professional-looking scheduling platforms to maintain credibility. During the Zoom session, the threat actors ask victims to share their screens and then request control through Zoom’s remote control feature. Ordinarily, such a prompt would read “$PARTICIPANT is requesting remote control of your screen.” However, in this campaign, the attackers rename themselves to “Zoom,” making the prompt appear as a benign system notification. If the victim grants access, the attackers can deploy malware, exfiltrate sensitive data, or carry out cryptocurrency theft.

Security Officer Comments:
This campaign is reminiscent of the $1.5 billion Bybit hack from February, where attackers exploited legitimate workflows rather than software vulnerabilities, underscoring the growing dominance of operational security failures in the blockchain industry. As technical systems become more robust, researchers note that human-centric attacks are emerging as the bigger threat. The ELUSIVE COMET operation exemplifies this shift, leveraging a sophisticated combination of social proof, time pressure, and interface manipulation to compromise victims. The attack unfolds within the context of a seemingly routine business interaction, using ambiguous Zoom permission prompts that obscure the security risks. It exploits habitual user behavior, such as automatically approving prompts, and capitalizes on the victim’s divided attention during what appears to be a professional engagement, reducing their likelihood of detecting the deception.

Suggested Corrections:
Recommendations from Trail of Bits:
  • Endpoint protection: CrowdStrike Falcon Complete with 24/7 managed hunting and response, configured in the “Active” security posture with aggressive cloud and sensor-based ML prevention settings. This configuration enables real-time behavioral detection of suspicious process activities—particularly unauthorized attempts to access system accessibility features—even when the malware is previously unknown or fileless.
  • OS security: Mandatory company-wide upgrades to the latest major macOS version once its .1 release becomes available. Apple consistently narrows attack surfaces with each major OS release, introducing features that mitigate classes of vulnerabilities rather than just patching individual bugs. This zero-tolerance approach to legacy macOS versions strengthens our security baseline.
  • Authentication hardening: Mandatory security key authentication for all Google Workspace accounts. Every employee receives a YubiKey during onboarding with zero exceptions granted for weaker authentication methods (TOTP, SMS, etc.). Google SSO serves as our primary authentication provider, extending this hardware-based phishing resistance to all supported services. This implementation creates a hard security boundary that even sophisticated social engineering can’t bypass.
  • Password management: 1Password deployed company-wide with preinstalled browser extensions for all employees. The extension’s domain-matching logic prevents credential autofill on mismatched domains (e.g., g00gle.com vs google.com), creating deliberate friction when employees encounter potential phishing sites. This forces a conscious copy-paste action for credentials on suspicious domains—a simple but effective cognitive interrupt that triggers security awareness.
  • Communication platform choices: Primary use of Google Meet over Zoom due to its browser-based security model. Browser-based communication tools inherit the security model of the browser itself, limiting their access to system resources. Chrome’s sandbox prevents web applications from accessing local system resources without explicit permission, creating a more controlled execution environment than installed applications can provide.
  • Restrictive application controls: When Zoom is required, it’s wrapped with additional security controls and routinely removed from systems. Through threat intelligence and our own security research, we identify high-risk applications that are frequently abused in attacks. We apply additional controls to these “tallest blades of grass” to limit their access to system resources and regularly remove them when not actively needed.
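On macOS, Zoom can only take remote control of a session if it holds the Accessibility permission, so one concrete way to apply the “limit their access to system resources” control above is to audit which applications currently hold that grant. The script below is an added example, not code from the advisory or from Trail of Bits; it assumes the `access` table layout of the system TCC database (`service`, `client`, `client_type`, `auth_value`, with `auth_value` 2 meaning allowed), assumes Zoom’s bundle id is `us.zoom.xos`, and runs against a constructed in-memory copy so it works offline.

```python
"""Audit macOS Accessibility grants, the permission Zoom needs for remote control.

Added example (not from the advisory or Trail of Bits). Assumptions: the TCC
`access` table has columns service, client, client_type, auth_value, where
auth_value == 2 means allowed; Zoom's bundle id is us.zoom.xos. Reading the
real database requires root and Full Disk Access.
"""
import sqlite3
from typing import Iterable

ACCESSIBILITY = "kTCCServiceAccessibility"
ALLOWED = 2  # auth_value meaning "allowed" in the assumed TCC schema
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"


def accessibility_grants(conn: sqlite3.Connection) -> list[str]:
    """Return the clients (bundle ids or paths) currently allowed Accessibility."""
    rows = conn.execute(
        "SELECT client FROM access WHERE service = ? AND auth_value = ? ORDER BY client",
        (ACCESSIBILITY, ALLOWED),
    )
    return [row[0] for row in rows]


def unexpected_grants(conn: sqlite3.Connection, allowlist: Iterable[str]) -> list[str]:
    """Grants held by clients outside the allowlist; each one is worth review,
    because a remote-control request approved by a user exercises this grant."""
    allowed = set(allowlist)
    return [client for client in accessibility_grants(conn) if client not in allowed]


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for TCC.db so the audit can run offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER)"
    )
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        (ACCESSIBILITY, "us.zoom.xos", 0, ALLOWED),            # Zoom: remote control possible
        (ACCESSIBILITY, "com.1password.1password", 0, ALLOWED),  # expected, on the allowlist
        ("kTCCServiceCamera", "us.zoom.xos", 0, ALLOWED),        # camera grant, out of scope
        (ACCESSIBILITY, "com.example.helper", 0, 0),             # denied, so not reported
    ])
    return conn


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None  # pass the real TCC.db path on a Mac
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True) if path else build_sample_db()
    for client in unexpected_grants(conn, ["com.1password.1password"]):
        print(f"review: {client} holds Accessibility")
```

On a Mac, a flagged grant can be revoked with `tccutil reset Accessibility us.zoom.xos`, which forces the next remote control attempt to raise the system permission dialog again instead of succeeding silently.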
Link(s):
https://blog.trailofbits.com/2025/04/17/mitigating-elusive-comet-zoom-remote-control-attacks/