GreyVibe Targets Ukraine with AI-Generated Lures and Custom Malware
2 rules, 8 TTPs
The likely Russian-aligned GreyVibe group is targeting Ukrainian organizations with AI-generated lures delivered via spear-phishing and malicious websites, deploying custom malware such as PhantomRelay, LegionRelay, and FallSpy to exfiltrate sensitive data.
Zoom-themed Phishing Campaign Delivering ConnectWise ScreenConnect
2 rules, 5 TTPs, 4 IOCs
A phishing campaign impersonates Zoom to trick users into downloading and installing ConnectWise ScreenConnect, a legitimate remote monitoring and management tool, allowing attackers to gain persistent remote access, harvest credentials, and deploy secondary malware such as ransomware.
Suspicious Child Processes from Communication Applications
3 rules, 3 TTPs
The detection rule identifies suspicious child processes spawned from communication applications on Windows systems, potentially indicating masquerading or exploitation of vulnerabilities within these applications.
Potential Masquerading as Communication Apps
2 rules, 3 TTPs
Attackers may attempt to evade defenses by masquerading malicious processes as legitimate communication applications such as Slack, WebEx, Teams, Discord, RocketChat, Mattermost, WhatsApp, Zoom, Outlook, and Thunderbird.
Masquerading Business Application Installers
2 rules, 4 TTPs
Attackers masquerade malicious executables as legitimate business application installers to trick users into downloading and executing malware, leveraging defense evasion and initial access techniques.