Analyzing the Operation Chain and Defense Points of Zoom and Calendly Phishing Attacks
TechFlow Selected TechFlow Selected
Analyzing the Operation Chain and Defense Points of Zoom and Calendly Phishing Attacks
Fake conference, real crisis.
Navigating Web3 tides with focused insightsAuthor: Dr. Awesome Doge
Recently, the cryptocurrency community has seen frequent security disasters. Attackers use Calendly to schedule meetings and send seemingly normal "Zoom links" to lure victims into installing disguised Trojan programs, even gaining remote control over their computers during the meeting. In an instant, wallets and Telegram accounts are completely compromised.
This article provides a comprehensive analysis of such attacks' operation chains and defense points, along with full reference materials for community sharing, internal training, or self-auditing purposes.
Dual Objectives of the Attacker
-
Digital Asset Theft
Using malware such as Lumma Stealer, RedLine, or IcedID, attackers directly steal private keys and seed phrases from browsers or desktop wallets, quickly transferring out cryptocurrencies like TON and BTC.
References:
Microsoft Official Blog
Flare Threat Intelligence
https://flare.io/learn/resources/blog/redline-stealer-malware/
-
Credential Theft
Stealing Telegram and Google session cookies to impersonate victims, continuously contacting more targets and creating a snowball effect of spreading infections.
References:
d01a Analysis Report
https://d01a.github.io/redline/
Four Steps of the Attack Chain
① Establishing Trust
Impersonating investors, media, or podcast hosts, attackers send formal meeting invitations via Calendly. For example, in the "ELUSIVE COMET" case, attackers posed as Bloomberg Crypto pages to conduct fraud.
References:
Trail of Bits Blog
https://blog.trailofbits.com/2025/04/17/mitigating-elusive-comet-zoom-remote-control-attacks/
② Deploying the Trojan
Using fake Zoom URLs (not .zoom.us) to trick users into downloading malicious versions of ZoomInstaller.exe. This method has been used in multiple incidents between 2023 and 2025 to deploy IcedID or Lumma.
References:
Bitdefender
https://www.bitdefender.com/en-us/blog/hotforsecurity/hackers-used-modified-zoom-installer-and-phishing-campaign-to-deploy-trojan-banker-2, Microsoft
③ Gaining Control During the Meeting
Hackers change their Zoom nickname to "Zoom," ask victims to "test screen sharing," and simultaneously send a remote control request. Once the victim clicks "Allow," their system is fully compromised.
References:
Help Net Security
https://www.helpnetsecurity.com/2025/04/18/zoom-remote-control-attack/
DarkReading
https://www.darkreading.com/remote-workforce/elusive-comet-zoom-victims
④ Spreading and Cashing Out
The malware uploads private keys to immediately withdraw funds or lies dormant for days before using stolen Telegram identities to phish others. RedLine specifically targets Telegram's tdata directory.
References:
d01a Analysis Report
https://d01a.github.io/redline/
Three Emergency Response Steps After Compromise
-
Isolate the Device Immediately
Disconnect Ethernet, turn off Wi-Fi, boot from a clean USB drive and scan; if RedLine/Lumma is detected, full disk formatting and OS reinstallation are recommended.
-
Terminate All Sessions
Transfer cryptocurrency assets to a new hardware wallet; log out all devices on Telegram and enable two-step verification; change passwords for email and exchanges.
-
Monitor Blockchain and Exchanges Simultaneously
If suspicious transactions are detected, immediately contact exchanges to freeze suspicious addresses.
Six Ironclad Rules for Long-Term Defense
-
Dedicated Meeting Device: Use only backup laptops or phones without private keys for unknown meetings.
-
Download Only from Official Sources: Software such as Zoom and AnyDesk must come from official websites; macOS users should disable "Open 'Safe' Files After Downloading."
-
Verify URLs Strictly: Meeting links must end in .zoom.us; Zoom Vanity URLs also follow this rule (official guideline https://support.zoom.us/hc/en-us/articles/215062646-Guidelines-for-Vanity-URL-requests).
-
Three No's Principle: Do not install plugins, do not grant remote access, do not display seed phrases or private keys.
-
Separate Cold and Hot Wallets: Store main assets in cold wallets with PIN + Passphrase; keep only small amounts in hot wallets.
-
Enable 2FA on All Accounts: Fully activate two-factor authentication for Telegram, Email, GitHub, and exchanges.
Conclusion: The Real Danger Behind Fake Meetings
Modern hackers don't rely on zero-day vulnerabilities but on excellent acting skills. They design Zoom meetings that "look perfectly normal," waiting for your mistake.
As long as you develop habits of using isolated devices, downloading only from official sources, and applying multi-layer verification, these tactics will no longer work. May every on-chain user stay away from social engineering traps and protect their treasury and identity.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News
@drawesomedoge
