
Weaponized Zoom Installer Used by Hackers to Gain RDP Access and Deploy BlackSuit Ransomware


Cybersecurity researchers have uncovered a sophisticated attack campaign in which threat actors used a trojanized Zoom installer to infiltrate systems, gain Remote Desktop Protocol (RDP) access, and ultimately deploy the BlackSuit ransomware.

The operation demonstrates a highly coordinated, multi-stage malware delivery chain designed to evade detection and maximize impact.

Multi-Stage Malware Deployment

The attack began with a fake Zoom installer hosted on a cloned website resembling the legitimate Zoom application page.

Initial Malicious Zoom via zoommanager[.]com

Users who downloaded the installer unknowingly executed a malicious program bundled with the “d3f@ckloader” downloader.

This loader initiated a series of steps, including disabling security measures, connecting to command-and-control (C2) servers via Pastebin, and downloading additional payloads.

Among these payloads was the SectopRAT malware, which was injected into legitimate processes such as MSBuild.exe to establish persistence and enable the later stages of the attack.
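The behaviours described above (an installer fetched from a look-alike domain, MSBuild.exe launched by something other than a build tool, and a beacon to a paste service) are each individually visible in ordinary endpoint telemetry. The following is an added example, not code from the article or from the researchers it cites, showing how a defender might express those three observations as simple rules over process-creation and network events. The event schema, the `EXPECTED_MSBUILD_PARENTS` baseline, the `TRUSTED_ZOOM_ORIGINS` allowlist, and all sample events are constructed assumptions for illustration; the download-origin field stands in for the Mark-of-the-Web host that a real EDR would record, and the look-alike domain is kept in the defanged form used in the article.

```python
"""Toy detection rules for the trojanized-installer chain described in the article.

All event data below is constructed for illustration; field names are assumptions,
not any vendor's schema.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Event:
    kind: str          # "process" (process creation) or "network" (outbound connection)
    image: str         # full path of the executable
    parent: str = ""   # parent executable path (process events only)
    dest: str = ""     # destination host (network events only)
    origin: str = ""   # host the file was downloaded from, if known (assumed MotW-style field)


# Assumed environment baseline: processes that legitimately spawn MSBuild.exe here.
EXPECTED_MSBUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}
# Assumed allowlist of origins from which a Zoom installer is expected to come.
TRUSTED_ZOOM_ORIGINS = {"zoom.us"}
# Paste services the article names as a C2 channel for the loader.
PASTE_SERVICES = {"pastebin.com"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Apply three rules and return (rule, image, detail) tuples for each hit."""
    findings = []
    for e in events:
        name = basename(e.image)
        # Rule 1: a Zoom-branded installer whose download origin is not the vendor domain.
        if (e.kind == "process" and "zoom" in name and name.endswith(".exe")
                and e.origin and e.origin not in TRUSTED_ZOOM_ORIGINS):
            findings.append(("installer_from_untrusted_origin", e.image, e.origin))
        # Rule 2: MSBuild.exe started by something other than a known build tool
        # (the article describes SectopRAT being injected into MSBuild.exe).
        if (e.kind == "process" and name == "msbuild.exe"
                and basename(e.parent) not in EXPECTED_MSBUILD_PARENTS):
            findings.append(("msbuild_unexpected_parent", e.image, basename(e.parent)))
        # Rule 3: any process connecting to a paste service (loader C2 via Pastebin).
        if e.kind == "network" and e.dest.lower() in PASTE_SERVICES:
            findings.append(("paste_service_connection", e.image, e.dest))
    return findings


# Constructed sample telemetry: three malicious events and two benign ones.
MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [
    Event("process", r"C:\Users\alice\Downloads\ZoomInstaller.exe",
          parent=r"C:\Windows\explorer.exe", origin="zoommanager[.]com"),
    Event("process", MSBUILD, parent=r"C:\Users\alice\Downloads\ZoomInstaller.exe"),
    Event("network", MSBUILD, dest="pastebin.com"),
    Event("process", MSBUILD,
          parent=r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"),
    Event("network", r"C:\Program Files\Zoom\bin\Zoom.exe", dest="zoom.us"),
]


def sample_findings() -> List[Tuple[str, str, str]]:
    """Run the rules over the constructed sample; expected to yield three hits."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, image, detail in sample_findings():
        print(f"{rule:35} {basename(image):15} {detail}")
```

The rules are deliberately narrow and tuned to the assumed baseline; in a real deployment the parent allowlist for MSBuild.exe and the installer origin allowlist would be derived from the organisation's own telemetry, and each hit would be correlated with the others on the same host rather than alerted in isolation.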

After an eight-day dwell period, SectopRAT deployed Brute Ratel and Cobalt Strike payloads ...


Copyright of this story solely belongs to gbhackers.