Hackers Used Weaponized Zoom Installer to Gain RDP Access & Deploy BlackSuit Ransomware

The attack began when an unsuspecting victim visited a malicious website mimicking Zoom’s official download page (zoommanager[.]com), where they downloaded what appeared to be a legitimate teleconferencing application installer. This tunneling technique allowed the threat actors to establish remote desktop connections through the compromised domain controller to access file servers, where they deployed WinRAR to archive sensitive data. The DFIR Report researchers noted that after downloading two ZIP archives from the command-and-control server, the malware executed both the legitimate Zoom installer (to maintain the illusion of normality) and the malicious payload. The sophisticated multi-stage attack chain, combined with the nine-day dwell time, demonstrates the threat actors’ patience and methodical approach to maximizing both data theft and encryption impact. After nine days of dwell time, the attack escalated when SectopRAT deployed both Brute Ratel (known as “Badgers”) and Cobalt Strike beacons across the network. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. The weaponized installer, created using Inno Setup, contained a malicious downloader known as “d3f@ckloader” built on Pascal scripting language. The attackers then exfiltrated approximately 934 MB of data using the cloud storage service Bublup before deploying BlackSuit ransomware using PsExec for remote execution. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. These tools facilitated credential harvesting from LSASS memory and lateral movement using Windows remote service creation. Tushar is a Cyber security content editor with a passion for creating captivating and informative content. Cybercriminals recently leveraged a fake Zoom installer to deploy BlackSuit ransomware across an enterprise network. This initial stage established persistence by adding the installation directory to Windows Defender exclusions and marking files as hidden.

This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 31 Mar 2025 08:05:14 +0000

Cyber News related to Hackers Used Weaponized Zoom Installer to Gain RDP Access & Deploy BlackSuit Ransomware

BlackSuit ransomware - what you need to know - What's going on? A cybercriminal group calling itself BlackSuit has claimed responsibility for a series of ransomware attacks, including breaches at schools in central Georgia. And earlier in the year, a zoo in Tampa Bay was targeted by the same ...
1 year ago Tripwire.com Blacksuit

10 Best Ransomware Protection Tools - 2025 - It protects devices from ransomware and other cyber threats using advanced threat intelligence, behavioral analysis, and cloud-based technology. It monitors and prevents ransomware assaults on personal files and automatically restores encrypted ...
1 month ago Cybersecuritynews.com

Zoom flaw enabled hijacking of accounts with access to meetings, team chat - A Zoom flaw that enabled the hijacking of service accounts with access to potentially confidential information was disclosed by bug hunters this week. The vulnerability in the Zoom Rooms feature mostly affected Zoom tenants using email addresses from ...
1 year ago Packetstormsecurity.com Rocke Hunters

How To Protect RDP From Ransomware Attacks - RDP is common across businesses now that roughly half of all Americans can work at least part time from home. Employees can keep their work computers in the office but use them from their home devices through RDP. How Cybercriminals Target RDP As ...
1 year ago Feeds.dzone.com

10 Best Ransomware File Decryptor Tools in 2025 - Kaspersky Rakhni Decryptor contains different decryption tools based on various versions of Rakhni ransomware and helps you decrypt encrypted files on your system. PyLocky Ransomware Decryption Tool is a free and open source developed and released by ...
2 weeks ago Cybersecuritynews.com

CVE-2021-34424 - A vulnerability was discovered in the Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.8.4, Zoom Client for Meetings for Blackberry (for Android and iOS) before version 5.8.1, Zoom Client for Meetings for intune ...
2 years ago

CVE-2021-34423 - A buffer overflow vulnerability was discovered in Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.8.4, Zoom Client for Meetings for Blackberry (for Android and iOS) before version 5.8.1, Zoom Client for ...
2 years ago

Hackers Used Weaponized Zoom Installer to Gain RDP Access & Deploy BlackSuit Ransomware - The attack began when an unsuspecting victim visited a malicious website mimicking Zoom’s official download page (zoommanager[.]com), where they downloaded what appeared to be a legitimate teleconferencing application installer. This tunneling ...
3 weeks ago Cybersecuritynews.com Blacksuit

CVE-2021-36845 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities in YITH Maintenance Mode (WordPress plugin) versions < 1.3.8, there are 46 vulnerable parameters that were missed by the vendor while patching the 1.3.7 version to 1.3.8. ...
3 years ago

BlackSuit ransomware gang claims attack on KADOKAWA corporation - The BlackSuit ransomware gang claimed a recent cyberattack on KADOKAWA corporation and is now threatening to publish stolen data if a ransom is not paid. KADOKAWA is a Japanese media conglomerate that operates numerous companies in film, publishing, ...
9 months ago Bleepingcomputer.com Blacksuit

Royal ransomware may soon rebrand, BlackSuit links confirmed The Register - The FBI and the US govt's Cybersecurity and Infrastructure Security Agency have released fresh guidance on the Royal ransomware operation, saying that evidence suggests it may soon undergo a long-speculated rebrand. The agencies didn't specify a ...
1 year ago Theregister.com Blacksuit

FBI: Royal ransomware asked 350 victims to pay $275 million - The FBI and CISA revealed in a joint advisory that the Royal ransomware gang has breached the networks of at least 350 organizations worldwide since September 2022. In an update to the original advisory published in March with additional information ...
1 year ago Bleepingcomputer.com Blacksuit

Zoom Mobile & Desktop App Flaw Let Attackers Escalate Privileges - The popular video conferencing software Zoom has security issues with its desktop and mobile apps that could allow for privilege escalation. An attacker may be able to obtain elevated privileges within the application or the operating system by ...
1 year ago Cybersecuritynews.com CVE-2023-43583 CVE-2023-43585 CVE-2023-43586 CVE-2023-36540 CVE-2023-36541 CVE-2023-36534 CVE-2023-39216 CVE-2023-39213

CDK Global says all dealers will be back online by Thursday - CDK Global says that its dealer management system, impacted by a massive IT outage following a June 18th ransomware attack, will be back online by Thursday for all car dealerships. The company is also working on restoring access to other affected ...
9 months ago Bleepingcomputer.com Blacksuit

Global Zoom Outage Caused by Server Block Imposed from GoDaddy Registry - The disruption, which began at 11:25 AM PDT and was resolved by 1:12 PM PDT, was traced not to a cyberattack or internal technical failure, but to a server block imposed by GoDaddy Registry the manager of the .us top-level domain after a ...
4 days ago Cybersecuritynews.com

Zoom Launches AI Companion, Available at No Additional Cost - Zoom has pledged to provide artificial intelligence functions on its video-conferencing platform at no additional cost to paid clients. The tech firm believes that including these extra features as part of its paid platform service will provide a ...
1 year ago Cysecurity.news

Medusa Ransomware Turning Your Files into Stone - Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. The Unit 42 ...
1 year ago Unit42.paloaltonetworks.com Medusa

Hive Ransomware: A Detailed Analysis - This past week, on January 26th, to be exact, the FBI successfully shut down the Hive ransomware group and saved victims over a hundred million dollars in ransom payments and remediation costs. As ransomware continues to be a national security threat ...
2 years ago Heimdalsecurity.com LockBit

BlackSuit Claims Dozens of Victims With Ransomware - The BlackSuit ransomware gang has leaked stolen data from attacks against 53 organizations spanning a year. Researchers from ReliaQuest analyzed in-depth an attack that took place in April from the ransomware group, which has been active since May ...
10 months ago Darkreading.com Blacksuit

The Top 10 Ransomware Groups of 2023 - This article takes an in-depth look at the rise in ransomware attacks over the past year and the criminal groups driving the surge in cyber extortion. LockBit has established itself as one of the most notorious ransomware operations since emerging on ...
1 year ago Securityboulevard.com TA505 8base LockBit BianLian Medusa Noescape Black Basta

Ransomware Roundup - The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the 8base ransomware. 8base ...
1 year ago Feeds.fortinet.com 8base

CVE-2024-56547 - In the Linux kernel, the following vulnerability has been resolved: rcu/nocb: Fix missed RCU barrier on deoffloading Currently, running rcutorture test with torture_type=rcu fwd_progress=8 n_barrier_cbs=8 nocbs_nthreads=8 nocbs_toggle=100 ...
3 months ago Tenable.com

Researchers link 3AM ransomware to Conti, Royal cybercrime gangs - Security researchers analyzing the activity of the recently emerged 3AM ransomware operation uncovered close connections with infamous groups, such as the Conti syndicate and the Royal ransomware gang. The 3AM ransomware gang's activity was first ...
1 year ago Bleepingcomputer.com Blacksuit LockBit Threeam

Hackers Exploiting Domain Controller to Deploy Ransomware Using RDP - Attackers likely breached the network via a vulnerable VPN, using Mimikatz to steal credentials (caught by Microsoft Defender for Endpoint, which blocked the initial account, User 1). Microsoft has recently uncovered a sharp rise in ransomware ...
1 week ago Cybersecuritynews.com CVE-2019-0708