{
	"id": "36a5562e-e08a-4727-abe6-3ecd08a7c571",
	"created_at": "2026-04-06T00:14:48.859879Z",
	"updated_at": "2026-04-10T03:30:41.44432Z",
	"deleted_at": null,
	"sha1_hash": "118c154c5e3d0ccfa0093055d8dcc54ff41bd9f7",
	"title": "\"Mitigating ELUSIVE COMET Zoom remote control attacks\"",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1294977,
	"plain_text": "\"Mitigating ELUSIVE COMET Zoom remote control attacks\"\r\nBy \"Dan Guido\"\r\nPublished: 2025-04-17 · Archived: 2026-04-05 16:04:44 UTC\r\nWhen our CEO received an invitation to appear on “Bloomberg Crypto,” he immediately recognized the\r\nhallmarks of a sophisticated social engineering campaign. What appeared to be a legitimate media opportunity\r\nwas, in fact, the latest operation by ELUSIVE COMET—a threat actor responsible for millions in cryptocurrency\r\ntheft through carefully constructed social engineering attacks.\r\nThis post details our encounter with ELUSIVE COMET, explains their attack methodology targeting the Zoom\r\nremote control feature, and provides concrete defensive measures organizations can implement to protect\r\nthemselves.\r\nOur encounter with ELUSIVE COMET\r\nTwo separate Twitter accounts approached our CEO with invitations to participate in a “Bloomberg Crypto” series\r\n—a scenario that immediately raised red flags. The attackers refused to communicate via email and directed\r\nscheduling through Calendly pages that clearly weren’t official Bloomberg properties. These operational\r\nanomalies, rather than technical indicators, revealed the attack for what it was.\r\nX DMs between Dan Guido (Trail of Bits CEO) and sockpuppet accounts from ELUSIVE COMET\r\nThe ELUSIVE COMET methodology mirrors the techniques behind the recent $1.5 billion Bybit hack in\r\nFebruary, where attackers manipulated legitimate workflows rather than exploiting code vulnerabilities. 
This\r\nreinforces our perspective that the blockchain industry has entered the era of operational security failures, where\r\nhuman-centric attacks now pose greater risks than technical vulnerabilities.\r\nhttps://blog.trailofbits.com/2025/04/17/mitigating-elusive-comet-zoom-remote-control-attacks/\r\nPage 1 of 8\n\nNew ELUSIVE COMET IoCs\r\nIn addition to the IoCs previously published in SEAL’s advisory on ELUSIVE COMET, we have identified new\r\naccounts associated with this threat actor’s infrastructure:\r\nX: @KOanhHa\r\nX: @EditorStacy\r\nEmail: bloombergconferences[@]gmail.com\r\nZoom URL: https://us06web[.]zoom[.]us/j/84525670750\r\nCalendly URL: calendly[.]com/bloombergseries\r\nCalendly URL: calendly[.]com/cryptobloomberg\r\nOrganizations should update their monitoring systems and blocklists to include these new indicators.\r\nUnderstanding Zoom’s remote control feature\r\nELUSIVE COMET’s primary attack vector leverages Zoom’s remote control feature—a legitimate function that\r\nallows meeting participants to control another user’s computer with permission. When a participant requests\r\nremote control, the dialog simply states “$PARTICIPANT is requesting remote control of your screen.”\r\nExample of the Zoom remote control request dialog showing a forged name 'Zoom' as the requester\r\nThe attack exploits this feature through a simple yet effective social engineering trick:\r\n1. The attacker schedules a seemingly legitimate business call.\r\n2. During screen sharing, they request remote control access.\r\n3. They change their display name to “Zoom” to make the request appear as a system notification.\r\n4. 
If granted access, they can install malware, exfiltrate data, or conduct cryptocurrency theft.\r\nCalendly booking page used by the attackers to schedule fake Bloomberg interviews and meeting\r\ninvite from 'Bloomberg Crypto'\r\nWhat makes this attack particularly dangerous is the permission dialog’s similarity to other harmless Zoom\r\nnotifications. Users habituated to clicking “Approve” on Zoom prompts may grant complete control of their\r\ncomputer without realizing the implications.\r\nWhy this attack succeeds (even against security professionals)\r\nThe ELUSIVE COMET campaign succeeds through a sophisticated blend of social proof, time pressure, and\r\ninterface manipulation that exploits normal business workflows:\r\nLegitimate context: The attack occurs during what appears to be a normal business interaction.\r\nInterface ambiguity: The permission dialog doesn’t clearly communicate the security implications.\r\nHabit exploitation: Users accustomed to approving Zoom prompts may act automatically.\r\nAttention division: The victim is focused on a professional conversation, not security analysis.\r\nThis approach targets operational security boundaries rather than technical vulnerabilities.\r\nTrail of Bits’ defense posture\r\nOur encounter with ELUSIVE COMET reinforces our belief in defense-in-depth strategies that address both\r\ntechnical and operational security domains:\r\nEndpoint protection: CrowdStrike Falcon Complete with 24/7 managed hunting and response, configured\r\nin the “Active” security posture with aggressive cloud and sensor-based ML prevention settings. 
This\r\nconfiguration enables real-time behavioral detection of suspicious process activities—particularly\r\nunauthorized attempts to access system accessibility features—even when the malware is previously\r\nunknown or fileless.\r\nOS security: Mandatory company-wide upgrades to the latest major macOS version once its .1 release\r\nbecomes available. Apple consistently narrows attack surfaces with each major OS release, introducing\r\nfeatures that mitigate classes of vulnerabilities rather than just patching individual bugs. This zero-tolerance approach to legacy macOS versions strengthens our security baseline.\r\nAuthentication hardening: Mandatory security key authentication for all Google Workspace accounts.\r\nEvery employee receives a YubiKey during onboarding with zero exceptions granted for weaker\r\nauthentication methods (TOTP, SMS, etc.). Google SSO serves as our primary authentication provider,\r\nextending this hardware-based phishing resistance to all supported services. This implementation creates a\r\nhard security boundary that even sophisticated social engineering can’t bypass.\r\nPassword management: 1Password deployed company-wide with preinstalled browser extensions for all\r\nemployees. The extension’s domain-matching logic prevents credential autofill on mismatched domains\r\n(e.g., g00gle.com vs google.com), creating deliberate friction when employees encounter potential phishing\r\nsites. This forces a conscious copy-paste action for credentials on suspicious domains—a simple but\r\neffective cognitive interrupt that triggers security awareness.\r\nCommunication platform choices: Primary use of Google Meet over Zoom due to its browser-based\r\nsecurity model. Browser-based communication tools inherit the security model of the browser itself,\r\nlimiting their access to system resources. 
Chrome’s sandbox prevents web applications from accessing\r\nlocal system resources without explicit permission, creating a more controlled execution environment than\r\ninstalled applications can provide.\r\nRestrictive application controls: When Zoom is required, it’s wrapped with additional security controls\r\nand routinely removed from systems. Through threat intelligence and our own security research, we\r\nidentify high-risk applications that are frequently abused in attacks. We apply additional controls to these\r\n“tallest blades of grass” to limit their access to system resources and regularly remove them when not\r\nactively needed.\r\nMost critically, our security team has identified the Zoom remote control feature as an unnecessary risk and\r\ndeployed technical controls to prevent it from functioning on our systems. By specifically targeting the\r\naccessibility permissions that enable remote control, we close the attack vector that ELUSIVE COMET exploits\r\nwithout disrupting legitimate videoconferencing functionality.\r\nA layered defense approach\r\nTo protect your organization from this attack vector, we recommend using our tools to implement multiple layers\r\nof protection:\r\nScript | Purpose | Execution Frequency | Target Scope\r\ncreate_zoom_pppc_profile.bash | Creates system-wide PPPC profiles that prevent accessibility access | Once per computer | All computers\r\ndisable_zoom_accessibility.bash | Actively checks and removes Zoom accessibility permissions | Every 15 minutes | Computers with Zoom installed\r\nuninstall_zoom.bash | Completely removes Zoom from fleet computers | Weekly | Computers with Zoom installed\r\nIndex of ELUSIVE COMET mitigation tools\r\nSystem-wide protection with PPPC profiles\r\nPrivacy 
Preferences Policy Control (PPPC) profiles provide the strongest protection by preventing Zoom from\r\nrequesting or receiving accessibility permissions at the macOS system level. This directly addresses the\r\nvulnerability because Zoom’s remote control feature requires accessibility permissions to function—without these\r\npermissions, the remote control capability is completely disabled, neutralizing ELUSIVE COMET’s primary\r\nattack vector.\r\nPPPC profiles offer several security advantages:\r\nApply to all users on a system, including new user accounts\r\nCannot be removed by regular users once installed\r\nEnforce organizational security controls regardless of user preferences\r\nSpecifically target only the official Zoom application using code signature verification\r\nThe profile works by explicitly denying accessibility permissions to Zoom at the system level, creating a\r\npermission boundary that users cannot override through normal means. This approach is particularly effective\r\nbecause it doesn’t rely on user vigilance or training—it simply makes the vulnerable functionality technically\r\nimpossible to enable.\r\nWhen deployed organization-wide, these profiles ensure consistent protection even when users are under pressure\r\nduring high-stakes business conversations. By focusing specifically on removing the accessibility permissions that\r\nthe remote control feature requires, this protection doesn’t interfere with legitimate Zoom videoconferencing\r\nfunctionality while still preventing the specific attack vector that ELUSIVE COMET exploits.\r\nActive defense with TCC database monitoring\r\nWhile PPPC profiles provide proactive protection for new permission requests, they don’t automatically revoke\r\npermissions that users have already granted to Zoom. 
This is where active TCC database monitoring becomes\r\ncritical: it functions as a “permission reset” mechanism that continuously cleans up existing accessibility\r\nauthorizations that could be exploited.\r\nThe disable_zoom_accessibility.bash script works by directly interfacing with macOS’s Transparency,\r\nConsent and Control (TCC) framework to methodically:\r\nDetect existing accessibility permissions granted to Zoom\r\nReset those permissions, regardless of when or how they were granted\r\nCreate security telemetry through logging for detection of potential attack attempts\r\nThis approach offers unique security advantages beyond what PPPC profiles alone provide:\r\nRemoves permissions granted before your security posture was hardened\r\nEnsures that even users who previously authorized Zoom can’t be exploited\r\nWhen run every 15 minutes, creates an ongoing verification that no permissions exist\r\nSome organizations might prefer requiring users to explicitly re-authorize remote access for legitimate use\r\ncases, then having permissions automatically removed afterward\r\nFor security teams with diverse user populations, this represents a pragmatic middle ground. Rather than\r\ncompletely blocking remote control functionality (which might be occasionally necessary), the script allows\r\ntemporary, conscious use of the feature while preventing persistent access that could be exploited between uses.\r\nWhen permission removal events appear in your logs during normal operations, it’s a strong indicator that either a\r\nuser is attempting to use the remote control feature legitimately (requiring investigation and potential education)\r\nor that an attack attempt is underway. 
This visibility creates valuable security telemetry that helps identify both\r\npolicy violations and potential attack attempts before they succeed.\r\nMaximum protection by purging Zoom\r\nFor high-security environments or organizations handling cryptocurrency, the most direct approach is to\r\ncompletely remove Zoom from systems. This elimination strategy operates on a simple principle: software that\r\nisn’t installed can’t be exploited. For organizations handling particularly sensitive data or cryptocurrency\r\ntransactions, the risk reduction from eliminating the Zoom client entirely often outweighs the minor\r\ninconvenience of using browser-based alternatives:\r\nRemoves the application that ELUSIVE COMET relies on\r\nEnsures no remnant components remain that could be leveraged in an attack\r\nRemoves all potential persistence mechanisms including preferences and cached data\r\nGuarantees that users cannot accidentally expose themselves to this risk\r\nWhen combined with a policy encouraging browser-based meeting participation, purging Zoom with\r\nuninstall_zoom.bash provides the strongest protection against ELUSIVE COMET’s attack methodology.\r\nAdditional security recommendations\r\nBeyond the specific Zoom mitigations, we recommend these additional defensive measures:\r\n1. Train users to recognize social engineering tactics in video calls: While this is primarily a technical\r\nissue with Zoom’s permissions model, user awareness still matters. Train staff to recognize unusual\r\npermission requests during video calls—particularly those requesting system control. 
Create a simple\r\nmental model for employees: “No legitimate business process should ever require giving someone else\r\ncontrol of your computer.” Establish a protocol requiring secondary verification (like a phone call to IT)\r\nbefore granting remote control to anyone, even seemingly trusted contacts.\r\n2. Implement comprehensive IoC monitoring across communication channels: Deploy email security\r\ntools like Material Security or Sublime Security that enable searching your entire organization for\r\ncommunications from known threat actors. When new indicators are published (like those in this post),\r\nthese tools allow security teams to quickly identify if anyone in the organization has been targeted. Despite\r\nthese attacks primarily occurring on social media, the attackers eventually need to send calendar invites via\r\nemail—creating a detectable footprint if you have the right monitoring tools.\r\n3. Create explicit policies for media appearances and external communications: At Trail of Bits, all\r\nmedia appearances follow an established process involving multiple stakeholders to develop messaging\r\nand talking points. When our CEO was approached via Twitter DM, his immediate response was to direct\r\ncommunication to email—following our standard procedure for external engagements. Establish clear\r\nverification processes requiring communication through official channels (corporate email) for any external\r\nengagement. Train staff that legitimate media organizations respect and follow these processes.\r\n4. Deploy email boundary controls as brand protection: While this specific ELUSIVE COMET campaign\r\ndidn’t use email spoofing, properly configured DMARC, SPF, and DKIM prevent attackers from directly\r\nimpersonating your domain in future campaigns. This limits an attacker’s ability to exploit your\r\norganization’s brand when targeting others. 
Bloomberg’s properly implemented email security likely forced\r\nELUSIVE COMET to use non-Bloomberg domains (gmail.com accounts)—a red flag that helped our CEO\r\nidentify the attack immediately.\r\n5. Cultivate a rapid information sharing culture: When our CEO identified this attack, he immediately\r\nposted a notification to the company-wide Slack channel, alerting everyone to the ongoing campaign.\r\nCreate low-friction reporting channels that make it easy for employees to share suspicious interactions.\r\nEstablish a “no penalty” culture for security reporting—reward people who report suspicious activity even\r\nif it turns out to be legitimate. Time is critical in these situations; a culture of rapid, blame-free reporting\r\ncan prevent multiple victims within your organization.\r\nBuilding resilient security against human-centered attacks\r\nThe ELUSIVE COMET campaign represents the continuing evolution of threats targeting operational security\r\nrather than technical vulnerabilities. As we’ve entered the era of operational security failures, organizations must\r\nevolve their defensive posture to address these human-centric attack vectors.\r\nBy implementing the multilayered defense approach outlined above, organizations can significantly reduce their\r\nexposure to this specific attack vector while maintaining business functionality. More importantly, this case study\r\ndemonstrates the critical importance of combining technical controls with operational security awareness in\r\ndefending against modern threats.\r\nIf your organization handles sensitive data or manages cryptocurrency transactions, our security engineers can\r\nhelp you develop a tailored threat model that addresses both traditional vulnerabilities and operational security\r\nboundaries. 
Contact us to learn more.\r\nSource: https://blog.trailofbits.com/2025/04/17/mitigating-elusive-comet-zoom-remote-control-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.trailofbits.com/2025/04/17/mitigating-elusive-comet-zoom-remote-control-attacks/"
	],
	"report_names": [
		"mitigating-elusive-comet-zoom-remote-control-attacks"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46fb3cc7-d4e4-4239-8a3e-f231a5255a36",
			"created_at": "2025-05-29T02:00:03.226791Z",
			"updated_at": "2026-04-10T02:00:03.878755Z",
			"deleted_at": null,
			"main_name": "ELUSIVE COMET",
			"aliases": [],
			"source_name": "MISPGALAXY:ELUSIVE COMET",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434488,
	"ts_updated_at": 1775791841,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/118c154c5e3d0ccfa0093055d8dcc54ff41bd9f7.pdf",
		"text": "https://archive.orkl.eu/118c154c5e3d0ccfa0093055d8dcc54ff41bd9f7.txt",
		"img": "https://archive.orkl.eu/118c154c5e3d0ccfa0093055d8dcc54ff41bd9f7.jpg"
	}
}