{
	"id": "609f2557-dd61-4f43-9c4c-7ded75d36212",
	"created_at": "2026-04-06T00:17:46.350217Z",
	"updated_at": "2026-04-10T03:30:21.166075Z",
	"deleted_at": null,
	"sha1_hash": "15f0b840e842da4a1ef38845811f8d0759bc8867",
	"title": "FIN11 is Back : Impersonates Popular Video Conference Application - CYFIRMA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 703835,
	"plain_text": "FIN11 is Back : Impersonates Popular Video Conference\r\nApplication - CYFIRMA\r\nArchived: 2026-04-05 21:35:29 UTC\r\nPublished On : 2022-09-21\r\nThe CYFIRMA research team has observed impersonated web download pages of the Zoom application, which is the most downloaded application in recent years. We believe with moderate confidence that the financially motivated FIN11 is behind this campaign. This threat actor is known for conducting large-scale campaigns using impersonated web applications. In this case, FIN11 was observed employing fake Zoom download pages to install the Vidar information stealer, targeting a large attack surface. We also observed an IP address that was earlier associated with AsyncRAT.\r\nAs per our VT research, the threat actor is using a disguised Zoom application, a video conference solution used worldwide, indicating its focus on compromising a large number of systems across all operating systems by means of popular web applications. The Russia-based threat actor FIN11 has lately been associated with CLOP ransomware for post-compromise ransomware deployment and data theft extortion. This association with the ransomware group increases the possibility of compromised systems becoming ransomware victims.\r\nhttps://www.cyfirma.com/outofband/fin11-is-back-impersonates-popular-video-conference-application/\r\nPage 1 of 9\r\nSeveral fake Zoom Video Communications download pages were discovered in the wild by the CYFIRMA research team. The Russian Federation is the registrant country for all the hosts. The CYFIRMA research team believes with moderate confidence that the financially motivated FIN11 is behind this campaign involving fake download pages of popular web applications used worldwide.\r\nRecently Identified Impersonated Web Application Download Page Links:\r\nBelow are the six impersonated web application download page links observed in the wild.\r\nhttps://zoom-download[.]host – 92[.]53[.]96[.]41\r\nhttps://zoom-download[.]space – 2a03:6f00:1::5c35:6029\r\nhttps://zoom-download[.]fun – 92[.]53[.]96[.]41 pDNS 5[.]101[.]159[.]26; 87[.]236[.]16[.]226\r\nhttps://zoomus[.]host – 92[.]53[.]113[.]155\r\nhttps://zoomus[.]tech – 92[.]53[.]114[.]144\r\nhttps://zoomus[.]website – 92[.]53[.]114[.]172\r\nDuring our passive DNS research, we observed a vast number of impersonated web applications used in the past.\r\nThe Zoom Video Communications application has historically been used as a phishing lure in large-scale campaigns. Over the past two years, due to COVID-19, the world saw a significant increase in remote work, distance education, and the growth of online social relations. This led to high download numbers for the Zoom application, and the trend has continued even after the pandemic. Zoom emerged as one of the most downloaded applications in the world year after year. For instance, with 300 million downloads, it was the most downloaded business app worldwide in 2021.\r\nThis popularity of Zoom has led to a renewed interest in employing it as a phishing lure. In the reported incident, the threat actor employed the ‘Vidar’ information stealer embedded in the Zoom application to target a broad attack surface across all industries and geographies.\r\nExternal Threat Landscape Management\r\nSince 2016, the Russia-based threat actor group FIN11 has been conducting widespread phishing campaigns. Initially, the threat group targeted financial, retail, and hospitality organizations. However, FIN11 later broadened its targeting to include a diverse set of sectors and geographic regions. During their phishing operations, the threat actors cast a wide net and then select which victims to further exploit based on characteristics such as sector, geolocation, or perceived security posture. FIN11 has lately been associated with CLOP ransomware for post-compromise ransomware deployment and data theft extortion. Historically, the group has used services that provide anonymous domain registration, bulletproof hosting, code signing certificates, and private or semi-private malware; this strategy has been carried over into the ongoing campaign. In this incident, the threat actor used the Vidar information stealer, one of the prominent malware families used by the group.\r\nVT View on Malicious Content in the Host\r\nThe observed hosts (the six links mentioned above) point to malicious .exe, .rar, .apk, .lnk, and .pdf files, indicating a well-planned campaign by FIN11 that targets all operating systems in order to compromise a large attack surface.\r\nImpersonated Web Application View\r\nTechnical Analysis of Malicious Zoom URLs and Application Installed\r\nOur research team analysed samples obtained from the impersonated Zoom application download page. Clicking the Download button downloads a malicious zip archive (8B07C2E1D99A6E43FB29C4B1A23BC743) containing a malicious “Zoom.exe” (19AFF3D6ED110A9037AFF507CAC4077F) file that pretends to be the legitimate Zoom app and carries a Zoom icon. This “Zoom.exe” file is a 64-bit SFX [Microsoft Cabinet] file. Once “Zoom.exe” is extracted, it contains two files: “ZOOMIN~1.EXE” (E710423F15A7C40DAC815C2D637CABD0), the legitimate Zoom application setup, and “Decoder.exe” (98C8C28B790BBCE2BC2F20CC8FF2BD8E), a malicious downloader.\r\nUpon execution, “Zoom.exe” drops “Decoder.exe” and “ZOOMIN~1.EXE” at the location “C:\\Users\\Username\\AppData\\Local\\Temp\\IXP000.TMP\\”. “Decoder.exe” (98C8C28B790BBCE2BC2F20CC8FF2BD8E, as mentioned above) is a malicious downloader, and “ZOOMIN~1.EXE” (E710423F15A7C40DAC815C2D637CABD0, as mentioned above) is a valid Zoom installer which installs the legitimate Zoom app on the system so that the execution does not arouse the user's suspicion.\r\nFollowing is the process tree corresponding to the execution of the malicious “Zoom.exe”:\r\nWhen executed, “Decoder.exe” establishes a connection with “hxxp[:]//193[.]106[.]191[.]223/CharSequence[.]TextPaint[.]setAlignment.module8_Rkbbnqyt[.]png” and downloads an encoded .PNG file (21ABAC012CAA151DA5ED7C760198FAC6).\r\nThe IP address (193[.]106[.]191[.]223) is attributed to Russia and associated with AsyncRAT, as shown below:\r\nLater, “Decoder.exe” leverages PowerShell and executes a Base64-encoded command, as shown below:\r\n“C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe” -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAyAA==\r\nThe Base64-encoded command “UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAyAA==”, when decoded (UTF-16LE), is equivalent to “Start-Sleep -Seconds 12”, which is likely used to stay inactive for 12 seconds before the next operation.\r\nFurther, it creates a child process named MSBuild.exe. The Microsoft Build Engine (MSBuild.exe) is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software. Visual Studio uses MSBuild, but MSBuild does not depend on Visual Studio. By invoking msbuild.exe on a project or solution file, products can be orchestrated and built in environments where Visual Studio is not installed. Malware authors have in several earlier instances abused the Microsoft Build Engine (MSBuild) to deploy remote access tools (RATs) and password-stealing malware.\r\nThe first stage (Decoder.exe) is a simple .NET downloader that executes a second-stage payload in memory. The downloaded second-stage payload injects into another process (MSBuild.exe).\r\nThe compromised MSBuild.exe makes a connection to the IP 116[.]202[.]179[.]139 and later downloads a zip file:\r\nhxxp[:]//116[.]202[.]179[.]139/1547\r\nhxxp[:]//116[.]202[.]179[.]139/9642742070[.]zip\r\nIn a different run, MSBuild.exe connects to another IP (79[.]124[.]78[.]206) and downloads a similar zip file:\r\nhxxp://79[.]124[.]78[.]206/1547\r\nhxxp://79[.]124[.]78[.]206/1317434164[.]zip\r\nThe downloaded zip file contains a series of DLL files: “Freebl3.dll, mozglue.dll, msvcp140.dll, nss3.dll, softokn3.dll, vcruntime140.dll”. The same set of DLLs has previously been used by the “Vidar” information stealer.\r\nThe threat actor delivers malicious Zoom applications through phishing URLs masquerading as the legitimate Zoom website and app. Upon execution of the malicious “Zoom.exe”, it drops “Decoder.exe”, which acts as a downloader for additional payloads (RAT and information stealer), and the legitimate Zoom app setup “ZOOMIN~1.EXE”, which installs the Zoom app. The injected MSBuild.exe also downloads DLLs associated with the Vidar information stealer.\r\nConclusion\r\nUsing impersonated download pages of popular web applications in cyber-attacks is not a new tactic, but using the most downloaded application, Zoom, to distribute malware is a dangerous move by threat actors, indicating their intention to compromise a large number of systems worldwide. Given their association with the ransomware group, it is an even more worrying factor that compromised systems can become potential ransomware victims.\r\nMITRE ATT\u0026CK:\r\nTactic – Technique\r\nTA0002: Execution – T1059: Command and Scripting Interpreter; T1204: User Execution\r\nTA0003: Persistence – T1546: Event Triggered Execution\r\nTA0004: Privilege Escalation – T1546: Event Triggered Execution\r\nTA0005: Defense Evasion – T1553: Subvert Trust Controls\r\nTA0006: Credential Access – T1555: Credentials from Password Stores; T1539: Steal Web Session Cookie; T1552: Unsecured Credentials\r\nTA0007: Discovery – T1012: Query Registry; T1518: Software Discovery; T1082: System Information Discovery\r\nTA0009: Collection – T1114: Email Collection\r\nIOCs\r\nSource: https://www.cyfirma.com/outofband/fin11-is-back-impersonates-popular-video-conference-application/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cyfirma.com/outofband/fin11-is-back-impersonates-popular-video-conference-application/"
	],
	"report_names": [
		"fin11-is-back-impersonates-popular-video-conference-application"
	],
	"threat_actors": [
		{
			"id": "6728f306-6259-4e7d-a4ea-59586d90a47d",
			"created_at": "2023-01-06T13:46:39.175292Z",
			"updated_at": "2026-04-10T02:00:03.236282Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"TEMP.Warlock",
				"UNC902"
			],
			"source_name": "MISPGALAXY:FIN11",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434666,
	"ts_updated_at": 1775791821,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/15f0b840e842da4a1ef38845811f8d0759bc8867.pdf",
		"text": "https://archive.orkl.eu/15f0b840e842da4a1ef38845811f8d0759bc8867.txt",
		"img": "https://archive.orkl.eu/15f0b840e842da4a1ef38845811f8d0759bc8867.jpg"
	}
}