{
	"id": "42ea3a88-65a4-4c12-a4af-30808e069624",
	"created_at": "2026-04-06T00:06:17.464808Z",
	"updated_at": "2026-04-10T03:20:38.980673Z",
	"deleted_at": null,
	"sha1_hash": "99c5ef9ff41997692f1bed93bb73ae5d48f3ccf9",
	"title": "Malicious Actors Target Comm Apps such as Zoom, Slack, Discord",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 530273,
	"plain_text": "Malicious Actors Target Comm Apps such as Zoom, Slack, Discord\r\nArchived: 2026-04-05 17:53:42 UTC\r\nIn our 2020 midyear report, we discussed how the Covid-19 pandemic had forced many organizations to shift\r\nfrom physical offices to virtual ones — a change that also led to the rise of messaging and video conferencing\r\napps as indispensable tools for communication. While these apps have provided businesses a way of maintaining\r\ncommunication between employees, they have also caught the eye of malicious actors who are always looking to\r\nintegrate new techniques in their malicious activities.\r\nZoom-based attacks have remained consistent\r\nNo other software has defined 2020 as much as the video conferencing app Zoom, which has exploded in\r\npopularity since the start of the pandemic. Given its high usage rate among schools, businesses, and individuals,\r\nit’s no surprise that cybercriminals have been focusing their efforts on Zoom-based attacks.\r\nThe most well-known malicious activity involving Zoom is probably “Zoombombing,” which involves pranksters\r\ncrashing a meeting and then performing disruptive actions, such as spamming pornographic content or even just\r\ngenerally being a nuisance.\r\nWhile annoying, Zoombombing is typically harmless in terms of security. On the other hand, we’ve encountered\r\nZoom-related attacks that involve actual malware, which can potentially be more damaging to organizations and\r\nindividuals. The most common Zoom-related attack technique is the use of Zoom installers bundled with malware.\r\n \r\nIn some cases, the attackers use fake Zoom installers to trick users into installing them on their machines. We\r\nencountered an example of this in May, after we found samples of malware files that were disguised as fake Zoom\r\ninstallers. 
While it could be difficult for the average user to distinguish the legitimate Zoom app from the fake\r\nones, closer inspection shows that the malicious versions have significantly larger file sizes.\r\nFigure 1. The file size of malicious Zoom copies compared with that of the legitimate installer\r\nOne of the malware samples (Trojan.Win32.ZAPIZ.A) is a backdoor with remote access features, allowing the\r\nattacker to gain access to the infected machine to perform malicious actions, such as stealing information. The\r\nother sample (Backdoor.Win32.DEVILSHADOW.THEAABO) has an installer that consists of a file containing\r\nmalicious commands. Interestingly, both compromised installers installed a legitimate version of Zoom, likely to\r\nhide evidence of malicious activity from the user.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-actors-target-comm-apps-such-as-zoom-slack-discord\r\nPage 1 of 6\n\nAside from using compromised installers, we also found instances where malicious actors bundled legitimate\r\ninstallers with malware files. In April, we discovered an attack that used real Zoom installers that came with the\r\nRevCode WebMonitor RAT (Backdoor.Win32.REVCODE.THDBABO). This malware variant allows its operator\r\nto execute commands remotely, such as adding or deleting files, recording keystrokes, and gathering information.\r\nAnother example of this is the ZAPIZ malware (Trojan.Win32.ZAPIZ.A), a trojan that also comes bundled with a\r\nlegitimate Zoom installer. 
Once downloaded, it will kill all running remote utilities, after which it will use port 5650/TCP for inbound remote connections.\r\nBased on our analysis, ZAPIZ will perform information theft, gathering the target machine’s usernames and its\r\nmachine name — perhaps as a prelude to further attacks.\r\nWe also found an email sample where a malicious actor tried to extort money from the victim by threatening them\r\nwith the release of compromised video footage — allegedly acquired via a hacked camera.\r\nFigure 2. Email threatening the victim with release of compromised video footage\r\nAbuse of other communication apps such as Discord and Slack\r\nWhile Zoom remains perhaps the most popular communication app during the pandemic, it’s not the only one that\r\ncybercriminals have abused. We found evidence of attacks that integrate other communication services —\r\nspecifically Slack and Discord — into their routines.\r\nSlack has earned a loyal following over the years, with over 10 million daily active users as of 2019.\r\nHowever, we also found evidence of malicious actors making use of some of its features.\r\nWe recently found a ransomware variant (Ransom.Win32.CRYPREN.C) that, on the surface, seems fairly standard\r\nin terms of capabilities. It encrypts files with the following extensions (after which it will append the .encrypted\r\nsuffix):\r\n.bmp\r\n.doc\r\n.docx\r\n.gif\r\n.jpeg\r\n.jpg\r\n.m2ts\r\n.m4a\r\n.mkv\r\n.mov\r\n.mp3\r\n.mp4\r\n.mpeg\r\n.mpg\r\n.pdf\r\n.png\r\n.ppt\r\n.pptx\r\n.txt\r\n.xls\r\n.xlsx\r\nFigure 3. The ransom note for the Crypren ransomware\r\nWhat makes Crypren interesting is its use of Slack webhooks to report its victims’ encryption status back to its\r\ncommand-and-control (C\u0026C) server — a technique we haven’t encountered before.\r\nCurrently, it only sends back a minimal amount of data, namely computer and user names, the number of infected\r\nfiles, and the infection timestamp — indicating that the use of Slack for infection status reporting might still be in\r\nits testing phase.\r\nDiscord is another communication app that shares similar features with Slack (while also being notable for its\r\nwidespread use in gaming communities). We found samples that show how malicious actors are using Discord as\r\npart of a campaign involving malicious spam emails that eventually end in an AveMaria or AgentTesla malware\r\ninfection. We first observed the use of malicious spam to deliver these malware families in 2019 — however, the\r\naddition of Discord as part of its attack routine is relatively recent.\r\nThe malicious emails are typically either postal delivery notifications or invoices with an included DHL or TNT-themed attachment:\r\nFigure 4. 
Spam mail sample\r\nThese emails come with embedded links — either in the images or the text — that point to a Discord URL with\r\nthe following format: hxxps://cdn[.]discordapp[.]com/attachments/{ChannelID}/{AttachmentID}/example[.]exe.\r\nThese URLs are used to host AveMaria and AgentTesla, which will then infect the users’ machines once they click\r\non the executable.\r\nThe use of legitimate apps such as Slack and Discord as part of an attack may come down to a few simple reasons:\r\nthey’re well-known, widely used, free, and provide some form of anonymity. Furthermore, users are not even\r\nrequired to have the apps installed to download files from them, making the process streamlined and efficient.\r\nAnother possible reason for the use of these programs is that they can pass as normal, legitimate network\r\ncommunication. Their popularity also means there is a high chance that employees and end users are already using\r\nthese services.\r\nDefending against attacks that abuse communication apps\r\nFortunately, defending against these types of attacks is relatively straightforward. In the case of the Zoom\r\ninstallers, the commonality between the attacks is that they are downloaded from places other than the official\r\nZoom download page. The simplest way to avoid infection is to download communications apps (and all apps in\r\ngeneral) only from official channels. This will ensure that the software is free from tampering.\r\nUsers should also avoid clicking on any links or downloading attachments from suspicious or unverified emails. If\r\nunsure, it would be a good idea to double-check with the alleged sender to confirm if they were the ones who sent\r\nthe email.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-actors-target-comm-apps-such-as-zoom-slack-discord"
	],
	"report_names": [
		"malicious-actors-target-comm-apps-such-as-zoom-slack-discord"
	],
	"threat_actors": [],
	"ts_created_at": 1775433977,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/99c5ef9ff41997692f1bed93bb73ae5d48f3ccf9.pdf",
		"text": "https://archive.orkl.eu/99c5ef9ff41997692f1bed93bb73ae5d48f3ccf9.txt",
		"img": "https://archive.orkl.eu/99c5ef9ff41997692f1bed93bb73ae5d48f3ccf9.jpg"
	}
}