
Rule Info
Name
Fake Zoom Process Execution
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects execution of a fake Zoom process, which could indicate potential malicious activity.
Adversaries have been observed using spoofed versions of Zoom, a widely used video conferencing
and collaboration application, to distribute various types of commodity malware and gain initial access to systems.
Date
2025-04-02 00:00:00
Modified
None
Id
2857d10b-923c-4366-b213-97e8668d14e0
Tags
attack.initial-access attack.execution attack.t1204.002
Type
Nextron Sigma feed only (private)