Hackers behind the Elusive Comet campaign exploit Zoom’s remote-control feature to steal cryptocurrency; over $100K lost in a social engineering scam.
A new cybercrime campaign known as “Elusive Comet” is targeting professionals in the cryptocurrency space. However, instead of going after blockchain technology directly, the attackers are using Zoom’s remote-control feature to gain access to targeted devices.
Cybersecurity firm Security Alliance (SEAL) broke down the details in a report published in March 2025.
The Elusive Comet campaign is a social engineering scam in which cybercriminals impersonate legitimate figures to lure victims into Zoom meetings. They typically use phishing emails or DMs on X to create a convincing scenario, posing as people who want to interview the victim for a podcast or media feature by Aureon Capital, which claims to be a legitimate venture capital firm.
Once the victim accepts the Zoom invitation, the attackers manipulate their computer by requesting remote-control access under the pretence of needing technical assistance or help with a presentation. They change their Zoom display name to “Zoom,” creating a false sense of trust.
For context, Zoom’s remote-control feature is designed for accessibility and collaboration, allowing one participant to control another’s screen with explicit permission. Once attackers gain remote control, they install malware on the victim’s machine, often including infostealers and RATs (Remote Access Trojans), ultimately obtaining unauthorized access to the compromised system and exfiltrating critical information such as cryptocurrency wallet credentials, personal data, and private keys.
The effectiveness of this attack is illustrated by the experience of Jake Gallen, CEO of Emblem Vault. Gallen lost over $100,000 in digital assets after falling victim to the Elusive Comet campaign. He agreed to a Zoom interview with a media personality, remote-control access was granted, and “GOOPDATE” malware was then installed, allowing the attacker to drain his cryptocurrency wallets.
Cybersecurity firm Trail of Bits also encountered the Elusive Comet campaign when their CEO received suspicious invitations to a fake “Bloomberg Crypto” series via Twitter. They identified the attackers’ refusal to communicate via email and the use of unofficial Calendly scheduling pages as key indicators of malicious intent.
SEAL highlighted similarities between these attacks and past operations of the notorious North Korean hacking collective Lazarus Group, but could not conclusively attribute the campaign to Lazarus.
SEAL and Trail of Bits recommend several mitigation strategies for cryptocurrency professionals to protect against these attacks. These include disabling Zoom’s Remote Control feature by default and exercising extreme caution with unsolicited invitations.
Researchers also advise implementing strong authentication measures, considering alternative communication platforms such as Google Meet, and restricting application controls over high-risk applications like Zoom by technically blocking remote control.
Max Gannon, Intelligence Manager at Cofense, commented on the latest development, stating, “The malicious use of legitimate software is a growing trend we’ve continued to see in 2025. In this case, threat actors are leveraging legitimate Zoom and Calendly links to bypass security controls. As trusted domains, their use in this attack makes it more difficult to detect and block.”