
‘Elusive Comet’ Hackers Exploit Zoom to Target Crypto Users in Sophisticated Scam

A hacking group known as Elusive Comet is targeting cryptocurrency users.

A newly identified hacking group known as Elusive Comet is targeting cryptocurrency users through a deceptive campaign that leverages Zoom’s remote control feature to gain unauthorized access to victims' systems.

The remote control tool, built into Zoom, enables meeting participants to take control of another person's computer — a capability now being manipulated by cybercriminals to bypass technical defenses through social engineering rather than traditional code exploitation.

According to a report from cybersecurity firm Trail of Bits, the group’s tactics closely resemble those used in the $1.5 billion Bybit crypto heist believed to be linked to the Lazarus group.

"The ELUSIVE COMET methodology mirrors the techniques behind the recent $1.5 billion Bybit hack in February, where attackers manipulated legitimate workflows rather than exploiting code vulnerabilities," explains the Trail of Bits report.

Trail of Bits uncovered the campaign when attackers attempted to target their CEO via a direct message on X (formerly Twitter), posing as representatives of Bloomberg Crypto.

The ruse begins with a fraudulent invitation to a "Bloomberg Crypto" interview, sent to high-profile individuals either through email (bloombergconferences[@]gmail.com) or social media. The attackers use sock-puppet accounts, mimicking journalists or crypto media outlets, and send Calendly links to schedule the meeting.

Because both Calendly and Zoom links are genuine, the setup appears trustworthy to the victims. During the meeting, the attackers launch a screen-sharing session and issue a remote control request — with a crucial twist: their Zoom display name is changed to “Zoom.”

This results in a misleading prompt that reads "Zoom is requesting remote control of your screen," tricking the target into thinking the request comes from the app itself.

Granting access allows the attacker full remote control, enabling data theft, malware installation, unauthorized file access, or even the initiation of crypto transactions. In some cases, attackers establish persistence through hidden backdoors, remaining unnoticed even after disconnecting.

"What makes this attack particularly dangerous is the permission dialog's similarity to other harmless Zoom notifications," says Trail of Bits. "Users habituated to clicking 'Approve' on Zoom prompts may grant complete control of their computer without realizing the implications."

To guard against such threats, Trail of Bits recommends the use of Privacy Preferences Policy Control (PPPC) profiles to restrict system accessibility permissions. For highly sensitive environments — particularly those handling digital assets or crypto transactions — the firm advises removing the Zoom desktop client entirely.

"For organizations handling particularly sensitive data or cryptocurrency transactions, the risk reduction from eliminating the Zoom client entirely often outweighs the minor inconvenience of using browser-based alternatives," explains Trail of Bits.