6 March 2024

Threat actors distribute RATs via fake Skype, Google Meet, and Zoom websites


Threat actors are exploiting the popularity of online meeting platforms to disseminate malware, new research from Zscaler’s ThreatLabz shows.

Since December 2023, threat actors have been using fake websites that mimic Skype, Google Meet, and Zoom to target both Android and Windows users. The attackers used shared web hosting, placing all of these fake online meeting sites on a single IP address. The malicious websites, predominantly in Russian, closely resemble the legitimate platforms and prompt users to download malicious files that infect their devices with Remote Access Trojans (RATs).

The discovered malware includes SpyNote RAT for Android devices, and NjRAT and DCRat for Windows systems.

“When a user visits one of the fake sites, clicking on the Android button initiates the download of a malicious APK file, while clicking on the Windows button triggers the download of a BAT file,” the researchers wrote.

The first fake site identified, join-skype[.]info, emerged in early December, enticing users to download a fake Skype application. Clicking on the Windows button led to a file named Skype8.exe, and the Google Play button pointed at Skype.apk.

Similarly, online-cloudmeeting[.]pro, masquerading as Google Meet, surfaced later that month. In late January, a fraudulent Zoom site appeared, disseminating the DCRat malware.

In addition to hosting DCRat, the fake Google Meet and Zoom websites also contained an open directory with two additional Windows executable files named driver.exe and meet.exe, which are NjRAT. The presence of these files suggests that the threat actor may use them in other campaigns.

