Some “elusive” threat actors are putting on their best button-down shirts and pajama pants and getting ready for a call with the CEO.
In an Apr. 17 blog post, cybersecurity research and consulting firm Trail of Bits detailed how a crypto-stealing threat group known as Elusive Comet targeted an exec with a scheme involving a media opportunity, a Zoom call, and a pushy request to share their screen.
“The Elusive Comet campaign represents the continuing evolution of threats targeting operational security rather than technical vulnerabilities. As we’ve entered the era of operational security failures, organizations must evolve their defensive posture to address these human-centric attack vectors,” the Trail of Bits team wrote in the conclusion of their analysis.
Foe request. An unnamed CEO, according to Trail of Bits, received an invitation from two separate X accounts to appear on a “Bloomberg Crypto” video series. The Elusive Comet actors refused to connect through email, instead sending a Calendly invite.
Some other details from the incident:
- The primary attack vector relied on Zoom’s legitimate remote-control feature, which an IT professional may use to control another user’s computer and troubleshoot an employee’s machine.
- The group used the forged name “Zoom,” so the target received a notification saying: “Zoom is requesting remote control of your screen.” With the alias, the pop-up looked like a system notification.
- If granted access, the group can install malware, exfiltrate data, or conduct cryptocurrency theft.
Elusive Comet is responsible for “millions of dollars in stolen funds,” according to a March 2025 advisory from the Security Alliance.
Fraud city. A just-released report from the FBI calculated $9.3 billion in cryptocurrency fraud costs for 2024, a year-over-year increase of 66%. Screensharing ruses involving IT impersonation have already created a stir this year.
Chris Pierson, CEO of BlackCloak, a company offering executive-level cybersecurity protection, recommends companies educate employees about the tools allowing system-level access, and the patterns of social-engineering attacks targeting such access.
“Making sure that you have not a 20-person IT and security team, but a 2000- [or] a 20,000-person IT and security team is absolutely critical,” Pierson said, also recommending IT pros provide the “least access” privileges possible, within the settings of a given tool.
Trail of Bits had a number of recommendations in its post, including deploying its own scripts to prevent accessibility options. The firm also advised companies to create policies for media appearances, deploy email-security tools that also monitor calendar invites, and train staff to recognize unusual permission requests during video calls.
“Zoom takes the security and privacy of its users very seriously, and a user must always provide explicit consent before allowing another participant to take control of their screen using the remote control feature,” Zoom spokesperson Colleen Rodriguez wrote in a statement shared with IT Brew, referring readers to security guidance from the company.