Hackers behind the Elusive Comet campaign exploit Zoom’s remote-control feature to steal cryptocurrency; one victim lost over $100K in the social engineering scam.
A new cybercrime campaign called “Elusive Comet” is targeting professionals in the cryptocurrency space. But, instead of going after blockchain tech directly, the attackers are using Zoom’s remote-control features to gain access to targeted devices.
Cybersecurity firm Security Alliance (SEAL) broke down the details in a report published in March 2025.
The Elusive Comet campaign is a social engineering scam where cybercriminals impersonate legitimate figures to lure victims into Zoom meetings. They often use phishing emails or DMs on X to create a convincing scenario, posing as individuals wanting to interview the victim for a podcast or media feature by Aureon Capital, which claims to be a legitimate venture capital firm.
Once the victim accepts the Zoom invitation, the attackers manipulate their computer by requesting remote control access under the pretence of needing technical assistance or help with a presentation. They change their Zoom display name to “Zoom,” creating a false sense of trust.
For your information, Zoom’s remote-control feature is designed for accessibility and collaboration: it lets one participant control another’s screen, but only with that participant’s explicit permission. Once the attackers have been granted that control, they install malware on the victim’s machine, often infostealers and RATs (Remote Access Trojans), which gives them unauthorized access to the compromised system and lets them exfiltrate sensitive information such as cryptocurrency wallet credentials, personal data, and private keys.
The effectiveness of this attack is illustrated by the experience of Jake Gallen, CEO of Emblem Vault. Gallen lost over $100,000 in digital assets after falling victim to the Elusive Comet campaign. He agreed to a Zoom interview with a media personality and was granted remote control access following which “GOOPDATE” malware was installed, allowing the attacker to drain his cryptocurrency wallets.
Cybersecurity firm Trail of Bits also encountered the Elusive Comet campaign when their CEO received suspicious invitations to a fake “Bloomberg Crypto” series via Twitter. They identified the attackers’ refusal to communicate via email and the use of unofficial Calendly scheduling pages as key indicators of malicious intent.
SEAL highlighted similarities between these attacks and the notorious North Korean hacking collective Lazarus Group’s past operations but could not conclusively attribute the campaign to Lazarus.
SEAL and Trail of Bits recommend several mitigations for cryptocurrency professionals. These include disabling Zoom’s remote-control feature by default and treating unsolicited invitations with extreme caution.
Researchers also advise implementing strong authentication measures, considering alternative communication platforms such as Google Meet, and, for high-risk applications like Zoom, using application controls that technically block remote control rather than relying on users to decline a request.
Max Gannon, Intelligence Manager at Cofense, commented on the latest development, stating, “The malicious use of legitimate software is a growing trend we’ve continued to see in 2025. In this case, threat actors are leveraging legitimate Zoom and Calendly links to bypass security controls. As trusted domains, their use in this attack makes it more difficult to detect and block.”