Elusive Comet Abusing Zoom Remote Control Feature For Crypto Theft


The threat actor ELUSIVE COMET is actively targeting cryptocurrency users through carefully engineered social engineering campaigns. Operating behind a fictitious venture capital firm, Aureon Capital, and associated fronts such as Aureon Press and The OnChain Podcast, the group invites victims to fake podcast or media interviews on Zoom, talks them into granting Zoom remote control of their machine, and then uses that access to install malware.

Severity Level: High

Threat Overview:

1. Reconnaissance & Target Selection
   • Identifies high-value individuals in the cryptocurrency ecosystem (e.g., developers, investors, influencers).
   • TTPs:
     • Passive reconnaissance via public profiles (Twitter, LinkedIn, YouTube).
     • Creation of fake social media accounts and personas (e.g., @AureonCapital, @TheOnChainPod).
     • Use of websites such as aureoncapital[.]com and onchain-podcast[.]com to establish legitimacy.

2. Initial Contact
   • Direct messages via Twitter, Telegram, or email inviting targets to join a podcast or media interview.
   • Use of fake entities such as Aureon Press and The OnChain Podcast to enhance credibility.

3. Remote Access Acquisition
   • The engagement leads to a Zoom call in which the victim is asked to share their screen. While the screen is shared, the attacker sends a Zoom remote control request.
   • As described in the Trail of Bits write-up cited below, the attacker sets their Zoom display name to "Zoom", so the permission dialog reads as though the Zoom application itself is asking for control. A victim focused on the conversation clicks "Approve" without realising they are handing keyboard and mouse control to the other participant.

4. Infection
   • Once remote control is granted, the attacker drives the victim's machine directly and installs malware such as infostealers or remote access trojans (RATs). Observed executables include Comb_Setup.exe, Comb_Setup.tmp, and version_8.ocx.
   • These enable the threat actor to steal wallet credentials, private keys, and other sensitive data, or to conduct cryptocurrency theft directly from the controlled session.
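A remote control session leaves no malware-specific artefact of its own: the attacker is simply using the victim's keyboard and mouse, so the processes they launch are children of explorer.exe like any user-initiated program. The following added example (not code from Ampcus Cyber, Zoom, or Trail of Bits) shows a hunting approach that fits the kill chain above: it correlates process-creation telemetry with the interval in which Zoom.exe was running and flags (a) the filenames named in this advisory anywhere in the image path or command line, and (b) executables launched from user-writable locations while a Zoom session was active. The Sysmon-style events, the path heuristics, and the regsvr32 loading of version_8.ocx are constructed for the example and are not observed telemetry.

```python
# Added example: hunt for executions consistent with an ELUSIVE COMET remote
# control session. All events below are constructed Sysmon-style records.
from dataclasses import dataclass
from datetime import datetime

# Filenames named in the advisory as ELUSIVE COMET payloads (matched case-insensitively).
IOC_FILENAMES = {"comb_setup.exe", "comb_setup.tmp", "version_8.ocx"}

# Hypothetical heuristic: user-writable locations an attacker driving the
# victim's desktop would typically download and launch a payload from.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\public\\")


@dataclass
class ProcEvent:
    ts: datetime
    event_id: int          # Sysmon numbering: 1 = process create, 5 = process terminate
    image: str
    parent: str
    command_line: str = ""


def zoom_sessions(events):
    """Return (start, end) intervals during which Zoom.exe was running.

    A session that never terminated in the data runs to datetime.max.
    """
    sessions, start = [], None
    for e in sorted(events, key=lambda e: e.ts):
        if e.image.lower().endswith("\\zoom.exe"):
            if e.event_id == 1 and start is None:
                start = e.ts
            elif e.event_id == 5 and start is not None:
                sessions.append((start, e.ts))
                start = None
    if start is not None:
        sessions.append((start, datetime.max))
    return sessions


def _in_session(ts, sessions):
    return any(a <= ts <= b for a, b in sessions)


def hunt(events):
    """Return [(timestamp, image, reason), ...] for process creations worth review."""
    sessions = zoom_sessions(events)
    findings = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.event_id != 1:
            continue
        haystack = (e.image + " " + e.command_line).lower()
        if any(ioc in haystack for ioc in IOC_FILENAMES):
            findings.append((e.ts, e.image, "known ELUSIVE COMET filename"))
        elif _in_session(e.ts, sessions) and any(m in e.image.lower() for m in USER_WRITABLE_MARKERS):
            findings.append((e.ts, e.image, "user-writable path executed while Zoom was running"))
    return findings


# Constructed sample telemetry for one workstation (date and paths are made up).
def T(h, m):
    return datetime(2025, 4, 17, h, m)


SAMPLE_EVENTS = [
    ProcEvent(T(10, 0), 1, r"C:\Users\alice\AppData\Roaming\Zoom\bin\Zoom.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(T(10, 12), 1, r"C:\Users\alice\Downloads\Comb_Setup.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(T(10, 12), 1, r"C:\Users\alice\AppData\Local\Temp\is-K7Q2B.tmp\Comb_Setup.tmp",
              r"C:\Users\alice\Downloads\Comb_Setup.exe"),
    # Hypothetical: the installer registers the OCX through regsvr32, so the IOC
    # appears only in the command line, not in the image path.
    ProcEvent(T(10, 13), 1, r"C:\Windows\System32\regsvr32.exe",
              r"C:\Users\alice\AppData\Local\Temp\is-K7Q2B.tmp\Comb_Setup.tmp",
              r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\version_8.ocx"'),
    ProcEvent(T(10, 15), 1, r"C:\Users\alice\Downloads\updater.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(T(10, 20), 1, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(T(10, 40), 5, r"C:\Users\alice\AppData\Roaming\Zoom\bin\Zoom.exe", r"C:\Windows\explorer.exe"),
    # After the meeting ended: same path heuristic, but no Zoom session, so not flagged.
    ProcEvent(T(11, 30), 1, r"C:\Users\alice\Downloads\installer.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for ts, image, reason in hunt(SAMPLE_EVENTS):
        print(f"{ts:%H:%M}  {reason:<55} {image}")
```

The session correlation is what makes the second rule usable: "user launched something from Downloads" is far too noisy on its own, but "user launched something from Downloads in the middle of a Zoom call" is a small, reviewable set, and it catches payloads whose names the advisory does not list. In a real deployment the same logic would read Sysmon event ID 1/5 (or Windows Security 4688/4689) from the SIEM rather than an in-memory list.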

Recommendations:

1. Train staff to recognise unusual permission requests during video calls, particularly remote control requests, and to check which participant is asking: a prompt that appears to come from "Zoom" itself can be another participant who has renamed themselves.
2. Disable remote control capabilities by default in Zoom and other video platforms.
3. Configure tenant-wide policies to prevent remote desktop control unless it is explicitly needed.
4. Use waiting rooms and meeting authentication to prevent unauthorised access to virtual meetings.
5. Encourage users to share their screen only when necessary and never to display wallets, seed phrases, or other sensitive information live.
6. Enable application allowlisting to prevent execution of unknown binaries such as Comb_Setup.exe or version_8.ocx.
7. Block the indicators of compromise (IOCs) at the relevant controls: https://www.virustotal.com/gui/collection/c994957ad31bfa4a17ec161eeae73a6f0d797df8dd5a22c174cb122e5cabc6ff/iocs

Source:

• https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.html
• https://blog.trailofbits.com/2025/04/17/mitigating-elusive-comet-zoom-remote-control-attacks/

Ampcus Cyber