Protecting Our Platform: How Teramind Is Responding to the Misuse of Our Software by Threat Actors

12th of March, 2026
By Isaac Kohen, CIO at Teramind

Earlier last month, security researchers published two detailed reports documenting how cybercriminals built fake Zoom and Google Meet websites to trick people into downloading software onto their machines without their knowledge. Threat actors obtained a Teramind trial installer and distributed a modified version of it without Teramind’s authorization or involvement. 

We want to talk openly about what happened, what we’ve done about it, and what we’re changing.

 

What Happened

Threat actors created convincing phishing sites that impersonated Zoom and Google Meet. Visitors were shown what appeared to be a live video call with connection issues. After a few seconds, a fake “update” prompt appeared, and a renamed Teramind installer file was automatically downloaded to the visitor’s machine. Installation could then occur if the user executed the downloaded file and approved the installer prompt.

Our systems were not breached. Our infrastructure was not compromised. The activity involved third parties obtaining a trial installer and distributing it without Teramind’s authorization as part of a phishing campaign. While this misuse did not involve any compromise of our platform, we recognize that software bearing our name was distributed in a way that could mislead users, and we take that seriously. Teramind software is designed for lawful enterprise compliance monitoring and security purposes. Any distribution or deployment of the software outside of authorized enterprise use is something we don’t agree with and violates our Terms of Service.

 

What We Did Immediately

Promptly after becoming aware of this campaign, our security and operations teams moved to contain it. Every known Teramind instance identified in connection with these attacks has been shut down, as have additional instances that our internal investigation flagged as potentially related. Those accounts have been permanently terminated.

 

What We’re Changing

Containing the immediate threat was the first step. But we recognize that responding to individual incidents isn’t enough. As part of our ongoing security improvements, we are implementing additional safeguards designed to reduce the likelihood of similar misuse. Here is what we are doing:

Improving Our Automated Free Trials Process

We have stopped all automated free trial provisioning while we implement stronger fraud prevention checks. Previously, a bad actor could sign up for a free trial and immediately generate a fully functional agent installer. That pathway is now closed. New trial access will require additional verification before any agent can be deployed.

Tightening Our Know Your Customer (KYC) Verification

We are improving our KYC program to require more stringent identity verification before granting full platform access. Our goal is straightforward: make it significantly harder for anonymous bad actors to obtain a working Teramind deployment while keeping the process practical for the legitimate businesses we serve.

Blocking Dashboard Access from Anonymizing Services

In addition to our forced MFA already in place, we are integrating an IP reputation API to screen all connections to the Teramind dashboard. Access attempts originating from VPNs, proxies, Tor exit nodes, and other anonymizing services will be blocked. Threat actors rely on these services to obscure their identity when setting up and managing fraudulent instances. Removing that cover makes it harder to operate on our platform without leaving a traceable footprint, and it complements the KYC checks by adding a real-time technical layer to our identity verification efforts.

Addressing Stealth Mode and Installer Flexibility

We need to be direct about this, because it featured prominently in the reporting. Teramind offers a deployment option called Hidden Agent, commonly referred to as stealth mode. In its intended context, this is a legitimate and widely used enterprise feature. Organizations deploy our agents in hidden mode for insider threat detection, compliance monitoring, and security investigations. This occurs on company-owned devices, with appropriate legal authorization and employee notice policies in place.

In this campaign, threat actors exploited that capability to install our agent on personal devices without the victim’s knowledge. This represents an intentional misuse of the feature outside its intended enterprise context and our Terms of Service. We are implementing additional safeguards around how the feature is provisioned.

Going forward, stealth mode will not be available on any authorized Teramind accounts, trial or paid, without going through our extended KYC process. We’ve removed specific options available to the installer that would allow it to be deployed in stealth mode, and a new installation will now show a pop-up on the endpoint during the installation. Trial deployments will operate in this revealed installer mode only, meaning the agent’s presence will be visible to the user of the device during installation. This will make it clear that Teramind is being installed and will not give the false impression that some other program, such as a Zoom or Google Meet updater, is being installed. Full stealth deployment capabilities will be restricted to verified, paid accounts that have completed our extended KYC process.

The reported deep dive documented how a single binary could serve multiple attacker accounts because the installer reads its configuration from its own filename. Attackers exploited this by renaming the file to include their account identifier, disguising it as a Zoom or Google Meet component.

We are enforcing a fixed filename structure for installation files so that the installer name can no longer be arbitrarily changed. This removes the ability for a threat actor to rebrand the file to impersonate other software.

Certificate Pinning: One Agent, One Instance

One of the technical changes we want to highlight addresses the potential mechanisms that may have made malicious attacks scalable. As the analysis detailed, a single installer binary could be pointed at any number of attacker-controlled accounts by intentionally and maliciously modifying the base Teramind code and changing the filename or overriding configuration properties at install time. 

To address this, we are implementing additional controls so that agents can verify they are communicating only with the Teramind instance for which they were generated. For example, we are implementing certificate pinning so that each agent is cryptographically bound to a specific Teramind instance. If a threat actor attempts to redirect the agent to a different server, the connection will fail.

This significantly reduces the ability to redirect installed agents to unrelated instances.
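
The pinning check described above, as an added example that is not Teramind's code: an agent carries the SHA-256 fingerprint of the certificate of the one instance it was generated for and refuses any other server, even one with an otherwise valid certificate. The function names, the whole-certificate fingerprint scheme and the sample byte strings are assumptions; the byte strings are constructed stand-ins for DER certificates.

```python
import hashlib
import hmac
import socket
import ssl


def cert_pin(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def is_pinned(der_cert: bytes, pins: frozenset) -> bool:
    """True only if the presented certificate matches a pin built into the agent."""
    if not der_cert or not pins:
        return False  # fail closed: no certificate or no pins means no connection
    seen = cert_pin(der_cert)
    matched = False
    for pin in pins:  # check every pin; compare_digest avoids timing differences
        matched |= hmac.compare_digest(seen, pin.lower())
    return matched


def connect_pinned(host: str, port: int, pins: frozenset, timeout: float = 10.0):
    """Open a TLS connection and keep it only if the server certificate is pinned."""
    ctx = ssl.create_default_context()  # chain and hostname validation still apply
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    if not is_pinned(tls.getpeercert(binary_form=True), pins):
        tls.close()
        raise ssl.SSLError("server certificate does not match this agent's pin")
    return tls


# Constructed stand-ins for the DER certificates of two separate instances.
INSTANCE_A_CERT = b"constructed DER bytes: certificate of instance A"
INSTANCE_B_CERT = b"constructed DER bytes: certificate of instance B"

# Assumption: the pin set is fixed when the agent is generated for instance A.
AGENT_PINS = frozenset({cert_pin(INSTANCE_A_CERT)})

if __name__ == "__main__":
    print("instance A accepted:", is_pinned(INSTANCE_A_CERT, AGENT_PINS))
    print("instance B accepted:", is_pinned(INSTANCE_B_CERT, AGENT_PINS))
```

Pinning the whole certificate means the agent has to be regenerated when that certificate is rotated; pinning the public key or carrying a backup pin avoids that.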

Limiting Free Trial Scope

Free trial accounts will now be limited to a maximum of five connected agents unless a Proof of Value agreement is in place. This constraint is designed to make our trial useful for legitimate evaluation purposes while sharply reducing its value as a tool for broad surveillance campaigns. 

Fraud Detection and Ongoing Enforcement

We have deployed new algorithms and enhanced detection capabilities specifically designed to identify fraudulent instances across our cloud deployments. Our fraud team is actively checking for patterns consistent with misuse. This includes anomalous signup behavior, unusual agent deployment patterns, and connections from infrastructure associated with known malicious activity. Instances identified as potentially abusive are being shut down proactively.

This is an ongoing effort that will continue to be improved upon as new threat vectors emerge. 

Report Misuse

We have created a dedicated Report Misuse page on our website. If anyone believes Teramind software is being distributed or used in a way that violates our Terms of Service or applicable law, we want to hear about it. Reports submitted through this form go directly to our security team for investigation.

 

A Broader Problem, and Our Responsibility Within It

The misuse of legitimate commercial software by threat actors is not unique to Teramind. It is a growing pattern across the enterprise software industry. Remote access tools, IT management platforms, and behavior telemetry solutions have all been co-opted by attackers precisely because they are trusted, professionally built, and designed to operate reliably. 

If malicious actors modify our services beyond their intended and authorized purpose, if someone is harmed by software that carries our name, we will take action. We will investigate and take steps consistent with our Terms of Service and security policies. 

We are examining how malicious actors exploit our platform and will continue to make structural changes that reduce the likelihood of it happening again. For clarity, the specific accounts involved have been shut down. Addressing those accounts was the initial step. The additional precautionary safeguards described above, designed to further strengthen controls, reflect our ongoing efforts to operate our platform responsibly and continue earning the trust organizations place in Teramind.

 

Our Commitment

Teramind is used by thousands of organizations around the world for lawful insider threat protection, compliance monitoring, and workforce productivity management. That trust is something we have tirelessly worked to earn over years, and it is something we intend to protect. Teramind does not authorize the installation of its software on devices without appropriate authorization from the device owner or administrator and in compliance with applicable laws and organizational policies.

We will continue to be transparent about this situation as our response evolves. If you are an existing customer with questions about these changes, please reach out to your account team. If you are a security researcher with information related to this or similar campaigns, we welcome your outreach through our Report Misuse page so we can work with you directly.

We have always been a company that demonstrates instead of talks. We look forward to showing everyone what we ship and what we stand for.
