Attacks on video conferencing systems: Interception of payment sessions via Zoom, Teams, and Meet

Good Carder

From a carder to carders. For a long time, video conferencing was considered the gold standard for verification. Employees would receive a suspicious email, and instead of blindly clicking, they would simply pull up a colleague on Zoom. Seeing a face, hearing a voice — that was enough to deem the transaction safe. In 2026, that era is over.

In 2026, video conferencing is no longer a reliable verification method. It has become the main attack vector. Carders infiltrate internal meetings, conduct confidential conversations, and defraud employees of hundreds of thousands of dollars. Deepfake face swapping, video stream injections, OTP code retransmission via chats, and automated bots for mass phishing — these are your new weapons. This article explains how to take control of Zoom sessions and turn Teams into a data theft tool.

In this article, I'll examine the "MFA bypass via Teams tokens" vector, the CVE-2026-22844 attack (gaining full control of a network via a Zoom meeting), Zoom phishing pages that steal sessions, screenshot exfiltration via Telegram bots, and complex schemes where a fake Microsoft call center resolves your payment issues. And, of course, OPSEC for those fighting on this new battlefield.


Part 1. Why Video Conferencing Is the New Target

Video conferencing is the perfect balance between trust and vulnerability. People tend to believe what they see and hear. In 2026, carders have learned to fake both. Hacking a meeting room no longer requires physical entry; sending an invitation is enough.

Three pillars of video conferencing vulnerability:
  1. The human factor. Voice and face still command the highest level of trust.
  2. A rich attack interface. Screencasts, chats, reactions, and remote control — conference functionality opens up a wealth of opportunities for data interception.
  3. Technical complexity of protection. Today, companies use Teams and Zoom, which have become end-to-end communications platforms. Protecting something that the entire business has a stake in is incredibly difficult, making them the single most vulnerable point in your security perimeter.

In 2026, unauthorized access to meetings has evolved from internet trolling to sophisticated corporate espionage. Carders don't just join meetings; they infiltrate internal conferences on a regular basis and conduct private conversations with employees, posing as their colleagues. Video conferencing has ceased to be a means of verification and has become a target for attack.

Part 2. Zoom Hacking: From Command to Remote Code

Zoom remains a prime target for cybercriminals due to its popularity and rich functionality.

2.1. CVE-2026-22844 – How one meeting participant destroys the entire infrastructure

This isn't a simple camera takeover; it's an infrastructure hacking command. We're talking about vulnerability CVE-2026-22844, which affects Zoom Node Multimedia Routers (versions prior to 5.2.1716.0).

The attack works like this: if you are in a Zoom meeting whose traffic passes through the company's Zoom Node Multimedia Routers, you gain the ability to inject commands into them; the vulnerability is rated CVSS 9.9 out of 10. Simply put, any meeting participant can become a full-fledged network administrator with rights to modify the entire video conferencing infrastructure, leading to a "total collapse." A specially crafted malicious packet sent over the network during the meeting is enough to gain control of the media traffic processing nodes. What payment data, exactly, are we talking about? These are the servers that host all video streams and, more importantly, handle file and billing data exchange.

What makes it even more frightening: this vulnerability was discovered by Zoom's own security team, not by outside researchers. In 2026, a network injection attack doesn't require hacking the victim's local machine — it only requires being in a session with a corporate user and sending the right traffic.

And this isn't a "theoretical" bug. Zoom has released an emergency patch for millions of organizations, but as always, patch deployment can take months, and vulnerable servers are still sitting on corporate networks around the world. For carders, this means the opportunity to compromise payment streams in "internal" company meetings will remain open for a long time.

2.2. Fake Zoom links and the distribution of "droppers"

This is the oldest and most widespread attack method, but carders have taken it to a new level.
  • Case Study 2026: Carders register domains that mimic official Zoom links (e.g., app.us4zoom.us). The victim clicks the link and sees a page indistinguishable from the real one. Clicking "Start Meeting" triggers a download of a malicious installer (ZoomApp_v.3.14.dmg) instead of the local client.
  • Theft mechanism: The installer is a Trojan that prompts the victim to enter a password in the terminal and then collects system information, Keychain data, and cookies, compresses them, and sends them to a remote server, such as 141.98.9.20. The collected data allows carders to steal crypto wallet seed phrases and private keys.

In this attack, carders used the Telegram API to monitor whether the victim clicked the download button, allowing them to track victims in real time. This is an ideal setup for a carder targeting crypto investors, who often use Zoom to discuss deals.
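From the defender's side, the lookalike-link pattern above (app.us4zoom.us, a "join" link that serves ZoomApp_v.3.14.dmg) is cheap to catch before anyone clicks. The following is an added example, not code from this post; it assumes an allowlist of Zoom's own domains and a naive last-two-labels registrable-domain check, both labelled in the comments:

```python
from urllib.parse import urlparse

# Domains accepted as genuine Zoom join links (assumption: Zoom's own domains; add a
# vanity subdomain such as yourcompany.zoom.us only if you actually use one).
ALLOWED_REGISTRABLE = {"zoom.us", "zoom.com"}
# Leetspeak swaps seen in lookalike hostnames; undone before searching for the brand token.
LEET = str.maketrans({"0": "o", "3": "e", "1": "i", "5": "s"})
INSTALLER_EXT = (".dmg", ".exe", ".msi", ".pkg", ".zip")

def registrable_domain(host: str) -> str:
    """Last two labels of the host: a naive eTLD+1 that is fine for .us/.com
    (use the public suffix list for multi-part suffixes such as .co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify_zoom_link(url: str) -> dict:
    """Verdict for a link that claims to be a Zoom meeting link:
    genuine (allowlisted domain), lookalike (brand in host, wrong domain) or unknown."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host) if host else ""
    if reg in ALLOWED_REGISTRABLE:
        verdict = "genuine"
    elif "zoom" in host.translate(LEET):
        verdict = "lookalike"
    else:
        verdict = "unknown"
    # A "join" link that hands the user an installer is the dropper pattern, whatever the host.
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    serves_installer = filename.endswith(INSTALLER_EXT)
    # Block lookalikes outright; block unknown hosts only when they push an installer.
    block = verdict == "lookalike" or (verdict == "unknown" and serves_installer)
    return {"host": host, "registrable": reg, "verdict": verdict,
            "serves_installer": serves_installer, "block": block}
```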

2.3. Deepfake injection: when the "face" does not belong to the victim

This attack vector elevates the threat to the level of third-generation social engineering.

Here's an example of how carders managed to steal a million: a finance employee receives an urgent request to transfer a large sum. Following corporate protocol, he requests a video call. Upon joining the conference, he sees his CFO and several familiar colleagues in their usual places. All faces look real, all voices sound authentic. The only problem: every face in this conference, except the victim's, was created by AI. The employee approved the transfer of millions without even suspecting the deception.

We now have tools for creating synthetic video streams in real time. Deepfake video techniques can be used to conduct phishing Zoom meetings in which the victim is convinced to provide payment information, a 2FA code, or transfer funds directly to a controlled account.

Conclusion: Video verification is no longer secure. Company protocols that rely on on-camera verification by a manager should be reviewed.

Part 3. Microsoft Teams: Vishing, Token Theft, and GIFShell

Microsoft Teams is becoming more and more popular in corporate environments, and carders are actively taking advantage of it.

3.1. Stealing MFA tokens via Teams chats

In January 2026, a large-scale phishing campaign targeting Microsoft Teams was discovered, in which carders bypassed traditional email security and delivered over 12,000 malicious emails to over 6,000 users across various industries.

The attack exploits the legitimate "Invite a Guest" feature in Teams. You create a Team with a name that mimics an urgent payment notification: "Subscription Auto-Pay Notice (Invoice ID: 2025_614632PPOT_SAG Amount at least 629.98 USD). If you did not authorize or complete this monthly payment, please contact our support team urgently." You then invite the victim to this Team via an official Microsoft email — impeccable design, authentic subject lines, and passing all email checks.

The victim sees a legitimate email from Microsoft, navigates to Teams, sees an "invoice" to be paid, and calls the fake support number provided. During the call, the carder coaxes the victim's login, password, and MFA codes, gaining full access to the account.

This method bypasses 2FA head-on: you don't hack the technology — you force the victim to dictate an authentication code to reset their corporate email password. From the corporate email, you gain access to bank accounts and payment orders.

For the carder, the most valuable feature here is the ability to masquerade as the billing system. Payment data can be obtained by posing as the billing department "verifying an incorrect payment." An attack targeting business accounts can generate tens of thousands of dollars with a single call. This is how carders trick victims into calling back fake support numbers to resolve a payment issue.

OPSEC for the attacker: Use Caller ID spoofing with numbers similar to the Microsoft hotline number. When registering domains for Team Names, use letter similarities (for example, replacing o with 0 or e with 3) to bypass security filters.
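A mail or collaboration-security team can score the guest-invite team name itself, since in this campaign the lure lives in that string. This is an added detection example, not part of the post; the keyword lists, regexes and thresholds are assumptions to tune locally, and the leetspeak map covers the o/0 and e/3 swaps mentioned above:

```python
import re

URGENCY = {"urgent", "urgently", "immediately", "suspended", "unauthorized", "overdue"}
PAYMENT = {"invoice", "payment", "auto-pay", "autopay", "subscription", "billing", "refund", "charge"}
# Undo the o->0 / e->3 style substitutions so "inv0ice" still matches the keyword list.
LEET = str.maketrans({"0": "o", "3": "e", "1": "i", "5": "s", "@": "a"})
AMOUNT_RE = re.compile(r"\d{1,3}(?:,\d{3})*(?:\.\d{2})?\s*(?:usd|eur|gbp)\b|[$€£]\s?\d", re.I)
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
INVOICE_RE = re.compile(r"\b(?:invoice|order|ref)\s*(?:id|no\.?|#)?\s*[:#]?\s*[A-Z0-9_]{6,}", re.I)

def score_team_name(name: str) -> dict:
    """Score a Teams guest-invite team name for payment-lure indicators (assumed heuristics)."""
    lowered = name.lower()
    raw = set(re.findall(r"[a-z0-9@-]+", lowered))
    normalized = {t.translate(LEET) for t in raw}
    keywords = normalized & (URGENCY | PAYMENT)
    hits = []
    if normalized & URGENCY:
        hits.append("urgency")
    if normalized & PAYMENT:
        hits.append("payment")
    if keywords - raw:          # keyword appears only after undoing leetspeak
        hits.append("homoglyph")
    if AMOUNT_RE.search(lowered):
        hits.append("amount")
    if PHONE_RE.search(name):   # a number to call is the hallmark of the callback scam
        hits.append("phone")
    if INVOICE_RE.search(name):
        hits.append("invoice_id")
    level = "high" if len(hits) >= 3 else "medium" if hits else "low"
    return {"hits": hits, "level": level}
```

A team name that scores "high" is a reasonable trigger to hold the invite e-mail for review rather than deliver it, since the invite itself is otherwise authentic Microsoft mail.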

3.2. GIFShell – a hidden control channel via GIF

The GIFShell attack represents a breakthrough in traffic obfuscation techniques.

The main component of the attack is called "GIFShell." The attacker sends the victim a GIF file that actually contains hidden instructions. This file is synchronized via Microsoft servers, and the attacker can send commands for execution and read the responses through GIF image searches.

In a classic C2 (Command-and-Control) attack, traffic between the hacker and the victim is direct, making it easy to detect. GIFShell forwards control commands through Microsoft's own legitimate servers, disguising them as a regular GIF search.

Here's how it works:
  1. The carder sends the victim a GIF file containing encrypted commands.
  2. A special script on the victim's machine (GIFShell Python script) interprets this GIF as a command.
  3. The result of the command is uploaded to Microsoft servers as a GIF search.
  4. The carder reads these "search queries" and retrieves the data.

By gaining control of a corporate chat using GIFShell, a carder can force the victim to take a screenshot of their desktop and forward it to themselves in order to obtain any payment summaries, reports, and billing information.
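Because the return channel is a GIF search, a defender's handle on GIFShell is the shape of those search terms: a real user searches for words, not a stream of long base64-looking tokens. The following is an added example, not from the post; the log format and the gifsearch.example host are constructed placeholders, and the entropy and rate thresholds are assumptions:

```python
import math
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed proxy-log excerpt, "<epoch> <client_ip> <url>". The search host is a
# placeholder; the encoded-looking q= values are rotations of one base64 string.
LOG = """\
1700000000 10.0.0.5 https://gifsearch.example/api/search?q=happy+friday
1700000001 10.0.0.5 https://gifsearch.example/api/search?q=cat
1700000005 10.0.0.7 https://gifsearch.example/api/search?q=QWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo
1700000010 10.0.0.9 https://gifsearch.example/api/search?q=QWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo
1700000011 10.0.0.9 https://gifsearch.example/api/search?q=ZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoQWJj
1700000012 10.0.0.9 https://gifsearch.example/api/search?q=Z2hpamtsbW5vcHFyc3R1dnd4eXoQWJjZGVm
1700000013 10.0.0.9 https://gifsearch.example/api/search?q=amtsbW5vcHFyc3R1dnd4eXoQWJjZGVmZ2hp
"""
ENCODED_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")  # one long base64/hex-like token
MIN_ENTROPY = 4.0   # bits per char (assumed); multi-word terms contain spaces and fail the regex anyway
WINDOW_S = 60       # repeated encoded searches inside this window trigger an alert
MIN_HITS = 3

def shannon_entropy(s: str) -> float:
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_encoded(q: str) -> bool:
    """True when a GIF search term is a single long high-entropy token rather than words."""
    return bool(ENCODED_RE.fullmatch(q)) and shannon_entropy(q) >= MIN_ENTROPY

def find_gif_exfil(log_text: str) -> list:
    """Alert on clients with >= MIN_HITS encoded-looking GIF searches within WINDOW_S seconds."""
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, url = line.split(maxsplit=2)
        parsed = urlparse(url)
        q = parse_qs(parsed.query).get("q", [""])[0]
        if parsed.path.endswith("/search") and looks_encoded(q):
            stamps[client].append(int(ts))
    alerts = []
    for client, times in stamps.items():
        times.sort()
        # sliding window: any MIN_HITS consecutive hits within WINDOW_S is enough
        if any(times[i + MIN_HITS - 1] - times[i] <= WINDOW_S for i in range(len(times) - MIN_HITS + 1)):
            alerts.append({"client": client, "hits": len(times), "first": times[0], "last": times[-1]})
    return alerts
```

The single odd search from 10.0.0.7 stays below the rate threshold, which keeps one-off pastes of tokens out of the alert queue while the sustained pattern from 10.0.0.9 is surfaced.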

Part 4. Video stream injection and QR code substitution during a meeting

Old phishing techniques aren't dead — they've simply migrated to streaming.

During a public meeting with screen sharing, you can pixel-swap the video stream in real time. Software like OBS Studio allows you to overlay any image on the video.

The process is simple:
  1. You find an open webinar on "investments" or "payment security."
  2. You run a local proxy that replaces the incoming video stream of the Zoom client.
  3. You embed your own QR code into the frame, which leads to a fake payment site, replacing the original payment QR.

The victim sees a QR code for payment at an "official" presentation, scans it, and enters their details on a phishing website. It's that simple.

For corporate meetings without screen sharing, we use social engineering via chat. Having hijacked the chat, we send payment links on behalf of the meeting participants.

Part 5. OTP Interception Techniques and Screen Reading

If a victim makes a payment during a video conference, we can intercept that data in real time.
  • Intercept 2FA via screen capture: When the victim shares their screen, you can record it covertly. When the victim receives an SMS confirmation code, it is displayed on that screen as well.
  • Malicious browser extensions: Carders distribute fake conference recording extensions that intercept active bank tabs with OTP codes.

Part 6. Bots for Mass Webinar Participation: Phishing on an Industrial Scale

The dirtiest and most effective scheme for the mass market: you create bots that automatically find webinars on crypto trading and investing, register for them, and flood chats with malicious links.

In August 2025, researchers identified the "Elusive Comet" group, which specializes in exploiting Zoom to steal cryptocurrency. Their strategy involves searching the web for advertisements for upcoming Zoom webinars on cryptocurrency, obtaining registration links, and automatically adding dozens of fake participants from shell accounts. Posing as "organizers," they send malicious links.

The profits are automatic: a chat with thousands of users, where the administrator promises "free trade analysis" and asks users to click a link to verify their wallet.

Part 7. Complete Attacker's Checklist (OPSEC for Conf-Call)

  1. OSINT: Use LinkedIn to find finance people and collect their email addresses.
  2. Infrastructure: Prepare domains for emails and malicious sites.
  3. Honeypot: Create a decoy team in Teams or a fake Zoom meeting.
  4. Weapons: To intercept MFA tokens, use offline frameworks (e.g., evilginx2). To distribute malicious links, use conference chats.
  5. Account Hacking: Once you have obtained the MFA token, log into the victim's email account.
  6. Profit making: Use email to find payment details and initiate a fake transfer or intercept supplier invoices.

Summary

In 2026, video conferencing is the primary battleground for payment data. Technology has evolved beyond phishing. We intercept MFA tokens through Teams, send hidden commands via GIFs, and use fake faces to get transfers of millions of dollars approved.

Communication platforms are the most secure systems in any company; that's why they're the biggest targets. Protocols that require visual confirmation from management must be reconsidered. The only reliable protection now is hardware keys and strict adherence to organizational-level information security policies.

A quick one-line reminder:
"In 2026, video conferencing no longer protects companies — it makes them vulnerable. CVE-2026-22844 turns any meeting participant into a network administrator. GIFShell bypasses corporate firewalls via GIFs. Deepfake coworkers steal millions. Your next call with the 'CFO' could cost you a fortune."