Developers, Air-Gapped Systems, and Zoom Meetings

Feb 26, 2026

Developers Are the New Initial Access Vector

This week, Microsoft published research on a campaign where attackers are creating fake software repositories that look like legitimate coding projects.

Some are disguised as job interview assignments. Others appear to be harmless starter templates built with Next.js. On the surface, everything feels normal:

  • Clone the repo.
  • Install dependencies.
  • Run the project.

But hidden inside the workflow is malicious code that quietly establishes a command-and-control channel. Once that connection is made, attackers can execute remote commands, steal data, or maintain persistence on the developer’s machine.

What makes this especially concerning:

  • The malicious code is embedded in ordinary development steps (install, build, run) rather than in an obviously suspicious file
  • It can trigger from install or build scripts, or simply from running the project locally
  • It targets developers who are used to quickly running unfamiliar code
  • It exploits trust in open repositories and job-related projects

Even tools like Visual Studio Code can become part of the execution chain if scripts are wired into the project's task definitions (for example, a task configured to run automatically when the folder is opened). This is a subtle shift: the developer workflow itself is becoming the attack surface.
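The practical question is: where in a freshly cloned repo can code run without me deliberately invoking it? The script below is an added example, not code from Microsoft's research or from this page. It audits a checkout for the three auto-run paths described above: npm lifecycle hooks in package.json (which npm executes during `npm install`), build/dev scripts containing suspicious tokens, and VS Code tasks set to run on folder open. The sample "starter template" it builds is constructed here for illustration, and its commands are placeholders, not indicators from the campaign.

```python
# Added example, not code from Microsoft's research or from the page: a
# pre-flight audit for a freshly cloned JavaScript/Next.js repository. It
# lists every place where code would run without the developer deliberately
# invoking it: npm lifecycle hooks in package.json, build/dev scripts with
# suspicious tokens, and VS Code tasks set to run on folder open. The sample
# repository is constructed here; its commands are placeholders, not IoCs.
import json
import re
import tempfile
from pathlib import Path

# Scripts npm runs on its own during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Tokens worth a second look in any script, including the ones you run yourself.
SUSPICIOUS = re.compile(
    r"(curl|wget|base64|node\s+-e|powershell|Invoke-|child_process|eval\()",
    re.IGNORECASE,
)


def _load_jsonc(path: Path) -> dict:
    """Parse JSON, tolerating the // line comments VS Code accepts in tasks.json."""
    text = path.read_text(encoding="utf-8")
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return json.loads(re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE))


def audit_package_json(root: Path) -> list:
    findings = []
    pkg = root / "package.json"
    if not pkg.is_file():
        return findings
    for name, cmd in _load_jsonc(pkg).get("scripts", {}).items():
        if name in LIFECYCLE_HOOKS:
            findings.append({"file": "package.json", "key": name, "command": cmd,
                             "reason": "runs automatically during npm install"})
        elif SUSPICIOUS.search(cmd):
            findings.append({"file": "package.json", "key": name, "command": cmd,
                             "reason": "script contains a suspicious token"})
    return findings


def audit_vscode_tasks(root: Path) -> list:
    findings = []
    tasks_file = root / ".vscode" / "tasks.json"
    if not tasks_file.is_file():
        return findings
    for task in _load_jsonc(tasks_file).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            findings.append({"file": ".vscode/tasks.json", "key": task.get("label", "?"),
                             "command": task.get("command", ""),
                             "reason": "runs when the folder is opened in VS Code"})
    return findings


def audit_repo(root) -> list:
    """Audit a checkout; run this before `npm install` or opening it in an editor."""
    root = Path(root)
    return audit_package_json(root) + audit_vscode_tasks(root)


def build_sample_repo() -> Path:
    """Constructed 'starter template' with two hidden auto-run paths."""
    root = Path(tempfile.mkdtemp(prefix="starter-"))
    (root / "package.json").write_text(json.dumps({
        "name": "nextjs-starter",
        "scripts": {
            "dev": "node -e \"require('./scripts/setup')\" && next dev",
            "build": "next build",
            "postinstall": "node scripts/setup.js",
            "lint": "next lint",
        },
    }, indent=2), encoding="utf-8")
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(
        "{\n  // comments are allowed in this file\n  \"version\": \"2.0.0\",\n"
        "  \"tasks\": [{\"label\": \"Prepare workspace\", \"type\": \"shell\",\n"
        "             \"command\": \"node scripts/setup.js\",\n"
        "             \"runOptions\": {\"runOn\": \"folderOpen\"}}]\n}\n",
        encoding="utf-8")
    return root


if __name__ == "__main__":
    for f in audit_repo(build_sample_repo()):
        print(f"[{f['file']}] {f['key']}: {f['command']}  <- {f['reason']}")
```

Run it against the clone before `npm install` and before opening the folder in an editor. Two standing mitigations pair well with it: `npm install --ignore-scripts` skips the lifecycle hooks entirely, and VS Code's Restricted Mode (Workspace Trust) keeps tasks from running until you explicitly trust the folder.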


Air Gaps Aren’t What They Used to Be

A separate report from Zscaler highlights how APT37 is expanding its capabilities, including techniques designed to reach air-gapped environments.

The campaign, dubbed Ruby Jumper, begins with weaponized Windows shortcut (LNK) files. From there, a chain of custom malware establishes persistence, moves laterally across systems, and exfiltrates data.

What stands out is how removable media is used to bridge isolated networks. Instead of relying purely on internet-based command-and-control, operators use USB devices to pass commands into air-gapped systems and retrieve collected data. In other words, physical separation alone is no longer a reliable boundary.

Air-gapped systems are often treated as inherently secure. This research is a reminder that isolation by itself isn’t a strategy.

  • Controls around removable media matter: which devices may mount, and what may execute from them.
  • Monitoring shortcut file execution matters: a double-clicked LNK shows up as explorer.exe spawning the shortcut's target.
  • Endpoint visibility still matters, on the isolated side as much as on the connected one.
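To make those three bullets concrete, here is an added example (not code from the Zscaler report or from this page) that turns them into rules over Sysmon-style process-create (EventID 1) and file-create (EventID 11) records. It flags script hosts launched under explorer.exe (the shape of a double-clicked shortcut), shortcuts written to removable media, and non-shell processes writing to removable media. Sysmon does not label drive types, so the set of removable drive letters is an input; the assumption is that the caller maps it from an inventory source such as Win32_LogicalDisk with DriveType 2. The events are constructed, not captured from Ruby Jumper.

```python
# Added example, not from the Zscaler report or the page: rules that
# operationalize "control removable media", "monitor LNK execution" and
# "keep endpoint visibility" over Sysmon-style EventID 1 (process create)
# and EventID 11 (file create) records. Sysmon does not label drive types,
# so removable drive letters are passed in (assumption: mapped from an
# inventory such as Win32_LogicalDisk DriveType=2). Events are constructed.
from pathlib import PureWindowsPath

# Hosts a double-clicked LNK typically points at; explorer.exe is the parent
# because the shell resolves the shortcut and launches its target.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe"}


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _drive(path: str) -> str:
    return PureWindowsPath(path).drive.upper()  # e.g. "E:"; "" if no drive


def evaluate(event: dict, removable: set) -> list:
    """Return zero or more alerts for a single event."""
    alerts = []
    eid = event.get("EventID")
    if eid == 1:
        image = _basename(event.get("Image", ""))
        parent = _basename(event.get("ParentImage", ""))
        cwd = event.get("CurrentDirectory", "")
        if parent == "explorer.exe" and image in SCRIPT_HOSTS:
            # Launched from the shell's working dir on a USB stick: treat as high.
            on_usb = _drive(cwd) in removable
            alerts.append({"rule": "shortcut-style launch of script host",
                           "severity": "high" if on_usb else "medium",
                           "detail": f"{image} under explorer.exe, cwd={cwd}"})
    elif eid == 11:
        target = event.get("TargetFilename", "")
        writer = _basename(event.get("Image", ""))
        if _drive(target) in removable:
            if target.lower().endswith(".lnk"):
                # A shortcut dropped on removable media is the classic bridge.
                alerts.append({"rule": "shortcut written to removable media",
                               "severity": "high", "detail": f"{writer} -> {target}"})
            elif writer != "explorer.exe":
                # Users copy files via the shell; scripts staging data do not.
                alerts.append({"rule": "non-shell process wrote to removable media",
                               "severity": "medium", "detail": f"{writer} -> {target}"})
    return alerts


def detect(events: list, removable: set) -> list:
    return [a for e in events for a in evaluate(e, removable)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": EXPLORER,
     "CommandLine": r"cmd.exe /c start /min powershell -w hidden -f E:\.cache\run.ps1",
     "CurrentDirectory": "E:\\"},
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "ParentImage": EXPLORER, "CommandLine": "Code.exe",
     "CurrentDirectory": r"C:\Users\dev"},
    {"EventID": 1, "Image": PS, "ParentImage": EXPLORER, "CommandLine": "powershell",
     "CurrentDirectory": r"C:\Users\dev\Desktop"},
    {"EventID": 11, "Image": PS, "TargetFilename": r"E:\Quarterly Report.lnk"},
    {"EventID": 11, "Image": PS, "TargetFilename": r"E:\.cache\collected.dat"},
    {"EventID": 11, "Image": EXPLORER, "TargetFilename": r"E:\photos\IMG_0001.jpg"},
    {"EventID": 11, "Image": PS,
     "TargetFilename": r"C:\Users\dev\AppData\Local\Temp\out.txt"},
]
REMOVABLE_DRIVES = {"E:"}

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, REMOVABLE_DRIVES):
        print(f"{a['severity']:6} {a['rule']}: {a['detail']}")
```

The rules are deliberately coarse: explorer.exe launching cmd.exe from a user's desktop is common, so it only rates medium. What matters is the correlation the page is pointing at: script hosts, shortcut files and removable drives showing up together on a machine that is supposed to have no outside connection at all.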

Beware the Fake Zoom “Update” Scam

A new phishing campaign is making the rounds, and it’s cleverly disguised as a routine Zoom update.

Security researchers at Malwarebytes uncovered the scam after spotting fake Zoom meeting pages that look almost identical to the real thing. Victims receive what appears to be a legitimate meeting link. When they click it, they’re taken to a convincing Zoom waiting room screen.

Everything looks normal at first.

Then a message appears saying a “Zoom update” is required to join the meeting. A countdown timer adds urgency. Once the timer runs out, a malicious file downloads automatically. Instead of installing a real update, the file installs surveillance-style malware that can monitor activity on the victim’s computer.

How the Scam Works

  • You receive a meeting link (usually via email or message).
  • The link opens a fake Zoom waiting room page.
  • A pop-up claims you need to install an update.
  • The “update” installs malware instead.

The attackers rely heavily on urgency and familiarity. Most people use Zoom regularly, so an update request doesn’t seem suspicious.

How to Protect Yourself

  • Only update Zoom from the installed client or from the official website.
  • Treat any "update required" prompt that appears inside a web page as a red flag; the client updates itself, and a meeting page has no reason to push an installer at you.
  • Hover over links before clicking and read the hostname itself, not just whether "zoom" appears somewhere in the address.
  • Keep your security software up to date.

If something feels rushed or unusual, pause. Real software updates don’t need a dramatic countdown timer.
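"Check the actual URL" is easy to get wrong: looking for "zoom" somewhere in the address passes lookalikes like zoom.us.update-meeting.example or https://zoom.us@evil.example/. The function below is an added example (not from Malwarebytes or this page) that does the check the way a browser resolves the link: it takes the parsed hostname, which discards any username trick before the @, requires https, refuses punycode labels that hide Unicode lookalikes, and then matches the registrable domain or a subdomain of it. The assumption that zoom.us and zoom.com are the vendor's own domains is mine; adjust the list for whatever product you are vetting. The candidate links are constructed.

```python
# Added example, not from Malwarebytes or the page: the "read the actual
# URL" check done on the parsed hostname rather than by substring search.
# Assumption: zoom.us and zoom.com (and their subdomains) are the vendor's
# own hosts. The candidate links below are constructed for illustration.
from urllib.parse import urlsplit

VENDOR_DOMAINS = ("zoom.us", "zoom.com")


def is_vendor_link(url: str, vendor_domains=VENDOR_DOMAINS) -> bool:
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False  # a meeting or update link that is not https is already wrong
    host = parts.hostname  # lowercased; "user@" prefix and ":port" are stripped here
    if not host:
        return False
    try:
        host = host.encode("idna").decode("ascii")  # Unicode lookalikes become xn-- labels
    except UnicodeError:
        return False
    if any(label.startswith("xn--") for label in host.split(".")):
        return False  # the vendor hosts assumed above are plain ASCII
    return any(host == d or host.endswith("." + d) for d in vendor_domains)


def triage(urls: list) -> dict:
    """Map each candidate link to True (vendor host) or False (do not click)."""
    return {u: is_vendor_link(u) for u in urls}


# Constructed candidates: two real-looking join links and four lookalike tricks.
CANDIDATES = [
    "https://zoom.us/j/123456789",
    "https://us02web.zoom.us/j/123456789?pwd=abc",
    "https://zoom.us.update-meeting.example/j/123456789",   # vendor name as a prefix
    "https://zoom.us@evil.example/j/123456789",             # userinfo trick
    "https://zoom-us.example/update",                       # hyphenated lookalike
    "http://zoom.us/j/123456789",                           # not https
    "https://z\u043e\u043em.us/j/123456789",                # Cyrillic o's
]

if __name__ == "__main__":
    for link, ok in triage(CANDIDATES).items():
        print(("vendor   " if ok else "REJECT   ") + link)
```

A legitimate join page may still offer to download the Zoom client if it is not installed, but that download comes from the vendor's own hostname and never arrives on a countdown. A page that fails this check is not a place to accept any file from, "update" or otherwise.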