
Operation CallSpoof
Tags: Oyster, Broomstick, SEO-poisoning, supply-chain-lite
Operation CallSpoof is a malicious ad and SEO campaign that tricks users into downloading fake Microsoft Teams installers. These installers drop the Oyster (Broomstick) backdoor in AppData, set up a scheduled task for persistence, and connect to attacker servers for control. The campaign uses fake signatures and spoofed websites to appear legitimate and bypass basic checks.
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
T1608.006 Stage Capabilities: SEO Poisoning
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0035 | Internet Scan | Response Content | If infrastructure or patterns in the malicious web content related to SEO poisoning or Drive-by Target have been previously identified, internet scanning may uncover when an adversary has staged web content supporting a strategic web compromise. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on other phases of the adversary lifecycle, such as Drive-by Compromise or Exploitation for Client Execution. |
T1204.002 User Execution: Malicious File
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0022 | File | File Creation | Monitor for files created in unusual directories or files with suspicious extensions. Focus on common locations like the Downloads folder, Temp directories, or the user’s Desktop, especially files that would be of interest from spearphishing attachments. While batch files are not inherently malicious, it is uncommon to see them created after OS installation, especially in the Windows directory. This analytic looks for the suspicious activity of a batch file being created within the C:\Windows\System32 directory tree. There will be only occasional false positives due to administrator actions. For macOS, utilities that work in concert with Apple’s Endpoint Security Framework such as File Monitor can be used to track file creation events. |
T1053.005 Scheduled Task/Job: Scheduled Task
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0017 | Command | Command Execution | Monitor for commands being executed via schtasks or other utilities related to task scheduling. Analytic 1 - Look for schtasks.exe execution with arguments indicative of task creation/modification. |
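The schtasks analytic in the T1053.005 row above can be tied to the campaign summary's AppData drop location to produce a first-pass detection. The following is an added example, not part of the original campaign record: it runs over constructed process command lines (the task names, user names and file paths are placeholders, not indicators from this campaign) and flags any task creation or modification whose action runs from a user's AppData directory.

```python
import re

# Constructed process-creation command lines for the demo; the task names,
# user names and file paths are placeholders, not indicators from this campaign.
SAMPLE_EVENTS = [
    r'schtasks.exe /Create /SC MINUTE /MO 11 /TN "UpdaterTask" '
    r'/TR "rundll32.exe C:\Users\alice\AppData\Roaming\CustomDir\placeholder.dll,Start" /F',
    r'schtasks.exe /Create /SC DAILY /TN "Backup" /TR "C:\Program Files\Vendor\backup.exe"',
    r'schtasks.exe /Query /TN "UpdaterTask"',
    r'C:\Windows\System32\schtasks.exe /Change /TN "Maint" /TR "C:\Users\bob\AppData\Local\Temp\run.exe"',
    r'notepad.exe C:\Users\alice\notes.txt',
]

# /Create or /Change preceded by start-of-line or whitespace (\b does not work before '/').
TASK_WRITE_RE = re.compile(r'(?:^|\s)/(?:create|change)\b', re.IGNORECASE)
# The /TR value is either a double-quoted string or a single unquoted token.
TR_RE = re.compile(r'(?:^|\s)/TR\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# A \Users\<name>\AppData\ path component sequence anywhere inside the task action.
APPDATA_RE = re.compile(r'\\users\\[^\\]+\\appdata\\', re.IGNORECASE)


def task_action(cmdline):
    """Return the /TR (task-run) argument of a schtasks command line, or None."""
    m = TR_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def is_appdata_task_write(cmdline):
    """True when schtasks creates or changes a task whose action runs from a user's AppData."""
    if 'schtasks' not in cmdline.lower():
        return False
    if not TASK_WRITE_RE.search(cmdline):
        return False
    action = task_action(cmdline)
    return action is not None and APPDATA_RE.search(action) is not None


def scan(events):
    """Return the subset of command lines that match the analytic."""
    return [e for e in events if is_appdata_task_write(e)]


if __name__ == '__main__':
    for hit in scan(SAMPLE_EVENTS):
        print('ALERT scheduled task pointing into AppData:', hit)
```

Queries and tasks whose action lives under Program Files are deliberately left alone, so the analytic is narrower than alerting on every schtasks /Create.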
Observed Countries (250)