Operation CallSpoof

Tags: Oyster, Broomstick, SEO-poisoning, supply-chain-lite
Operation CallSpoof is a malicious ad and SEO campaign that tricks users into downloading fake Microsoft Teams installers. These installers drop the Oyster (Broomstick) backdoor in AppData, set up a scheduled task for persistence, and connect to attacker servers for control. The campaign uses fake signatures and spoofed websites to appear legitimate and bypass basic checks.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

T1608.006 Stage Capabilities: SEO Poisoning

ID: DS0035
Data Source: Internet Scan
Data Component: Response Content
Detects: If infrastructure or patterns in the malicious web content related to SEO poisoning or Drive-by Target have been previously identified, internet scanning may uncover when an adversary has staged web content supporting a strategic web compromise. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on other phases of the adversary lifecycle, such as Drive-by Compromise or Exploitation for Client Execution.

T1204.002 User Execution: Malicious File

ID: DS0022
Data Source: File
Data Component: File Creation
Detects: Monitor for files created in unusual directories or files with suspicious extensions. Focus on common locations like the Downloads folder, Temp directories, or the user's Desktop, especially files that would be of interest from spearphishing attachments. While batch files are not inherently malicious, it is uncommon to see them created after OS installation, especially in the Windows directory. This analytic looks for the suspicious activity of a batch file being created within the C:\Windows\System32 directory tree. There will be only occasional false positives due to administrator actions. For macOS, utilities that work in concert with Apple's Endpoint Security Framework, such as File Monitor, can be used to track file creation events.

T1053.005 Scheduled Task/Job: Scheduled Task

ID: DS0017
Data Source: Command
Data Component: Command Execution
Detects: Monitor for commands being executed via schtasks or other utilities related to task scheduling.
Analytic 1: Look for schtasks.exe execution with arguments indicative of task creation/modification.
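
One way to express Analytic 1 over process-creation command lines, as an added example that is not part of the original page: it flags schtasks create/change invocations and raises the severity when the task action points into a user-writable path such as AppData, where this campaign's backdoor is dropped. The path list, severity labels, function names and sample events are assumptions constructed for illustration.

```python
import re

# Matches the schtasks image name, bare or with a full path, quoted or not.
IMAGE_RE = re.compile(r'(?:^|[\\\s"])schtasks(?:\.exe)?(?=["\s]|$)', re.I)
# Switches that create or modify a task (Analytic 1 in the text above).
VERB_RE = re.compile(r'(?<!\S)/(create|change)\b', re.I)
# /tr value: a double-quoted string (backslash pairs allowed, so \" nests) or one bare token.
TR_RE = re.compile(r'(?<!\S)/tr\s+("(?:\\.|[^"\\])*"|\S+)', re.I)
# Assumption: user-writable locations worth escalating; AppData is the drop location named on this page.
USER_WRITABLE_RE = re.compile(
    r'\\appdata\\|%(?:local)?appdata%|\\users\\public\\|\\temp\\|%temp%', re.I)


def triage(cmdline):
    """Return None for non-matching command lines, else (severity, verb, action)."""
    if not IMAGE_RE.search(cmdline):
        return None
    verb = VERB_RE.search(cmdline)
    if not verb:
        return None  # e.g. /query or /run: not creation or modification
    tr = TR_RE.search(cmdline)
    action = tr.group(1).strip('"') if tr else ""
    severity = "high" if USER_WRITABLE_RE.search(action) else "review"
    return severity, verb.group(1).lower(), action


# Constructed process-creation command lines (task names and paths are made up).
SAMPLE_EVENTS = [
    r'schtasks.exe /Create /TN "ExampleTask" /TR "C:\Users\alice\AppData\Roaming\example\helper.exe" /SC MINUTE /MO 15 /F',
    r'C:\Windows\System32\schtasks.exe /change /tn ExampleTask2 /tr %LOCALAPPDATA%\example\run.cmd',
    r'schtasks /create /tn "Backup" /tr "\"C:\Program Files\Backup\backup.exe\" --nightly" /sc daily',
    r'schtasks /query /fo LIST',
    r'notepad.exe C:\Users\alice\AppData\Roaming\notes.txt',
]


def scan(events):
    """Return (index, severity, verb, action) for every create/change hit."""
    return [(i, *hit) for i, e in enumerate(events) if (hit := triage(e))]


if __name__ == "__main__":
    for row in scan(SAMPLE_EVENTS):
        print(row)
```

The "review" tier keeps ordinary administrator task creation visible without paging on it; only actions resolving to user-writable paths are escalated.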

Observed Countries: 250