Fake CVS Recruiters, Compromised WordPress, and a 10MB Dropper: Anatomy of a Job Seeker Malware Campaign
TL;DR: A threat actor impersonating CVS Health recruiters on Indeed is delivering malware through a purpose-built phishing email domain and a compromised Jordanian WordPress site hosting a fake Microsoft Teams update page. The campaign leverages Google Workspace for email credibility, a 16-year-old legitimate domain for reputation laundering, and an auto-downloading ~10MB dropper consistent with the Oyster/Broomstick malware family. The phishing domain was registered just 8 days before the observed attack.
The Setup: From Job Application to Malware Delivery
In early March 2026, BGI flagged a multi-stage social engineering campaign targeting job seekers on Indeed. What distinguishes this operation from typical recruiter impersonation scams -- which usually end with fake check fraud or advance-fee schemes -- is its terminal payload: a fake Microsoft Teams installer designed to silently deploy an infostealer or backdoor.
The attack chain is clean, deliberate, and built for scale:
```text
STAGE 1 -- SOCIAL ENGINEERING
  Victim applies to legitimate-looking CVS Project Manager listing on Indeed
  Receives follow-up email from @cvshealthsinfo.com (NOT @cvshealth.com)
  Sender impersonates a real CVS employee by name
  Email contains link to "required software update"

STAGE 2 -- MALWARE DELIVERY
  Link: https://eai-jo.com/es-us.microsohtramsupdate
  Victim lands on compromised WordPress site (European Arab Institute, Jordan)
  Site serves a convincing fake Microsoft Teams update page

STAGE 3 -- PAYLOAD
  Page auto-downloads ~10MB executable (fake Teams installer)
  If executed: likely deploys Oyster/Broomstick backdoor
  Establishes C2, credential theft, lateral movement capability
```
The victim in this case did not execute the file and performed a factory reset -- the correct response. But the infrastructure behind this campaign reveals a well-organized operation with evidence of months of preparation and multiple parallel phishing domains.
The Phishing Domain: cvshealthsinfo.com
The attack's email layer is built on cvshealthsinfo.com, a domain registered on February 25, 2026 -- exactly 8 days before the observed attack. The domain was purpose-built as email-only phishing infrastructure.
| Field | Value |
|---|---|
| Domain | cvshealthsinfo.com |
| Created | 2026-02-25T07:00:00Z |
| Registrar | NameSilo, LLC |
| Privacy | PrivacyGuardian.org (user ID: c7576c4c) |
| A Record | 91.195.240.123 (SEDO GmbH parking, Germany) |
| MX Records | Google Workspace (ASPMX.L.GOOGLE.com + ALT1-4) |
| SPF | v=spf1 include:_spf.mail.google.com ~all |
| TLS | DigiCert Encryption Everywhere DV, issued 2026-02-25 |
| Web | HTTP 403 (no web content -- email-only) |
The operational choices here are noteworthy. The threat actor paid for Google Workspace, which gives their phishing emails legitimate DKIM signatures and SPF validation. Emails from @cvshealthsinfo.com would pass most email gateway checks because they are genuinely sent through Google's mail infrastructure. The A record points to SEDO domain parking because the attacker has no need for a web presence -- this domain exists solely to send emails.
The domain name itself exploits visual similarity: cvshealthsinfo.com versus the legitimate cvshealth.com. The extra "s" and "info" suffix create plausible confusion, especially on mobile devices where the full sender address may be truncated.
MITRE ATT&CK: Initial Access
| Technique | ID | Application |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Email with link to malware delivery site |
| Trusted Relationship | T1199 | Leverages Indeed platform trust for initial contact |
| Impersonation | T1656 | Impersonates real CVS employee by name |
Registrar Fingerprinting
All legitimate CVS domains use MarkMonitor as their registrar -- this is standard practice for Fortune 500 companies. The phishing domains use budget registrars:
| Domain | Registrar | Purpose | Verdict |
|---|---|---|---|
| cvshealth.com | MarkMonitor | Official corporate | Legitimate |
| cvshealthcareer.com | MarkMonitor | Defensive registration | Legitimate |
| cvshealthsinfo.com | NameSilo | Phishing email sender | Malicious |
| cvshealthinfo.com | GoDaddy | Earlier phishing domain | Suspected malicious |
This registrar mismatch is a reliable signal. Any CVS Health-branded domain not registered through MarkMonitor warrants immediate suspicion.
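As an added illustration (not code from the original report), the following Python scores a candidate domain on the three signals described in this section and the one before it: the brand string appearing in a non-allowlisted name, a registrar other than MarkMonitor, and a young creation date. The WHOIS-style records are constructed from the report's tables; the 90-day age threshold, the naive second-level-label parsing, and the `None` placeholders for values the report does not give are assumptions.

```python
from datetime import date

BRAND = "cvshealth"
# Allowlisted brand domains and the brand owner's registrar, both from the report.
LEGIT_DOMAINS = {"cvshealth.com", "cvshealthcareer.com"}
EXPECTED_REGISTRAR = "markmonitor"
YOUNG_DOMAIN_DAYS = 90  # assumed threshold; the phishing domain was 8 days old when used
REPORT_DATE = "2026-03-05"  # the investigation date used as "today"

# Constructed WHOIS-style records mirroring the report's tables. Values the
# report does not state (legit creation dates, cvs-healthcare.com registrar) are None.
RECORDS = [
    {"domain": "cvshealth.com", "registrar": "MarkMonitor Inc.", "created": None},
    {"domain": "cvshealthsinfo.com", "registrar": "NameSilo, LLC", "created": "2026-02-25"},
    {"domain": "cvshealthinfo.com", "registrar": "GoDaddy.com, LLC", "created": "2025-08-21"},
    {"domain": "cvs-healthcare.com", "registrar": None, "created": None},
    {"domain": "example.org", "registrar": "Example Registrar", "created": None},
]

def second_level_label(domain: str) -> str:
    """Label left of the TLD; naive (no public-suffix list), adequate for .com names."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def brand_lookalike(domain: str) -> bool:
    """True when the brand string appears in the label once hyphens are removed."""
    return BRAND in second_level_label(domain).replace("-", "")

def assess(record: dict, today: str = REPORT_DATE) -> dict:
    """Apply the report's signals: brand lookalike, registrar mismatch, domain age."""
    domain = record["domain"].lower()
    if domain in LEGIT_DOMAINS:
        return {"domain": domain, "verdict": "legitimate", "reasons": ["allowlisted"]}
    if not brand_lookalike(domain):
        return {"domain": domain, "verdict": "unrelated", "reasons": []}
    reasons = ["brand string in non-allowlisted domain"]
    registrar = record.get("registrar")
    if registrar and EXPECTED_REGISTRAR not in registrar.lower():
        reasons.append(f"registrar mismatch: {registrar}")
    if record.get("created"):
        age = (date.fromisoformat(today) - date.fromisoformat(record["created"])).days
        if age < YOUNG_DOMAIN_DAYS:
            reasons.append(f"domain only {age} days old")
    # One corroborating signal on top of the lookalike itself is enough to escalate.
    verdict = "suspicious" if len(reasons) >= 2 else "review"
    return {"domain": domain, "verdict": verdict, "reasons": reasons}

if __name__ == "__main__":
    for rec in RECORDS:
        print(assess(rec))
```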
The Delivery Platform: A Compromised Jordanian WordPress Site
The malware delivery infrastructure is hosted on eai-jo.com, the legitimate website of the European Arab Institute (EAI) in Amman, Jordan -- a training and business solutions provider affiliated with Cambridge International College. The domain is 16 years old, registered in 2009, and has accumulated years of clean reputation history. This is precisely why the threat actor chose it.
| Field | Value |
|---|---|
| Domain | eai-jo.com |
| Created | 2009-11-09 |
| IP | 192.250.239.61 |
| Hosting | WHG Hosting Services Ltd (AS51713), London |
| CMS | WordPress 6.9.1 |
| Malicious path | /es-us.microsohtramsupdate (now 404) |
Compromise Evidence: 1,268 Gambling Spam Posts and Counting
The compromise of this site extends far beyond the malware delivery page. As of March 5, 2026, the site contains 1,268 injected gambling spam posts, all published under WordPress admin user ID 1 -- confirming the administrator account itself is compromised. The spam content promotes Mostbet and 1xbet gambling operations in Russian, Uzbek, Arabic, English, Portuguese, French, and Danish, with external links pointing to mostbet-uz.c-society.ru (Russian gambling infrastructure).
Posts were being added continuously, with the most recent injection timestamped 2026-03-04T23:36:19 UTC -- less than 24 hours before this investigation confirmed the compromise.
The Likely Initial Access Vector: Slider Revolution 6.5.20
The site runs Slider Revolution version 6.5.20, a plugin from 2022 that is critically outdated (current version: 6.7+). This version is vulnerable to:
- CVE-2025-9217: Arbitrary file read via path traversal (CVSS 6.5)
- Multiple older RCE and file upload vulnerabilities in the RevSlider lineage
Combined with the default admin username (confirmed via exposed WordPress REST API user enumeration), this site was effectively an open door.
| Plugin | Version | Risk |
|---|---|---|
| Slider Revolution | 6.5.20 | Critical -- known CVEs, 3+ years outdated |
| Elementor | Unknown | Present |
| Porto Theme | 6.6.0 | Present |
| WPML | 4.5.7 | Present |
MITRE ATT&CK: Resource Development & Execution
| Technique | ID | Application |
|---|---|---|
| Compromise Infrastructure: Web Services | T1584.006 | Compromised WordPress site for payload hosting |
| Exploit Public-Facing Application | T1190 | Slider Revolution vulnerability exploitation |
| Drive-by Compromise | T1189 | Auto-download from fake update page |
| User Execution: Malicious File | T1204.002 | Victim must run the downloaded installer |
URL Obfuscation: Deliberate Typosquatting
The malicious URL path deserves close analysis:
Full URL: https://eai-jo.com/es-us.microsohtramsupdate
Path deconstruction:
- "es-us" → mimics Microsoft's locale prefix format (en-us, es-es)
- "microsohtramsupdate" → typosquat of "microsoftteamsupdate"

Character-level comparison:
```text
Malicious: m-i-c-r-o-s-o-h-t-r-a-m-s-u-p-d-a-t-e (19 chars)
Intended:  m-i-c-r-o-s-o-f-t-t-e-a-m-s-u-p-d-a-t-e (20 chars)
Substitutions: 'f' → 'h', 'te' → 'r' (collapsed)
```
This is not a clean anagram. It is a deliberate obfuscation designed to pass the glance test while evading exact-match string detection rules for "microsoftteamsupdate" in security products. The es-us locale prefix adds visual legitimacy -- it looks like a localized Microsoft download path.
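The detection gap described above, as an added example that is not part of the original report: instead of an exact-string rule, the Python below strips the locale prefix from a URL path and rates the remaining token by edit distance against a brand watchlist, so the campaign's `microsohtramsupdate` (three edits away from `microsoftteamsupdate`) is flagged alongside the exact spelling. The watchlist, the three-edit threshold and the sample paths are assumptions.

```python
import re

# Brand path tokens a fake "software update" page is likely to imitate; the
# constructed watchlist holds only the token this campaign typosquatted.
BRAND_TOKENS = ["microsoftteamsupdate"]

# Microsoft-style locale prefixes ("en-us.", "es-us.") are cosmetic: strip them
# so the comparison runs on the brand token alone.
LOCALE_PREFIX = re.compile(r"^[a-z]{2}-[a-z]{2}\.", re.IGNORECASE)

def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize_path(path: str) -> str:
    """Last path segment, lower-cased, without locale prefix or file extension."""
    seg = path.strip("/").split("/")[-1].lower()
    seg = LOCALE_PREFIX.sub("", seg)
    return seg.rsplit(".", 1)[0]

def score_path(path: str, max_distance: int = 3) -> dict:
    """Rate a URL path against the watchlist.

    'exact' is what an exact-string rule would catch; 'lookalike' also covers
    near misses within max_distance edits, which is where the campaign's
    "microsohtramsupdate" (distance 3) lands.
    """
    token = normalize_path(path)
    closest, dist = min(((t, levenshtein(token, t)) for t in BRAND_TOKENS),
                        key=lambda x: x[1])
    return {"token": token, "closest": closest, "distance": dist,
            "exact": dist == 0, "lookalike": dist <= max_distance}

if __name__ == "__main__":
    # Constructed samples: the campaign's path, a benign-looking exact spelling,
    # and an unrelated download.
    for p in ("/es-us.microsohtramsupdate", "/en-us.microsoftteamsupdate.exe",
              "/wp-content/uploads/brochure.pdf"):
        print(p, score_path(p))
```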
Malware Assessment: Oyster/Broomstick (HIGH Confidence)
The actual payload could not be recovered -- the malicious path now returns 404, no sandbox captured the URL before it was rotated, and the victim factory-reset the device that downloaded the file. However, the delivery pattern provides a strong basis for malware family attribution.
| Candidate | Confidence | Rationale |
|---|---|---|
| Oyster/Broomstick | HIGH | Exact delivery pattern match: fake MSTeamsSetup.exe, ~10MB, auto-download from compromised WordPress. Known to use fraudulent code-signing certificates. |
| Chaya_002 | MEDIUM | Uses compromised WordPress with payloads in wp-includes/images/, but no matching JS injection found on eai-jo.com. |
| SocGholish/FakeUpdates | LOW | Typically JavaScript-based payloads, not direct EXE auto-downloads. |
Oyster (also tracked as Broomstick by some vendors) has been documented delivering fake Teams installers via compromised WordPress sites in multiple campaigns throughout 2025-2026. Known Oyster distribution domains include teams-install[.]top, teams-install[.]icu, and team[.]frywow[.]com. The malware deploys a backdoor DLL (CaptureService.dll) that establishes C2 communication and enables credential theft.
Why VirusTotal Missed It
The victim reported that VirusTotal did not flag the delivery site. This is expected for several reasons:
- Fresh URL -- no prior scans existed in the VT database
- Server-side cloaking -- the page may have served benign content to automated scanners
- Short-lived payload -- the malicious page was rotated quickly
- Reputation laundering -- eai-jo.com has 16 years of clean history; domain reputation systems gave it a pass
The Broader Campaign: CVS Health Impersonation at Scale
This malware delivery operation is one node in a broader CVS Health impersonation campaign operating across multiple job platforms. ScamPulse reports and victim accounts reveal a range of tactics -- from malware delivery to financial fraud -- unified by the CVS Health brand:
| Scam Email | Platform | Method |
|---|---|---|
| *@cvshealthsinfo.com | Indeed | Malware dropper (this investigation) |
| Renee@cvs-healthcare.com | Multiple | Reported on ScamPulse |
| cvshealth.service@gmail.com | ZipRecruiter | Fake check scheme ($2,951.98) |
| cvshealthrecruiter@gmail.com | | Equipment purchase scam ($300) |
| recruiter.cvs@outlook.com | Multiple | Job offer scam |
The campaign uses rotating personas -- "BRANDON," "Lynn," "Sandra Atkinson," "Patryk Mccormick," "Michelle Peluso" -- and spans Indeed, ZipRecruiter, LinkedIn, Facebook, Google Hangouts, Microsoft Teams, Signal, and WhatsApp. The multi-platform presence and rotating infrastructure suggest an organized group, not a lone actor.
Hosting History and Compromise Timeline
Wayback Machine and Shodan data reveal that eai-jo.com was suspended by its hosting provider in July 2025, then restored. The first compromise indicators appear on February 7, 2026, when suspicious numeric paths (/1817810962, /1932074703, etc.) characteristic of automated injection were captured. The phishing domain was registered 18 days later. This timeline suggests the attacker identified and compromised the restored WordPress site, then built the phishing email infrastructure to drive victims to it.
| Date | Event |
|---|---|
| 2025-08-21 | cvshealthinfo.com registered (possible early campaign domain) |
| ~2026-02-07 | eai-jo.com shows first compromise evidence (Wayback: numeric path injection) |
| 2026-02-25 | cvshealthsinfo.com registered + Google Workspace configured |
| 2026-02-28 | eai-jo.com receives fresh Let's Encrypt certificate |
| ~2026-03-04 | Victim receives fake CVS recruiter email; malware auto-downloads |
| 2026-03-05 | Investigation confirms active compromise, 1,268+ spam posts |
Indicators of Compromise
Domains
| Indicator | Type | Status |
|---|---|---|
| cvshealthsinfo.com | Phishing email domain | ACTIVE |
| cvshealthinfo.com | Suspected phishing domain | ACTIVE (parked) |
| eai-jo.com/es-us.microsohtramsupdate | Malware delivery URL | DOWN (404) |
IP Addresses
| IP | ASN | Use |
|---|---|---|
| 91.195.240.123 | AS47846 SEDO GmbH, DE | cvshealthsinfo.com parking |
| 192.250.239.61 | AS51713 WHG Hosting, GB | eai-jo.com (compromised host) |
| 15.197.148.33 | AWS Global Accelerator | cvshealthinfo.com |
Email Addresses (Campaign-wide)
| Address | Platform |
|---|---|
| *@cvshealthsinfo.com | Indeed |
| Renee@cvs-healthcare.com | Multiple |
| cvshealth.service@gmail.com | ZipRecruiter |
| cvshealthrecruiter@gmail.com | |
| recruiter.cvs@outlook.com | Multiple |
| sandra.atkinson@outlook.com | |
WHOIS Fingerprint
| Field | Value |
|---|---|
| Privacy Service | PrivacyGuardian.org |
| User ID | c7576c4c |
| Proxy Email | pwp-3e72b54607104b1f68f1ed2c9b7ddd51@privacyguardian.org |
| Proxy Phone | +1.3478717726 |
Reference Oyster/Broomstick IOCs
Known hashes from related Oyster campaigns (MSTeamsSetup.exe variants):
Known Oyster C2 domains:
Detection Signatures
Email Gateway Rule
```text
sender_domain IN (
  "cvshealthsinfo.com",
  "cvshealthinfo.com",
  "cvs-healthcare.com"
)
AND subject CONTAINS ("position", "role", "interview", "job", "offer", "recruiter")
→ BLOCK + QUARANTINE
```
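The gateway rule above, turned into a retrospective hunt over mail logs as an added example (not part of the original report): it parses a constructed CSV export, tags deliveries the rule would have blocked, and also surfaces deliveries from the blocked domains whose subjects carry none of the keywords, since the keyword clause alone would hide those from a historical search. The log format and all sample rows are constructed.

```python
import csv
import io

# Sender domains and subject keywords from the report's email gateway rule.
BLOCKED_SENDER_DOMAINS = {"cvshealthsinfo.com", "cvshealthinfo.com", "cvs-healthcare.com"}
SUBJECT_KEYWORDS = ("position", "role", "interview", "job", "offer", "recruiter")

# Constructed mail-gateway export, not a real log: one delivery per row.
SAMPLE_LOG = """\
timestamp,sender,recipient,subject
2026-03-04T14:02:11Z,hr@cvshealthsinfo.com,alice@example.org,Project Manager position - next steps
2026-03-04T14:05:40Z,noreply@cvshealth.com,bob@example.org,Your application was received
2026-03-04T15:17:03Z,talent@cvshealthinfo.com,carol@example.org,Interview scheduling
2026-03-04T16:30:55Z,news@cvshealthsinfo.com,dave@example.org,Weekly newsletter
"""

def sender_domain(address: str) -> str:
    """Domain part of an address, tolerating 'Name <user@domain>' forms."""
    return address.strip().rstrip(">").rsplit("@", 1)[-1].lower()

def rule_matches(sender: str, subject: str) -> bool:
    """The gateway rule: blocked sender domain AND a recruiting keyword in the subject."""
    return (sender_domain(sender) in BLOCKED_SENDER_DOMAINS
            and any(k in subject.lower() for k in SUBJECT_KEYWORDS))

def hunt(log_text: str) -> list:
    """Return every delivery from a blocked domain, tagged by why it surfaced.

    Rows the gateway rule would have blocked get 'block'; rows from a blocked
    domain whose subject lacks a keyword get 'review', so the keyword clause
    does not hide them from the retrospective hunt.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if sender_domain(row["sender"]) not in BLOCKED_SENDER_DOMAINS:
            continue
        action = "block" if rule_matches(row["sender"], row["subject"]) else "review"
        hits.append({"recipient": row["recipient"], "sender": row["sender"],
                     "subject": row["subject"], "action": action})
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit['action']:6} {hit['recipient']:<20} {hit['sender']:<28} {hit['subject']}")
```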
Snort/Suricata Rule
```text
alert http any any -> any any (
  msg:"BGI - CVS Recruiter Campaign - FakeUpdates Delivery";
  content:"eai-jo.com"; http_host;
  content:"microsohtramsupdate"; http_uri;
  sid:2026030501; rev:1;
)
```
YARA Rule
```text
rule FakeTeamsInstaller_CVSCampaign {
  meta:
    description = "Detects fake MS Teams installer from CVS recruiter campaign"
    date = "2026-03-05"
    reference = "TEAO-2026-0305-001"
  strings:
    $url1 = "eai-jo.com" ascii wide
    $url2 = "microsohtramsupdate" ascii wide
    $url3 = "cvshealthsinfo.com" ascii wide
  condition:
    uint16(0) == 0x5A4D and filesize > 5MB and filesize < 15MB and any of ($url*)
}
```
Defensive Recommendations
For Security Operations Teams
- Block the IOC domains at DNS and email gateway level immediately. The phishing domain uses Google Workspace, so SPF/DKIM checks alone will not catch it -- you need explicit domain blocklisting.
- Hunt for historical email delivery from `@cvshealthsinfo.com` and `@cvshealthinfo.com` across mail logs. Any employee who received and clicked should be triaged for endpoint compromise.
- Deploy the Snort/Suricata signature for network-level detection of the delivery URL pattern.
- Monitor for typosquat variations of your organization's recruiting domains. Threat actors rotate infrastructure frequently -- `cvshealthsinfo.com` will eventually be burned and replaced.
For Job Seekers
- Verify recruiter domains -- legitimate CVS emails come from `@cvshealth.com`, not `@cvshealthsinfo.com`. Check the full sender address, not just the display name.
- Never install software from recruiter links. Real Microsoft Teams downloads come from `microsoft.com` or `teams.microsoft.com` only.
- Check domain age using any WHOIS lookup tool. A domain registered days or weeks ago claiming to represent a Fortune 500 company is a definitive red flag.
- If you downloaded but did not execute: delete the file, run a full antivirus scan, and monitor accounts for unauthorized access. The victim in this case did the right thing.
For WordPress Site Operators
This campaign exploited a WordPress site running Slider Revolution 6.5.20 -- a plugin from 2022 with known critical vulnerabilities. If you run WordPress:
- Audit your plugin versions against CVE databases. Slider Revolution alone has a history of path traversal, RCE, and arbitrary file upload vulnerabilities.
- Never use `admin` as your username. The WordPress REST API exposes usernames by default via `/wp-json/wp/v2/users/`.
- Restrict REST API access and disable external access to `wp-cron.php`.
- Monitor for injected content -- 1,268 gambling spam posts went unnoticed on this site for weeks.
Conclusion
This campaign is a case study in how commodity threat actors build effective attack infrastructure on a budget. For roughly $1 (NameSilo domain registration) plus a Google Workspace subscription, the attacker created a phishing email platform that passes SPF/DKIM validation. For the delivery layer, they spent nothing at all -- compromising a neglected WordPress site with a three-year-old Slider Revolution vulnerability and leveraging its 16-year domain reputation to bypass URL filtering.
The threat actor profile fits an initial access broker or commodity malware distributor operating within the Oyster/Broomstick ecosystem. They are financially motivated, operationally experienced (multiple domains, rotating personas, multi-platform presence), and will continue to iterate. The shift from GoDaddy email hosting on the August 2025 domain to Google Workspace on the February 2026 domain shows active operational learning -- each iteration gets harder to detect.
The broader pattern is worth watching. Job seekers are high-volume, low-sophistication targets who are psychologically primed to follow instructions from apparent authority figures. As job platforms become a standard delivery mechanism for malware campaigns, defenders need to treat recruiter impersonation emails with the same scrutiny they apply to financial phishing -- because the payload at the end of the chain is increasingly the same.
Classification: TLP:CLEAR | Investigation ID: TEAO-2026-0305-001 | Published: 2026-03-08