Russian malware communicates by leaving comments in Britney Spears's Instagram account


Originally published at:


Well that’s clever.


I’m not even mad, I’m impressed. That is extremely clever.


Yup. Novel and new, but in the past things like IRC channels, XMPP users, AIM users, etc. all have been used for C&C channels. Very much an evolution, and authors thinking, “where, where else can we put this stuff?”


Well, they are not going to be using it for much longer now…


Agreed. I consider myself an out-of-the-box thinker, but this makes me step back and say


This explains all YouTube comments


Aah, but Theresa May is to be the new sheriff, and she’s gonna clean up Internet Town, she sure is, I betcha. A couple of new laws and all this stuff is gonna be history…

…my arse.


So many key rotation opportunities - different accounts, false trails, etc.

But the surface vector is really low - Instagram could just strip all zero-width characters from their comments with a single API update.


Thi‍S is inter‍Esti‍Ng, but har‍Dly a ‍New form of comm‍Unication for malware. In‍Deed, w‍Ebsite comment thread‍S have been used this way for years.


Steganography is sad.



Oops, they did it again.


…and then break all the languages, like Arabic, which rely on zero-width characters.
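The fix proposed a few posts up (strip every zero-width character) runs into exactly this objection, since ZWJ/ZWNJ carry real shaping meaning in Arabic, Persian and several Indic scripts. As an added example, not code from the thread or from Instagram, here is a Python sanitizer that keeps a joiner only when its nearest visible neighbour is in a script that uses joiners, and removes and counts every other zero-width character so a comment with an unusual count can be flagged; the script list and the zero-width code-point set are my own assumptions.

```python
import unicodedata

# Zero-width code points that are invisible in rendered text and so can
# serve as a hidden carrier channel inside an otherwise normal comment.
# (Assumed set; ZWSP is also used legitimately for word breaks in Thai/Khmer.)
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}

# Scripts in which ZWNJ (U+200C) and ZWJ (U+200D) change letter shaping,
# so stripping them would corrupt real text. Assumed, non-exhaustive list;
# unicodedata names for these scripts start with these prefixes.
JOINER_SCRIPTS = ("ARABIC", "SYRIAC", "DEVANAGARI", "BENGALI", "GURMUKHI",
                  "GUJARATI", "TAMIL", "TELUGU", "KANNADA", "MALAYALAM",
                  "SINHALA", "MYANMAR", "KHMER")


def _neighbor_is_joiner_script(text, i):
    """True if the nearest non-zero-width character on either side of
    position i belongs to a script that legitimately uses joiners."""
    for step in (-1, 1):
        j = i + step
        while 0 <= j < len(text) and text[j] in ZERO_WIDTH:
            j += step
        if 0 <= j < len(text):
            name = unicodedata.name(text[j], "")
            if name.startswith(JOINER_SCRIPTS):
                return True
    return False


def scan_zero_width(text):
    """Return (cleaned_text, suspicious_count).

    ZWJ/ZWNJ adjacent to joiner-script text are preserved; every other
    zero-width character is removed from the output and counted, so the
    caller can both sanitize the comment and flag unusual densities."""
    out = []
    suspicious = 0
    for i, ch in enumerate(text):
        if ch in ZERO_WIDTH:
            if ch in ("\u200c", "\u200d") and _neighbor_is_joiner_script(text, i):
                out.append(ch)          # legitimate shaping control, keep it
            else:
                suspicious += 1         # invisible char in non-joining context
        else:
            out.append(ch)
    return "".join(out), suspicious
```

A Latin-script comment that still needs several zero-width characters to render is the case worth reviewing; Persian text containing ZWNJ passes through untouched.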


Reminds me of the old site about Britney teaching physics.


You are assuming they or indeed any large company gives a damn, has the tech chops to understand what you just said (at management levels) and can be convinced/forced to spend even ten cents on something that isn’t a profit center.

People can’t get some of these places to install basic security patches let alone actually write custom code for someone else’s benefit.


Britney Spears and Instagram.

Excellent! Never been there. Never done that.


Feature, not a bug? #PoesLaw


Yeah, Instagram has like 50 employees, they’re not really a “large” company. And their CTO wrote Instagram, he’s got tech chops.


That is a tough technical trick there. Think of all the properties that message needs to meet: 1) encodes the new URL, 2) hides the URL, 3) looks like a normal post, 4) hashes to a specific value. I am really interested in the algorithms and compute time required to generate such a message. It feels like it would be hard to forge such a message.