Malicious Twitter trends

Earlier tonight I was on my balcony and noticed a very rare phenomenon, at least when it comes to seeing it from Moscow: the Aurora. It was so beautiful, especially since it was the first time for me to see it. I decided to write about it on Twitter and then decided to search for “северное сияние” (Aurora in Russian) to see if others have noticed it too.

I saw a number of tweets from people in Moscow who also saw the Aurora. Then, I noticed “Morgan Freeman” listed in the Twitter Trends.

Thinking that something has happened to him I checked the tag and found a number of suspicious messages. After checking the URL I found they were malicious – a new attack being carried through Twitter right now, live.

Further investigation revealed several trending topics –‘Morgan Freeman’, ‘Advent Calendar’, ‘Pastor Maldonado’, ‘Toivonen’, ‘Grinch’ and ‘Hannukah’ – with various messages with the shortened URLs. Various shortening services were used:,,,,,,, – all pointing to malicious websites.

All these links lead to br********.com/about.html which will redirect user to bestivideos****.it. Then user will be redirected to myb****.com/flash/ where user will see the following ‘offer’:

This ‘codec’ is actually is malicious and detected by us as Trojan-Dropper.Win32.Drooptroop.ipl.

Be careful with current twitter trends because other popular topics may also lead to malicious messages!

UPD: number of messages with each malicious trend has grown to almost 3000 in about 40 minutes

Malicious Twitter trends

Your email address will not be published. Required fields are marked *



Focus on DroxiDat/SystemBC

An unknown actor targeted an electric utility in southern Africa with Cobalt Strike beacons and DroxiDat, a new variant of the SystemBC payload. We speculate that this incident was in the initial stages of a ransomware attack.

APT trends report Q2 2023

This is our latest summary of the significant events and findings, focusing on activities that we observed during Q2 2023.

Meet the GoldenJackal APT group. Don’t expect any howls

GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher.

Subscribe to our weekly e-mails

The hottest research right in your inbox