New tool allows script kiddies to build botnets via Twitter!

Today i found a new tool which will allow anyone to create a malicious program with just a few simple mouse clicks. When the malicious program is executed the infected computer is connected to a botnet which communicates via Twitter and is used for various illegal purposes.

The tool, which is publically available, is called TwitterNET Builder. It only requires two mouse clicks to create a malicious program which will turn a normal computer into a node in a botnet. TwitterNET Builder will create a profile on Twitter which the infected computer will contact to receive commands and instructions.

This malicious code does not contain any distribution mechanism and must be manually run on the victim computer, but these tools can be executed when combined with a drive-by attack or a worm that spreads via a new-found vulnerability, for instance.

At the time of writing, the tool has been released in two versions; Sunbelt describes the first version ( as a tool with a handful of hard coded commands with static names which can execute functions such as downloading and executing files, performing distributed denial of service attacks, opening websites but also controlling the communication between the infected computer and Twitter. A detailed description of the available commands is mentioned in their original blog post.

The new version of the TwitterNET Builder allows the attacker to specify the names of the command making it much harder to identify which accounts are being used for controlling these botnets.

How do I protect myself against this?

Since this tool does not have its own distribution mechanisms it needs to be manually downloaded and executed – for example, it might arrive as an attachment in an email, or as a file sent via a instant messaging client. You need to be careful executing email attachments or files sent to you in a chat conversation. You also need to be careful that you do not get infected through a drive-by attack, which may exploit vulnerability in for example your browser.

Most of these malicious tools re-use functions and code which is easy to identify by effective antivirus software. Make sure that your anti-virus software is updated and that you have installed all security patches from all third party vendors

New tool allows script kiddies to build botnets via Twitter!

Your email address will not be published. Required fields are marked *



The leap of a Cycldek-related threat actor

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Subscribe to our weekly e-mails

The hottest research right in your inbox