Osama’s death in Twitter

Continuing our investigation on the Osama’s death campaign, we were especially concerned about the potential distribution of malware on social networks, because of their speed of propagation. So we have been monitoring Twitter, getting some million tweets and a huge number of URLs too. No surprise here as during the last 24 hours the average was 4.000 tweets per second related to this topic. Here you can see how even Internet traffic was affected.

Analyzing these URLs, we found some interesting stuff.

The first one is a Facebook scam campaign posing as Osama’s death video:

We have found this link being distributed in several tweets, especially among Brazilian users.

The second is malware being distributed, again as Osamas death video. In this case the link is not so subtle, including a .rar file in the URL.

It is interesting how the Twitter user distributing it also tried to do that posing as Fast and the Furious movie. In this case the distribution is very low.

This malware is detected by our heuristic engine.

But the point is how malware reacts quickly to use major events for its distribution, registering domains and using social networks in the first hours. We will keep monitoring and analyzing them in order to protect our customers, but we urge you to be very careful to avoid these scams.


We have detected a new infection trend. In this case is a click-fraud-like campaign intended to redirect traffic to a site with publicity on it.

Below you can see an example showing how the campaign is being propagated. It is interesting to see how the trend topic changes in order to keep the campaign successful but below the radar. Also all the shortened URLs are different:

When you follow the URL, the destination page poses as a Youtube video. In this case instead of asking the victim to download a binary, when clicking the button a new malicious tweet will be created in the victims account, “replicating” itself.

Again, the purpose of the fraud is just to redirect traffic to a page with publicity, allowing the attackers to get some money thanks to a trending topic.

Osama’s death in Twitter

Your email address will not be published. Required fields are marked *



Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

What did DeathStalker hide between two ferns?

While tracking DeathStalker’s Powersing-based activities in May 2020, we detected a previously unknown implant that leveraged DNS over HTTPS as a C2 channel, as well as parts of its delivery chain. We named this new malware “PowerPepper”.

Subscribe to our weekly e-mails

The hottest research right in your inbox