APT 29 use Twitter to control its Hammertoss data stealer

Experts at FireEye discovered a new APT group dubbed APT 29 that is exploiting Twitter to mask the activities of their data-stealer malware.

Experts at FireEye uncovered a group of alleged Russian hackers, dubbed APT 29, that is exploiting Twitter to mask the activities of their data-stealer malware.

The hackers belonging to the APT 29 exploited Twitter in order to send commands to their malware, but according to the researchers from FireEye, the crew has improved its technique making hard the detection of its activities.

The experts at FireEye discovered that the APT 29 used a specific strain of malware dubbed Hammertoss, which has infected the systems of one of the company customers.

APT 29 has taken several steps to try to mask its communication with Hammertoss to avoid detection, according to a new report.

Hammertoss implements an algorithm that generates new Twitter handles every day, in this way the C&C server can communicate with Hammertoss by using specific Twitter accounts managed by the APT 29.


We have already discovered in the past threat actors using Twitter and other social media as Command and Control systems, the technique results very effective because many companies are unlikely to block outbound connections the social media platforms.

“Using a variety of techniques—from creating an algorithm that generates daily Twitter handles to embedding pictures with commands—the developers behind HAMMERTOSS have devised a particularly effective tool. APT29 tries to undermine the detection of the malware by adding layers of obfuscation and mimicking the behavior of legitimate users. HAMMERTOSS uses Twitter, GitHub, and cloud storage services to relay commands and extract data from compromised networks.” states the report from FireEye.

The hackers include the command for Hammertoss instances in a tweet containing a URL and a hashtag. The URL leads to an image on a different server that contains data hidden through a steganographic technique.


The hashtag is used to encode the file size of the image and a few characters that should be added to the decryption key stored within Hammertoss in order to allow the extraction of the hidden data.

“The HAMMERTOSS backdoor generates and looks for a different Twitter handle each day. It uses an algorithm to generate the daily handle, such as “234Bob234”, before attempting to visit the corresponding Twitter page. If the threat group has not registered that day’s handle, HAMMERTOSS will wait until the next day and look for a different handle” continues the report.

The experts noticed that APT 29 adopted several techniques to remain under the radar, for example Hammertoss is usually only active during the normal working day for infected organization, in this way the malicious traffic results quite difficult to detect.

The experts attributed Hammertoss to Russian hackers because it appears to be active during normal working hours in Moscow. The APT 29 did not work on Russian holidays.

Who are the targets of the APT 29 hacking campaigns?

Experts from FireEye speculate that APT 29 is primarily focused on compromising government organizations and collecting geopolitical information related to Russia, a circumstance that lead them to believe that it is a state-sponsored group.

“That’s why we believe they are in some way associated with the Russian government or working with Russia,” concludes the report.

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.


10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase