{
	"id": "2890acbf-ccd4-4988-bb02-294e3430ab0e",
	"created_at": "2026-04-06T00:12:28.674475Z",
	"updated_at": "2026-04-10T03:20:58.312267Z",
	"deleted_at": null,
	"sha1_hash": "2d2326c231a2afd9c2e82126fb833cbb716edd4e",
	"title": "Malicious Memes that Communicate with Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46562,
	"plain_text": "Malicious Memes that Communicate with Malware\r\nBy: Aliakbar Zahravi Dec 14, 2018 Read time: 3 min (753 words)\r\nPublished: 2018-12-14 · Archived: 2026-04-05 18:08:20 UTC\r\nSteganography, the technique of concealing a malicious payload inside an image to evade security solutions, has\r\nlong been used by cybercriminals to spread malware and perform other malicious operations. We recently\r\ndiscovered malicious actors using this technique on memes. The malware authors posted two tweets\r\nfeaturing malicious memes on October 25 and 26 via a Twitter account created in 2017. The memes contain an\r\nembedded command that is parsed by the malware after it is downloaded from the malicious Twitter account onto\r\nthe victim’s machine, so the account acts as a C\u0026C service for the already-placed malware. It should be noted that the\r\nmalware was not downloaded from Twitter and that we did not observe what specific mechanism was used to\r\ndeliver the malware to its victims. The malware connected to this malicious meme was proactively blocked\r\nby Trend Micro machine learning and behavioral detection technology at the time of discovery.\r\nThis new threat (detected as TROJAN.MSIL.BERBOMTHUM.AA) is notable because the malware’s commands\r\nare received via a legitimate service (which is also a popular social networking platform), it employs\r\nbenign-looking yet malicious memes, and it cannot be taken down unless the malicious Twitter account is\r\ndisabled. Twitter has already taken the account offline as of December 13, 2018.\r\nHidden inside the memes mentioned above is the “/print” command, which enables the malware to take\r\nscreenshots of the infected machine. 
The screenshots are sent to a C\u0026C server whose address is obtained through\r\na hard-coded URL on pastebin.com.\r\nAnalyzing the Malware\r\nWe found that once the malware has been executed on an infected machine, it is able to download the\r\nmalicious memes from the Twitter account to the victim’s machine. It then extracts the given command. In the\r\ncase of the “print” command hidden in the memes, the malware takes a screenshot of the infected machine. It then\r\nobtains the control server information from Pastebin. Afterwards, the malware sends the collected information\r\nor the command output to the attacker by uploading it to a specific URL address.\r\nFigure 1. A screen capture of the malware’s code showing the Pastebin URL\r\nDuring analysis, we saw that the Pastebin URL points to an internal or private IP address, which is possibly a\r\ntemporary placeholder used by the attackers.\r\nFigure 2. Private IP address that a Pastebin URL points to\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-use-malicious-memes-that-communicate-with-malware/\r\nPage 1 of 3\n\nThe malware then parses the content of the malicious Twitter account and begins looking for an image file using\nthe pattern “![](\\(.*?):thumb\\\")” on the account.\nFigure 3. A screen capture of the malicious Twitter account\nFigure 4. A screen capture of one of the malicious memes posted on the Twitter account\nAt the time of analysis, the two memes (DqVe1PxWoAIQ44B.jpg and DqfU9sZWoAAlnFh.jpg) contained the\ncommand “print”. 
The embedded commands instruct the malware to perform various operations on the infected\nmachine, such as capturing screenshots and collecting system information, as described below.\nOnce the malware downloads the image, it attempts to extract the command that starts with the ‘/’ character.\nFigure 5. A screen capture of a code snippet used to locate a command string\nThe following is the list of commands supported by this malware:\nCommand - Description\n/print - Screen capture\n/processos - Retrieve list of running processes\n/clip - Capture clipboard content\n/username - Retrieve username from infected machine\n/docs - Retrieve filenames from a predefined path (desktop, %AppData%, etc.)\nFigure 6. A screen capture of code featuring the commands supported by the malware\nFigure 7. A screen capture of code showing the details of the “/print” command\nTrend Micro Solutions\nUsers and businesses can consider adopting security solutions that can protect systems from various threats, such\nas malware that communicates with benign-looking images, through a cross-generational blend of threat defense\ntechniques. Trend Micro endpoint solutions such as the Smart Protection Suites products and Worry-Free\nBusiness Security solutions can protect users and businesses from threats by detecting malicious files and\nmessages as well as blocking all related malicious URLs. 
Trend Micro™ Deep Discovery™ products have an\r\nemail inspection layer that can protect enterprises by detecting malicious attachments and URLs.\r\nThese solutions are powered by Trend Micro™ XGen™ security, which provides high-fidelity machine learning\r\nthat secures the gateway and endpoint, and protects physical, virtual, and cloud workloads. With technologies that\r\nemploy web/URL filtering, behavioral analysis, and custom sandboxing, XGen security offers protection against\r\never-changing threats that bypass traditional controls and exploit known and unknown vulnerabilities.\r\nIndicators of Compromise\r\nRelated Hashes (SHA-256)\r\n003673cf045faf0141b0bd00eff13542a3a62125937ac27b80c9ffd27bb5c722\r\n3579d609cf4d0c8b469682eb7ff6c65ec634942fa56d47b666db7aa99a2ee3ef\r\n88b06e005ecfab28cfdbcab98381821d7cc82bb140894b7fdc5445a125ce1a8c\r\n8cdb574ba6fcaea32717c36b47fec0309fcd5c6d7b0f9a58fc546b74fc42cacd\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-use-malicious-memes-that-communicate-with-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-use-malicious-memes-that-communicate-with-malware/"
	],
	"report_names": [
		"cybercriminals-use-malicious-memes-that-communicate-with-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434348,
	"ts_updated_at": 1775791258,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2d2326c231a2afd9c2e82126fb833cbb716edd4e.pdf",
		"text": "https://archive.orkl.eu/2d2326c231a2afd9c2e82126fb833cbb716edd4e.txt",
		"img": "https://archive.orkl.eu/2d2326c231a2afd9c2e82126fb833cbb716edd4e.jpg"
	}
}