{ "id": "7ff93a6f-f44b-4be9-b3fe-bc8f2b25c171", "created_at": "2026-04-06T00:08:08.06376Z", "updated_at": "2026-04-10T03:33:36.071172Z", "deleted_at": null, "sha1_hash": "8f277440afba4d8a50402076cfbfa30031fbd2f5", "title": "Russian malware link hid in a comment on Britney Spears' Instagram", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 584565, "plain_text": "Russian malware link hid in a comment on Britney Spears'\r\nInstagram\r\nBy Mallory Locklear\r\nPublished: 2017-06-07 ยท Archived: 2026-04-02 11:18:53 UTC\r\nInstagram is on its way to hitting a billion users this year and with that kind of popularity comes a lot of traffic.\r\nBut lurking among all of many, many harmless comments that get posted each day, there's also the occasional post\r\ninstructing Russian malware how to get in touch with its controllers. Because of course there is.\r\nThe Slovak IT security company ESET Security released a report yesterday detailing a cleverly hidden example of\r\nsuch a post. And its hideout? A Britney Spears photo. Among the nearly 7,000 comments written on the\r\nperformer's post (shown below) was one that could easily pass as spam.\r\nThe malware was situated in a Firefox browser extension pretending to be a security feature and it would search\r\nfor hidden links in order to connect back to its control server. And the comment, now deleted, was actually a web\r\naddress that required a fairly complicated, multi-step process to decipher.\r\nIn this case, the malware went through all of the comments on Spears' Instagram photo and computed a number,\r\nor a \"hash,\" for each one, while it looked for a specific hash. When it found the comment with the right hash, it\r\nwould check it out for particular characters, grab the letters that came after those characters and turn them it into a\r\nhttps://www.engadget.com/2017/06/07/russian-malware-hidden-britney-spears-instagram/\r\nPage 1 of 2\n\nlink. That link would then let the malware connect to its controllers. Such a method allows the controllers to\r\nchange where it meets up with the malware without having to change the malware itself.\r\nESET Security said they thought this particular post was just a test and linked the malware scheme to a group\r\ncalled Turla, a cyber espionage group that the company says has targeted governments, government officials and\r\ndiplomats for some time.\r\nSo, while that weird comment on your latest selfie might look like junk, it could actually be a conduit for some\r\nRussian malware and the subject of some upcoming breaking news. Happy posting.\r\nSource: https://www.engadget.com/2017/06/07/russian-malware-hidden-britney-spears-instagram/\r\nhttps://www.engadget.com/2017/06/07/russian-malware-hidden-britney-spears-instagram/\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia", "ETDA" ], "references": [ "https://www.engadget.com/2017/06/07/russian-malware-hidden-britney-spears-instagram/" ], "report_names": [ "russian-malware-hidden-britney-spears-instagram" ], "threat_actors": [ { "id": "8aaa5515-92dd-448d-bb20-3a253f4f8854", "created_at": "2024-06-19T02:03:08.147099Z", "updated_at": "2026-04-10T02:00:03.685355Z", "deleted_at": null, "main_name": "IRON HUNTER", "aliases": [ "ATK13 ", "Belugasturgeon ", "Blue Python ", "CTG-8875 ", "ITG12 ", "KRYPTON ", "MAKERSMARK ", "Pensive Ursa ", "Secret Blizzard ", "Turla", "UAC-0003 ", "UAC-0024 ", "UNC4210 ", "Venomous Bear ", "Waterbug " ], "source_name": "Secureworks:IRON HUNTER", "tools": [ "Carbon-DLL", "ComRAT", "LightNeuron", "Mosquito", "PyFlash", "Skipper", "Snake", "Tavdig" ], "source_id": "Secureworks", "reports": null }, { "id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac", "created_at": "2022-10-25T16:07:24.349252Z", "updated_at": "2026-04-10T02:00:04.949821Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "ATK 13", "Belugasturgeon", "Blue Python", "CTG-8875", "G0010", "Group 88", "ITG12", "Iron Hunter", "Krypton", "Makersmark", "Operation Epic Turla", "Operation Moonlight Maze", "Operation Penguin Turla", "Operation Satellite Turla", "Operation Skipper Turla", "Operation Turla Mosquito", "Operation WITCHCOVEN", "Pacifier APT", "Pensive Ursa", "Popeye", "SIG15", "SIG2", "SIG23", "Secret Blizzard", "TAG-0530", "Turla", "UNC4210", "Venomous Bear", "Waterbug" ], "source_name": "ETDA:Turla", "tools": [ "ASPXSpy", "ASPXTool", "ATI-Agent", "AdobeARM", "Agent.BTZ", "Agent.DNE", "ApolloShadow", "BigBoss", "COMpfun", "Chinch", "Cloud Duke", "CloudDuke", "CloudLook", "Cobra Carbon System", "ComRAT", "DoublePulsar", "EmPyre", "EmpireProject", "Epic Turla", "EternalBlue", "EternalRomance", "GoldenSky", "Group Policy Results Tool", "HTML5 Encoding", "HyperStack", "IcedCoffee", "IronNetInjector", "KSL0T", "Kapushka", "Kazuar", "KopiLuwak", "Kotel", "LOLBAS", "LOLBins", "LightNeuron", "Living off the Land", "Maintools.js", "Metasploit", "Meterpreter", "MiamiBeach", "Mimikatz", "MiniDionis", "Minit", "NBTscan", "NETTRANS", "NETVulture", "Neptun", "NetFlash", "NewPass", "Outlook Backdoor", "Penquin Turla", "Pfinet", "PowerShell Empire", "PowerShellRunner", "PowerShellRunner-based RPC backdoor", "PowerStallion", "PsExec", "PyFlash", "QUIETCANARY", "Reductor RAT", "RocketMan", "SMBTouch", "SScan", "Satellite Turla", "SilentMoon", "Sun rootkit", "TTNG", "TadjMakhal", "Tavdig", "TinyTurla", "TinyTurla Next Generation", "TinyTurla-NG", "Topinambour", "Tunnus", "Turla", "Turla SilentMoon", "TurlaChopper", "Uroburos", "Urouros", "WCE", "WITCHCOVEN", "WhiteAtlas", "WhiteBear", "Windows Credential Editor", "Windows Credentials Editor", "Wipbot", "WorldCupSec", "XTRANS", "certutil", "certutil.exe", "gpresult", "nbtscan", "nbtstat", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "a97fee0d-af4b-4661-ae17-858925438fc4", "created_at": "2023-01-06T13:46:38.396415Z", "updated_at": "2026-04-10T02:00:02.957137Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "TAG_0530", "Pacifier APT", "Blue Python", "UNC4210", "UAC-0003", "VENOMOUS Bear", "Waterbug", "Pfinet", "KRYPTON", "Popeye", "SIG23", "ATK13", "ITG12", "Group 88", "Uroburos", "Hippo Team", "IRON HUNTER", "MAKERSMARK", "Secret Blizzard", "UAC-0144", "UAC-0024", "G0010" ], "source_name": "MISPGALAXY:Turla", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3", "created_at": "2022-10-25T15:50:23.509601Z", "updated_at": "2026-04-10T02:00:05.277674Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "Turla", "IRON HUNTER", "Group 88", "Waterbug", "WhiteBear", "Krypton", "Venomous Bear", "Secret Blizzard", "BELUGASTURGEON" ], "source_name": "MITRE:Turla", "tools": [ "PsExec", "nbtstat", "ComRAT", "netstat", "certutil", "KOPILUWAK", "IronNetInjector", "LunarWeb", "Arp", "Uroburos", "PowerStallion", "Kazuar", "Systeminfo", "LightNeuron", "Mimikatz", "Tasklist", "LunarMail", "HyperStack", "NBTscan", "TinyTurla", "Penquin", "LunarLoader" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434088, "ts_updated_at": 1775792016, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/8f277440afba4d8a50402076cfbfa30031fbd2f5.pdf", "text": "https://archive.orkl.eu/8f277440afba4d8a50402076cfbfa30031fbd2f5.txt", "img": "https://archive.orkl.eu/8f277440afba4d8a50402076cfbfa30031fbd2f5.jpg" } }