In the wake of multiple cyber-attacks happening around the globe, with WannaCry and Fireball being the latest ones, cyber-security firms and researchers are tirelessly upping various methods to discover hacks to curb them or some such. Now, researchers at ESET Security have found a new kind of malware that uses platforms like Instagram to connect to its controllers. It is said to be linked to a Russian group, Turla, which is known to operate a larger cyber espionage network.
The malware was unearthed by ESET Security, a Slovak IT security company. Instagram is popular amongst people who love sharing videos and photos, along with numerous and innocuous comments and likes flooding the photo or video posts. The researchers say the encoded command was masquerading as a normal comment, having tucked itself in plain sight amongst other comments on a Britney Spears Instagram photo. The comment posted by an account named 'asmith2155', with no posts and followers and now deactivated, hid a Web address to be deciphered step-by-step by the actual malware involving a Firefox extension and a JavaScript-based backdoor, reports Popular Mechanics.
Photo Credit: ESET Security/ Britney Spears/ Instagram
However, the steps required to encode it are said to be immensely high-level and incremental in nature. The malware hidden under the Firefox extension would scan the post and turn each comment into a number, known as 'hash'. It will then look for the comments translating to the hash number 183. In this case, the number 183 would match with just one comment that was linked with the encoded command.
Having found the one, the malware will then start looking for particular characters containing hashtags and an invisible 'Zero Width Joiner', which is a code to combine two emoji parts into a single one 'combo-moji'. Post this, it would take the letters to use them to form a Bit.ly link, which will be used by the malware to connect to its controllers. This kind of a method enables the controllers to change the arcane destinations without making any contact with the malware itself. To do that, they just require to delete the original comment and create a new one having the same hash number but a new encoded URL link.
The researchers have further said, "Instead of giving the malware a specific key to a specific lock, programmers told the malware how to find places where keys would be hidden, leaving them free to change either lock or key on a whim." Furthermore, they have also emphasised how the vulnerability of open Internet can be used to an extent where cyber spies can conduct and mask their hacking business.
Incidents of this kind repeatedly iterate the importance of a better and sustainable Internet security paradigm so that our social media profiles elsewhere (like Facebook and Twitter) do not act as a conduit for cyber espionage.
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.