That awkward moment when cybercriminals use memes to hide malicious code

Researchers from Trend Micro have reported the discovery of two Twitter posts containing malicious memes that feature hidden code that acts like a command-and-control service for downloaded malware.

In a blog post published late last week, the researchers said the tweets were posted on Oct. 25 and 26, respectively, using a Twitter account created back in 2017. Abusing the meme this way is essentially a unique form of steganography, a technique used by malware developers to conceal malicious code inside images in order for it to go undetected.

In this case, the memes hid a "/print" command, which tells the malware to take screenshots of the infected machine and then exfiltrate images to an attacker-controlled server whose address is available via a hard-coded URL on

Trend Micro identifies the corresponding malware as TROJAN.MSIL.BERBOMTHUM.AA. Researcher and blog post author Aliakbar Zahravi said the threat is "notable because the malware’s commands are received via a legitimate service (which is also a popular social networking platform), employs the use of benign-looking yet malicious memes, and it cannot be taken down unless the malicious Twitter account is disabled."

This malware supports other commands besides "/print," including commands for capturing clipboard content and for collecting host machine information, including usernames, running processes and file names. It is not clear, however, through what method or vector the malware infects its victims.
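A defender-side check for the kind of concealment described above, as an added example that is not from Trend Micro's report or this article: it walks a JPEG's segments and reports slash-prefixed command tokens such as "/print" in regions a viewer never renders. Where the command sits in the file and the token pattern are assumptions, since the article does not describe the embedding method, and pixel-level steganography would not be caught this way.

```python
import re
import struct

# Assumption: commands look like the "/print" the article names, i.e. a slash
# followed by lowercase letters, standing alone as a token.
COMMAND_RE = re.compile(rb"(?<![\w/])/[a-z]{3,16}(?![\w/.])")
# Inside a scan, FF00 is a stuffed byte and FFD0-FFD7 are restart markers.
IN_SCAN = {0x00, *range(0xD0, 0xD8)}

def jpeg_hidden_regions(data: bytes) -> dict:
    """Collect bytes a viewer never renders: COM segments and data after EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    comments, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker == 0xFE:  # COM: free-form comment segment
            comments.append(data[pos + 4:pos + 2 + length])
        pos += 2 + length
        if marker == 0xDA:  # SOS: skip entropy-coded data to the next marker
            while pos + 1 < len(data) and not (
                    data[pos] == 0xFF and data[pos + 1] not in IN_SCAN):
                pos += 1
            if data[pos:pos + 2] == b"\xff\xd9":  # EOI: the picture ends here
                return {"comments": comments, "trailing": data[pos + 2:]}
    return {"comments": comments, "trailing": b""}

def scan_image(data: bytes) -> list:
    """Return (region, token) pairs for command-like strings in hidden regions."""
    regions = jpeg_hidden_regions(data)
    blobs = [("comment", c) for c in regions["comments"]]
    blobs.append(("trailing", regions["trailing"]))
    return [(name, m.group().decode())
            for name, blob in blobs for m in COMMAND_RE.finditer(blob)]

def segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: a structurally valid JPEG skeleton, not a real picture.
CLEAN = (b"\xff\xd8" + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
         + segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
         + b"\x12\xff\x00\x34\xff\xd3\x56" + b"\xff\xd9")
TAGGED = CLEAN + b"/print"  # constructed: command appended after EOI

if __name__ == "__main__":
    print("clean :", scan_image(CLEAN))
    print("tagged:", scan_image(TAGGED))
```

The walker handles the common segment layout only; markers without a length field outside the scan cause it to raise rather than guess.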

Twitter removed the offending account on Dec. 13, Trend Micro added. A screenshot provided by the cybersecurity company shows that one of the memes featured an image of Laurence Fishburne in The Matrix, with words that read: "WHAT IF I TOLD YOU THE RESOURCES ARE NOT REAL". The user's display name in the screenshot was "bomber".

Twitter's shares fell seven percent yesterday following the Trend Micro report, as well as a public disclosure from the social media giant that it was investigating unusual online support forum traffic that could have been the work of state-sponsored hackers.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
