Hammertoss malware; Russians to take down Twitter, Cloud and Github

Hammertoss malware

The modern world is so advanced that day-by-day a new malware pops up. Technical advancement is the root cause of these happenings. Cyber criminals are so keen in putting their efforts to discover or create a new malware. First the threat actors conduct a deep study about the latest cyber prevention tools available in the market. They would analyse its characteristics and note how will they react if a malware was detected. After getting clear cut knowledge about the prevention criteria, the hackers will incorporate the withstanding capacity in the new malware such they doesn’t get easily detected or destroyed.

Hammertoss was first discovered by FireEye. They explained that this was the latest strain of malware which has the capability to hide itself inside the network traffic to avoid exposure. Malwares have technologically improved so well. In a way the creators of these malwares deserve an appreciation as they are creating malwares with variant characteristics and super powers.

Hammertoss mainly uses net traffic to function. They extract the personal data of the target by using the traffic from online sources like cloud, Twitter and Github. Using these traffic they could monitor your actions for a long period of time without being detected.

Hiding between the traffic is the backdoor feature of Hammertoss malware which is also known as ‘dubbed hammertoss’. These malwares doesn’t stay constant in one traffic. They keep on changing the traffic to hide in different network streams so that they cannot be easily detected.

Developing such complex malware is a difficult task. So, the security researchers suspects that some advanced cyber groups are behind the development of these malicious malware. They seem to doubt the Russian APT groups since they were launching APT campaigns across different countries. It takes a lot of time and effort to create such a threat using more sophisticated tools.

As the investigation progressed, the officials came to know that the Russian APT 29 group were behind this malware. These groups use social media platforms to create an extra layer of protection for these malwares. Even if malicious happenings are taking place in these networks, they are made to look normal adding some extra configurations to the malware.

Even though the Hammertoss had a backdoor feature, this isn’t the actual backdoor used by the APT groups. They use this malware as a backup to keep the main back door to perform its activities.

FireEye has a different opinion about this malware. They say that it uses social media platforms and cloud storage to use the commands and hijack personal information from the infected network.

Hammertoss is basically a shield or mask to protect the actual backdoor and also execute the command given by them. Hammertoss doesn’t have a constant characteristic since they get evolved after every infection and attain new attributes.

APT groups can communicate with the malware using images. Images released by these groups contain hidden encrypted data, which is the order given by the cyber groups. The malware decodes the command and functions according to the instructions.

As Hammertoss can hide in different traffics, if one network traffic is blocked, they use a different traffic of any social media platforms like Twitter and receive instructions from their developers through them.

Once the malware successfully infects a system, it leaks the personal data of the victim and uploads them to the cloud storage of the hacker. All these activities are performed undetected.

Some the security researchers tried to track these malwares to find their source of origin. While collecting the datas, they came to know that the action plan of Hammertoss matched with those of the Russian malwares. Also while inspecting the working time, they seem to match with the time zone in Moscow.


Once the Hammertoss deceives your system, it starts to infect your Twitter account. It filters the posts and messages of the target. After infiltrating the required information, it then jumps to the GitHub account of the target and then searches for an image. The image is then forwarded to its developer. The creator returns the image by embedding secret code in them about what to do next. Finally, the code is decrypted and the malware leaks the data secretly and uploads them into the hacker’s cloud storage.

How to prevent Hammertoss?

  • First, install a security product which can detect the variations in the network traffic and provide alert.
  • Monitor your data regularly. If you find any information leaking from your account, report them immediately.
  • Keep yourself updated about the current cyber-attack news and which malware is flooding the cyber world.

1 comment

  1. Your article made me suddenly realize that I am writing a thesis on gate.io. After reading your article, I have a different way of thinking, thank you. However, I still have some doubts, can you help me? Thanks.

Leave a comment

Your email address will not be published. Required fields are marked *