Twitter malware ‘pidoras6’

It seems that the Twitter account ‘Pidoras6’ is being used in a malware campaign. The account name appears in multiple executable files that have been marked as malicious on VirusTotal.

Twitter malware gets info from Twitter
The Twitter malware is seen to perform an HTTP GET request to Twitter.

Remarkable connections by pidoras6

The connections made by the malware go to Twitter and to VirusTotal itself:


The Twitter account ‘Pidoras6’ was registered in June 2014, and since then it has published a massive score of ‘4’ tweets.

Virustotal on pidoras6

Once you take a look at the collection of files, you will notice that a large number of samples named ‘1.exe’ are being uploaded to VirusTotal. These files have the Twitter account in common.

Malware samples which connect to Twitter
Various samples which connect to Twitter

SHA-256 checksums

The following checksums were found on VirusTotal:


Twitter malware

Malware authors do use Twitter as a C&C or communication channel: they publish commands or actions via (private) tweets, and the malware visits the Twitter page to retrieve those commands or actions.

Twitter does not host any malicious content, nor do the found tweets result in a malware infection.

Translate the tweet

Base64 tweet

Decoded from base64, the tweet points to a site that no longer resolves; it used to be an underground board where website exploits were offered.
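The two observations above, a non-browser process beaconing to Twitter and VirusTotal, and a tweet body that is really base64, are the kind of thing a defender can check for. Below is an added example (not code from the original post): the log lines, the browser allow-list and the log format are constructed assumptions for illustration.

```python
import base64
import binascii
import re

# Constructed endpoint connection records: "<process> <destination host> <port>".
# Made-up lines for this example, not data from the original post.
SAMPLE_CONNECTIONS = """\
chrome.exe twitter.com 443
1.exe twitter.com 443
1.exe www.virustotal.com 443
explorer.exe update.microsoft.com 443
svchost.exe twitter.com 443
"""

# Hosts the post associates with the campaign's traffic; the browser allow-list is an assumption.
WATCHED_HOSTS = {"twitter.com", "www.virustotal.com"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}


def flag_non_browser_beacons(log_text):
    """Return (process, host) pairs where a non-browser process contacts a watched host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records instead of crashing on them
        process, host, _port = parts
        if host in WATCHED_HOSTS and process.lower() not in BROWSERS:
            hits.append((process, host))
    return hits


_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_tweet_if_base64(text):
    """Decode a tweet body if it is valid base64 UTF-8 text; return None otherwise."""
    text = text.strip()
    if len(text) % 4 != 0 or not _B64_RE.match(text):
        return None
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # short words like "test" are valid base64 but decode to junk


if __name__ == "__main__":
    for proc, host in flag_non_browser_beacons(SAMPLE_CONNECTIONS):
        print(f"suspicious: {proc} -> {host}")
    # Constructed tweet body: base64 of "http://example.invalid"
    print(decode_tweet_if_base64("aHR0cDovL2V4YW1wbGUuaW52YWxpZA=="))
```

Ordinary English tweets fail the length or alphabet check, and short all-alphanumeric words fall through to the UTF-8 check, so only plausible encoded payloads are surfaced.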

Since 2017

Malwarebytes first reported on this malware in 2017.
