Britney Spears’ Instagram Used By Russian Hacker Group

The social media giants like Instagram, which is on its way to hitting a billion users this years, surely have a number of harmless comments posted each day. But, will be there some occasional moments when some clever hacker posts some comments that instructing a malware how to get in touch with its controllers or servers?! A latest report says a Big yes! The Slovakian security company ESET said on Tuesday that a Russian espionage hacker group called, Turla has created such cleverly hidden comment. The interesting thing is that it was on the popular American singer Britney spears.

Instagram comments on the American singer just got used to store the location of a C&C server (command & control server) of the ‘Turla’ hackers. The shocking operation was made by using a Mozilla firefox extension, in which a hidden backdoor in it. The team said it is one of the tool owned by the group, which is believed to be funded by the Russian government.

Off course, The singer might not be aware of that one of the comments on her photo were doing something weird that it could pave a path to establish a communication between the hackers and the malware they created.

What Just Happened?!

The infamous Hacker group ‘Turla’ created a backdoor pretending to be a firefox extension and made the users to trickly download it. The Turla group’s method of attack is through a malicious site that forcibly makes the users to downloads files and allowing to execute the malicious codes in it, which is known as ‘Drive-By download method’. This drive-by download method is commonly used by exploit kits, malvertising campaigns and espionage groups.

Firefox Extension source: ESET

Here in Britney’s case, their attack were through a compromised Swiss security site. but, instead of drive-by download, this time the visitors of the compromised site were asked to install a firefox extension. The extension is called HTML5 Encoding. It was a javascript based backdoor which tracks user activities to its operators. As a part of tracking the user data, the malware should be connected with  command and control server( C&C Server), which is used to provide commands to the victim computer. So it must be linked with the URL of that server. What they did was something intelligent.

Read More: Warning! You Are Being Watched Without Your Knowledge

An account from the attacking group posted a random( spam look alike) comment on Britney’s Instagram post. There was a trackable hash that contained a string of characters hidden in that comment .

The comment is given below.

“#2hot make loved to her, uupss #Hot #X,” user asmith2155 wrote.

The comment, now deleted (account also deleted), was actually a web address that required a fairly complicated, multi-step process to decipher. When decrypts, it will become  ‘2kdhuHX’. The URL of the C&C server was resolved through a short URL. So the string combined with link and made itself a URL link that would in turn connect with its command-and-control (C&C) server. Strange but unbelievable right?!


In this case, the malware went through all of the comments on Spears’ Instagram photo and computed a number, or a “hash,” for each one, while it looked for a specific hash. When it found the comment with the right hash, it would check it out for particular characters, grab the letters that came after those characters and turn them it into a link. That link would then let the malware connect to its controllers.

Through the ESET team’s Explanation,

“Looking at the photo’s comments, there was only one for which the hash matches 183. This comment was posted on February 6, while the original photo was posted in early January. Taking the comment and running it through the regex, you get the following URL:

Looking a bit more closely at the regular expression, we see it is looking for either @|# or the Unicode character \200d. This character is actually a non-printable character called ‘Zero Width Joiner’, normally used to separate emojis. Pasting the actual comment or looking at its source, you can see that this character precedes each character that makes the path of the URL:

smith2155< 200d >#2hot ma< 200d >ke lovei< 200d >d to < 200d >her, < 200d >uupss < 200d >#Hot < 200d >#X

When resolving this shortened link, it leads to , which was used in the past as a watering hole C&C by the Turla crew.”

Why This Method?

Hiding this sensitive information out in the open isn’t just a funny trick, but would have several uses. Since this information isn’t included into the malware itself, researchers have to go and find out the information themselves in the wild, assuming it is still comments there to be found. But more importantly, it means the malware’s controllers can change the secret destination without touching the malware itself. All they would have to do is delete the original comment and create a new one with the same hash and a new encoded URL. Instead of giving the malware a specific key to a specific lock, hackers told the malware how to find places where keys would be hidden, leaving them free to change either lock or key.


Its on a post of a popular celebrity, right. but, the main part is it demonstrates us the extend to which the cyber space could be spied. If the attackers could this through the instagram, what types of methods/spies might be happening in facebook, twitter etc?!

Leave a Reply

Your email address will not be published. Required fields are marked *