Welcome to the ShadowDragon podcast. This week, we are going to talk about malware because there's an interesting thing going on on the internet. On August the eighth, I spotted malicious behavior, in that case specifically related to the UK riots. And they used a very interesting modus operandi, because this modus operandi has also been spotted by others. Because they've noticed that, for example, the same modus operandi was used for the Paris Olympics but also for trending topics in general. So when you look at this phenomenon, which mostly happened on the platform X/Twitter, but also on Facebook and on Instagram, so in essence Meta, we've seen that people post pictures, or seemingly pictures, that could be clicked and that have that sensitive content warning. But once you click that, it basically points you to a URL, a shortened URL that starts with app dot link, and that by itself forwards you to another URL which basically clicks you and forwards you to pornographic or, let's say, nudity content. What makes this even more interesting is that all of these accounts that are doing this are sending out messages with the exact same wording and phrasing in short bursts. We have seen this on August the eighth, ninth, tenth, eleventh and twelfth, and we have seen people, a bunch of accounts, sending these bursts. They are hijacking a trending topic or hashtag with, let's say, a phrase that catches the reader's attention, and it has a picture on the link, and the picture looks like something you can click on. As soon as you click on it, you expose yourself to what I like to call malicious content. So when you look at that, for example, when you visit one of those URLs and you throw them into a malware analysis suite, in this case, for example, ANY.RUN or VirusTotal, you will see that it actually does some, let's say, it shows some malicious activity.
It tries to do something on a Windows machine based upon your browser, and looking at the behavioral graph, you can see that it's trying to attack your Chrome by making you click on certain things and opening certain URLs. Proceed with caution every time you see an account that has what, let's say, looks like a normal name, mostly an English name within the username, with a bunch of numbers attached to it. But one thing that really stands out is that all these user accounts seem to have an Asian-looking woman as a profile picture. And we have seen it in and around when Kursk was trending. So in the Ukraine and Russian War, Kursk, the region, is very trending now, and that got hijacked with the same content. And in this case, with Horizon® Monitor, we were able to see that there are multiple bursts on different dates at different times trying to take over certain hashtags and trying to lure people into clicking on this. Interestingly, BleepingComputer also talks about this, and multiple people are now tracking this. For example, the Twitter/X accounts "Slava Bonkus" and "Cyber TM" are using the same approach that I've been using to keep track of this. They talk, for example, not about the UK riots or the Paris Olympics or Kursk, but they talk about how they have seen this happen during the earthquake in Nankai, Japan. So again, the modus operandi is to hijack a trending hashtag on a platform, mostly on X but also on Facebook as well as on Instagram, then try to lure people into clicking on that picture. That picture then opens up a URL that forwards you to another URL, and it exposes you to a bunch of redirects which end up at a scam site, most likely a pornographically oriented one. So that being said, again, proceed with caution. Be sure to look out for those usernames that have, let's say, English names with a bunch of numbers in the username, that will talk about a trending topic with a handful of hashtags in the actual message.
And then they show you a picture that says "content warning, sensitive content". That's it for today. Do not forget to like, subscribe and share the ShadowDragon podcast, and feel free to reach out to me if you want to know anything. My username is Dutch_OSINTGuy. Thank you and on to the next one.