Keypoints
- Attackers leveraged Twitter's rebranding to X as a social engineering lure and renamed compromised accounts to variations like "twitter-x" and "twitter fund."
- Initial access often came from spearphishing emails with attachments containing password-stealing malware.
- Executed password stealers harvested influencers' session cookies (unique access tokens) and uploaded them to attacker-controlled systems.
- Stolen cookies were used as valid credentials to take over accounts, rename channels, and start livestreams impersonating Elon Musk to increase credibility.
- Compromised accounts posted links to scam websites (notably twitter-x[.]org) and videos demonstrating how to download and run malware disguised as apps/games.
- Scam sites included cryptocurrency payment addresses (ETH, BTC, USDT, DOGE) to collect funds from victims.
- McAfee detected and blocked many of these malicious URLs via WebAdvisor and produced heatmaps highlighting scam URL and password-stealer activity.
MITRE Techniques
- [T1566.001] Spearphishing Attachment - Attackers delivered password-stealing malware as email attachments to influencers. ("password-stealing malware as email attachments")
- [T1539] Steal Web Session Cookie - The malware extracted influencers' session cookies (access tokens) and exfiltrated them to attacker systems. ("the influencer's session cookies (unique access tokens) are stolen and uploaded to attacker-controlled systems")
- [T1078] Valid Accounts - Stolen session cookies were used to access and operate compromised social accounts (rename channels, livestream, post links). ("After the influencer's account has been compromised, the scammer starts to rename channels... then the scammers start to live stream")
- [T1204] User Execution - Victims were induced to download and execute files from compromised accounts/videos that instruct how to install malware disguised as legitimate software or games. ("These videos demonstrate how to download and execute files, which are common password-stealing malware")
Indicators of Compromise
- [Domain] Scam landing pages used for phishing/fake giveaways - twitter-x[.]org
- [Crypto wallets] Payment addresses used by scam pages - 0xB1706fc3671115432eC9a997F802aC79CD7f378a, 1KtgaAjBETdcXiAdGsXJMePT4AEGWqtsug, and 2 more wallets
Attack flow: attackers first phish high-profile targets (influencers) with spearphishing emails carrying password-stealer attachments. When executed, the malware harvests browser session cookies and other credentials, then uploads them to attacker-controlled infrastructure.
Account takeover and dissemination: stolen session cookies are used as valid account credentials to log into victims' social accounts, rename channels (e.g., to impersonate corporate/CEO identities), and initiate livestreams that post chat links to scam pages. Compromised accounts also publish videos and screenshots instructing viewers how to download and run files that are actually password-stealing malware, increasing spread via trusted channels.
Triage and remediation notes: defenders should block identified scam domains (e.g., twitter-x[.]org), monitor for unauthorized account name changes and unusual livestream activity on high-subscriber channels, hunt for cookie exfiltration artifacts and suspicious outgoing connections from endpoints, and treat any downloaded executables from these campaigns as malicious. Maintain detection for spearphishing attachments and educate high-value users to avoid executing unsolicited attachments.
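The triage notes above amount to two detections: match the published IoCs against whatever text telemetry you have (proxy/DNS logs, captured livestream chat), and alert on the rename-then-livestream sequence on high-subscriber channels. The following is an added example, not McAfee's code or tooling from the original report. The domain and wallet values are the ones listed in the Indicators of Compromise section, kept defanged as published; the log lines, audit events, channel names, subscriber counts, the 100,000-subscriber threshold and the 60-minute correlation window are constructed assumptions for the demo.

```python
"""Added example (not McAfee's code): match the page's IoCs against constructed
log data and flag the channel-rename -> livestream takeover pattern."""
import re
from datetime import datetime, timedelta

# IoCs from the page, kept defanged as published so they cannot be clicked.
SCAM_DOMAINS = ["twitter-x[.]org"]
WALLET_ADDRESSES = [
    "0xB1706fc3671115432eC9a997F802aC79CD7f378a",  # ETH address from the page
    "1KtgaAjBETdcXiAdGsXJMePT4AEGWqtsug",          # BTC address from the page
]
# Channel-name variants the page reports ("twitter-x", "twitter fund").
IMPERSONATION_NAME = re.compile(r"twitter[\s._-]*(x|fund)\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (twitter-x[.]org) back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def scan_lines(lines):
    """Return (line_number, indicator) pairs for lines carrying a known IoC.

    Works on any text source: proxy logs, DNS logs, captured livestream chat.
    Domain matches are bounded so twitter-x.org does not hit twitter-x.org.example.
    """
    domain_res = [
        (d, re.compile(r"(?<![\w.-])" + re.escape(refang(d)) + r"(?![\w-])(?!\.\w)", re.IGNORECASE))
        for d in SCAM_DOMAINS
    ]
    hits = []
    for n, line in enumerate(lines, 1):
        for d, rx in domain_res:
            if rx.search(line):
                hits.append((n, d))
        for w in WALLET_ADDRESSES:
            if w in line:  # wallet strings are long and case-sensitive; exact match is enough
                hits.append((n, w))
    return hits


def flag_account_events(events, min_subscribers=100_000, window=timedelta(minutes=60)):
    """Flag takeover signals from platform audit events (assumed schema, see below).

    events: dicts with ts (ISO 8601, naive), channel, type ('rename' | 'livestream_start'),
            subscribers, and new_name for renames.
    Two signals: a rename to an impersonation name (high confidence), and a
    high-subscriber channel going live shortly after any rename (the sequence
    the report describes, lower confidence on its own).
    """
    alerts = []
    last_rename = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        ch = ev["channel"]
        if ev["type"] == "rename":
            last_rename[ch] = ts
            if IMPERSONATION_NAME.search(ev["new_name"]):
                alerts.append((ch, "impersonation_rename"))
        elif ev["type"] == "livestream_start":
            if (ev["subscribers"] >= min_subscribers
                    and ch in last_rename
                    and ts - last_rename[ch] <= window):
                alerts.append((ch, "rename_then_livestream"))
    return alerts


# Constructed sample telemetry (not real traffic): proxy lines plus one chat line.
SAMPLE_LINES = [
    "2023-08-01T12:00:01 10.0.0.5 GET https://twitter-x.org/giveaway 200",
    "2023-08-01T12:00:03 10.0.0.6 GET https://example.com/news 200",
    "[chat] send 0.1 ETH to 0xB1706fc3671115432eC9a997F802aC79CD7f378a and get 0.2 back",
    "2023-08-01T12:00:09 10.0.0.7 GET https://twitter-x.org.example/ok 200",  # must not match
]

# Constructed audit events (assumed schema, not a real platform's API).
SAMPLE_EVENTS = [
    {"ts": "2023-08-01T11:50:00", "channel": "UC-tech", "type": "rename", "new_name": "Twitter Fund Live", "subscribers": 850_000},
    {"ts": "2023-08-01T12:05:00", "channel": "UC-tech", "type": "livestream_start", "subscribers": 850_000},
    {"ts": "2023-08-01T09:00:00", "channel": "UC-small", "type": "rename", "new_name": "Cooking Corner", "subscribers": 1_200},
    {"ts": "2023-08-01T09:10:00", "channel": "UC-small", "type": "livestream_start", "subscribers": 1_200},
    {"ts": "2023-08-01T10:00:00", "channel": "UC-big", "type": "rename", "new_name": "Daily Vlogs", "subscribers": 2_000_000},
    {"ts": "2023-08-01T10:20:00", "channel": "UC-big", "type": "livestream_start", "subscribers": 2_000_000},
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LINES):
        print("IoC hit:", hit)
    for alert in flag_account_events(SAMPLE_EVENTS):
        print("Account alert:", alert)
```

The small channel's rename-and-stream is ignored by the subscriber threshold, and the large vlog channel is still flagged despite a benign new name: that second signal is meant as a lower-severity lead for an analyst, while the name-pattern match is the high-confidence one. Tune `min_subscribers` and `window` to your platform's audit data rather than the constructed values here.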