A Russian cyber espionage operation camouflages its nefarious activity by employing a combination of legitimate services such as Twitter, Github, and cloud storage. The group dubbed APT29 uses Twitter for command and control and uses images embedded with encrypted command information. Hammertoss malware looks for a different Twitter handle each day — automatically prompted by a list generated by the tool — to get its instructions. Attackers also recruit legitimate web servers that they infect as part of the command/control infrastructure. “It’s a very difficult malware tool to detect,” says FireEye’s threat intelligence analyst.”]