Twitter Botnet Update

[Update: Alex Matrosov has posted screenshots of the Twebot update at and]

Juraj Malcho, the Head of our Lab in Bratislava, reports that there have been further developments regarding the tool for creating Twitter-controlled bots described by Jorge Mieres and Sebastián Bortnik, Security Analysts at ESET Latin America, in an earlier blog at

As more information has come in, the detection name has been changed from MSIL/Agent.NBW to MSIL/Twebot.A, in an attempt to use a name that corresponds to one used by other vendors. Unfortunately, the industry has not standardized (no change there, then) on a single name (other names being used include Troj/Tbotcfg-A and Trojan.Twitbot.A), but at least this name should (slightly) reduce potential confusion among customers and others. 

It also reflects the fact that this threat now looks like a significant malware family in its own right: a major MSIL/Twebot.B variant has already crawled out from under its rock.

Research Fellow & Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled):
ESET Threatblog notifications on Twitter:;
ESET White Papers Page:

Securing Our eCity community initiative:

Also blogging at:

Author David Harley, ESET

Follow us

Copyright © 2016 ESET, All Rights Reserved.