Russian-backed hackers used Twitter posts combined with data hidden in photos to control US government and defence industry computers.
In a report released today, cyber-security firm FireEye describe how the previously infected machines were found to have been given an algorithm for checking a different Twitter account every day.
Human agents were then able to use these accounts to tweet a message containing a link to a website featuring photos that had instructions hidden in the data used to display them on the website.
FireEye discovered the technique during an investigation at an unnamed victim organization and it has briefed law enforcement on what it found, but the firm says it shows how government-backed hackers can shift tactics on the fly after they are discovered.
"It's striking how many layers of obfuscation that the group adopts," said FireEye Strategic Analysis Manager Jennifer Weedon. "These groups are innovating and becoming more creative."
Along with the web address, the information tweeted by human agents included a number that signified the size of image the computer should search for on the website and a handful of letters that were part of a key for decoding the instructions hidden within the photo's metadata.
The technique of hiding data in photos is known as steganography, and Vikram Thakur, a senior manager at Symantec, said his team had also found it combined with Twitter controls.
FireEye has identified the campaign as the work of a group it has been internally calling APT29, for advanced persistent threat, but other security firms use different names for the same or allied groups.
Symantec recently reported another data-stealing tool used in tandem with steganography, which it calls Seaduke and Thakur said both tools were employed by the group it knows as the Duke family.
Thakur said another tool in that kit is CozyDuke, which Russian firm Kaspersky Lab says is associated with recent breaches at the State Department and the White House.
In April, FireEye said another Russian-government supported group, APT28, had used a previously unknown flaws in Adobe Systems' Flash software to infect high-value targets.