A suspected Russian state-sponsored cyber group is using a sophisticated strain of malware that mimics normal internet use to evade detection, according to security firm FireEye.
The Hammertoss malware uses Twitter, GitHub and cloud-based storage systems to relay commands and extract data from compromised networks, the company said.
FireEye has named the group APT29, and said in a report that the hackers add "layers of obfuscation" and copy the behaviour of legitimate users while lifting data from image files to cloud servers.
The security firm suspects that the group is sponsored by the Russian government because of the organisations it targets and the type of data that is stolen.
"APT29 appeared to cease operations on Russian holidays, and their work hours seem to align with the UTC +3 time zone, which contains cities such as Moscow and St Petersburg," the report explained.
The malware works by searching for a different Twitter account every day in order to receive instructions from the group. If the handle is active, the Hammertoss malware searches the tweet for a URL and hashtag and follows the link.
At this stage the malware opens a seemingly legitimate image that contains encrypted instructions and decrypts them.
The commands include instructions on how to hack into the victim's network or files, and the information is then uploaded to a cloud-based storage system.
The FireEye report noted that the malware techniques are not new, but that the combination of different strains makes it difficult to identify the malicious activity on a network.
"Individually, each technique offers some degree of obfuscation for the threat group's activity. In combination, these techniques make it particularly hard to identify Hammertoss or spot malicious network traffic," the report said.
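As an added illustration (not taken from the FireEye report or this article), the following Python example correlates proxy-log entries per client to surface the sequence described above: a Twitter account lookup, an image fetch from GitHub, then an upload to cloud storage. The log format, client names, upload host and 10-minute window are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy-log lines: timestamp, client, method, URL.
SAMPLE_LOG = """\
2015-07-27T09:00:01 ws-014 GET https://twitter.com/examplehandle1a
2015-07-27T09:00:04 ws-014 GET https://github.com/exampleuser/repo/raw/master/photo.jpg
2015-07-27T09:03:40 ws-014 PUT https://storage.example-cloud.test/upload/a1
2015-07-27T09:10:00 ws-022 GET https://twitter.com/examplenews
2015-07-27T09:10:09 ws-022 GET https://github.com/exampleuser/repo/raw/master/logo.png
"""

UPLOAD_HOSTS = {"storage.example-cloud.test"}  # placeholder for monitored storage services
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")

def classify(method, url):
    """Map one request to a stage of the chain, or None if unrelated."""
    u = urlsplit(url)
    segments = [s for s in u.path.split("/") if s]
    if method == "GET" and u.hostname == "twitter.com" and len(segments) == 1:
        return "profile"  # request for a single account page
    if method == "GET" and u.hostname == "github.com" and u.path.lower().endswith(IMAGE_EXTS):
        return "image"
    if method in ("PUT", "POST") and u.hostname in UPLOAD_HOSTS:
        return "upload"
    return None

def find_chains(log_text, window=timedelta(minutes=10)):
    """Return (client, profile_url, image_url, upload_url) per completed chain."""
    open_chains, hits = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url = line.split()
        ts = datetime.fromisoformat(ts)
        chain = open_chains.get(client)
        if chain and ts - chain["start"] > window:  # stale: too slow to be one chain
            del open_chains[client]
            chain = None
        stage = classify(method, url)
        if stage == "profile":
            open_chains[client] = {"start": ts, "profile": url}
        elif stage == "image" and chain and "image" not in chain:
            chain["image"] = url
        elif stage == "upload" and chain and "image" in chain:
            hits.append((client, chain["profile"], chain["image"], url))
            del open_chains[client]
    return hits
```

Each stage on its own is ordinary traffic, so a hit from `find_chains` is a lead for triage rather than a verdict.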
Michael Mimoso, writing for Kaspersky Lab's security website Threatpost, said that the threat is reminiscent of the espionage gang behind the Miniduke backdoor discovered in 2013.
Miniduke targeted government organisations and also used Twitter as an entry point.
Russia has been attempting to increase its cyber capabilities and has been implicated in a number of high-profile attacks in recent years.
Earlier this year, Russian hackers breached the US Department of Defence by exploiting an unpatched flaw in an old "legacy" computer system.
In 2014, continuing the trend of cyber espionage targeted towards the US, Russian hackers breached White House defences and accessed information on President Obama's appointments and movements.