To add additional clarity on how this works:
1) Bad actor sets up Mastodon accounts with the IP of the site the trojan horse should use to get its data, assuming that because of open registration and nobody regularly reviewing new accounts that don't post objectionable content, they won't get kicked off.
2) Bad actor sets up their copy of the Vidar Stealer trojan to track those Mastodon accounts.
3) Bad actor tries to trick people into installing their trojan horse with the usual tricks (fake download sites, attachments in emails, etc.).
4) The trojan horse looks at those Mastodon accounts to get the IP address it should check to download its payload.
Mastodon itself is not a delivery vector for this trojan horse; the accounts simply exist to provide a trusted source for information for an already-infected computer. You do not have to worry about getting a virus from Mastodon!
Fun fact: a trojan from a few years back used comments on Britney Spears’ Instagram account for the same purpose.
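One way a defender could look for step 4 in web proxy logs, as an added example that is not part of the original post: flag a client that fetches a profile page on an open-posting site and then, within a short window, makes a request to a bare IP address. The log format, the `PROFILE_HOSTS` watchlist, the 30-second window, and all hosts and addresses below are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed proxy log lines: "ISO-timestamp client method host path"
SAMPLE_LOG = """\
2024-01-10T09:00:01 10.0.0.5 GET mastodon.example /@alice
2024-01-10T09:00:03 10.0.0.5 GET cdn.example /static/app.js
2024-01-10T09:14:20 10.0.0.9 GET mastodon.example /@placeholder_account
2024-01-10T09:14:22 10.0.0.9 GET 203.0.113.44 /
2024-01-10T09:14:25 10.0.0.9 GET 203.0.113.44 /update.zip
2024-01-10T11:30:00 10.0.0.7 GET 198.51.100.8 /status
"""

PROFILE_HOSTS = {"mastodon.example"}  # assumption: sites you treat as open-posting
WINDOW = timedelta(seconds=30)        # assumption: tune to your environment


def is_ip_literal(host):
    """True when the requested host is a raw IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def parse(line):
    ts, client, _method, host, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), client, host, path


def find_dead_drop_lookups(log_text, profile_hosts=PROFILE_HOSTS, window=WINDOW):
    """Pair each client's profile fetch with its next bare-IP request."""
    last_profile = {}  # client -> (time of profile fetch, profile URL)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path = parse(line)
        if host in profile_hosts:
            last_profile[client] = (ts, host + path)
        elif is_ip_literal(host) and client in last_profile:
            seen_at, profile = last_profile.pop(client)  # one alert per fetch
            if ts - seen_at <= window:
                alerts.append({"client": client, "profile": profile, "ip": host,
                               "delay_s": (ts - seen_at).total_seconds()})
    return alerts
```

Ordinary browsing rarely goes from a profile page straight to a raw IP, so the pairing is what carries the signal; a profile fetch or a bare-IP request alone (clients 10.0.0.5 and 10.0.0.7 in the sample) is not flagged.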
@noelle In the end, all open-posting places can be used for something like that, and moderation doesn't necessarily help.
Relevant data could be embedded steganographically into legit-looking posts and extracted by trojan clients. But of course not needing to do this reduces the implementation complexity for the trojan devs.