TechRadar
Luke Hughes

Hackers use emoji to dispatch malware — and even governments are being attacked, so be on your guard

Potentially dangerous malware that allows threat actors to communicate with command and control (C2) servers using emojis sent via Discord has been highlighted as a key element of recent cyberespionage attacks on Indian government entities.

The report from cybersecurity firm Volexity reveals the Disgomoji malware is currently used exclusively by a Pakistan-based threat actor that the firm is tracking as UTA0137.

Though Disgomoji is a modification of ‘discord-c2’, a previously known public project, it seems to be specifically targeting the Indian government, owing to its laser-focus on systems running the Linux distribution BOSS. 

Emoji and malware

Volexity believes that initial access to Indian government infrastructure was secured via phishing attacks. From there, UTA0137 could communicate with their target servers via emojis posted in dedicated command channels in a Discord server.

More broadly, Disgomoji can survive reboots, and copy files back and forth between connected USB devices and local system folders so that they can be leveraged by an attacker later.

The emojis used to execute commands on a server are straightforward. For instance, the ‘camera with flash’ emoji takes a screenshot, ‘Backhand Index Pointing Down’ downloads a file, ‘Fox’ zips all Firefox profiles on a target device, and so on.

UTA0137’s Disgomoji attack campaigns date back as far as mid-2023. Discord’s ability to bring down the offending servers is hampered by the way the malware manages tokens, allowing the attacker to simply update the client configuration to keep the operation going.

Given this, Disgomoji’s open source nature, and its features that seem tailor-made for espionage, it’s possible that further strains could be used in future attack campaigns aimed at governments.
