DEV Community

Aashi Agarwal


DISGOMOJI: The Unique Approach to Linux Malware Using Emojis in Cyber Espionage Attacks

Cyber attacks rarely attract public attention for their creativity. Most known malware campaigns rely on standard techniques: phishing, persistence scripts, credential theft and remote command execution. DISGOMOJI became notorious because its operators chose an unusually creative command-and-control (C2) technique: emojis posted in Discord channels were used to control infected Linux systems in a cyber-espionage campaign targeting India.
The novelty takes nothing away from the danger of this malware. Researchers attributed the activity to a group tracked as UTA0137, and Volexity assesses that it is likely a Pakistan-based threat actor targeting India's government organizations.

Features that distinguish DISGOMOJI

Technically, DISGOMOJI is a Linux malware family that functions as a remote access trojan, or backdoor. It can execute commands, capture screenshots, search for and steal files, deliver additional payloads and support follow-on activity on the infected host. None of these capabilities is novel in itself; what sets DISGOMOJI apart is its command channel.
Instead of a custom command server, the operators used the Discord service to control the implant. According to Volexity, DISGOMOJI connects to an attacker-controlled Discord server and listens for messages in a designated command channel, where emojis encode the actions to perform. While a command is being processed, DISGOMOJI reacts to the message with a clock emoji; when the action completes, it replaces the clock with a check-mark emoji.
Each emoji maps to a function in the exchange between the implant and the Discord channel: the camera emoji triggers a screenshot; the running-man emoji executes a command on the host; the fox emoji compresses the Firefox profiles; the fire emoji searches for files with particular extensions; and the pointing-finger emojis upload, download and exfiltrate files in various ways. The emoji set is therefore not decoration but a compact command vocabulary hidden inside an application that users would not expect to carry malicious traffic.
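The protocol above, viewed from the defender's side, as an added example that is not code from the original post, from Volexity or from the malware itself. It reconstructs emoji command/acknowledgement sequences from a stream of simplified Discord-like events (the event and field names are this example's own, not Discord's schema; the emoji code points are assumptions, since the reports name the emoji rather than its code point; the sample stream is constructed). The point it makes is that an emoji alone is weak evidence, while a command emoji followed by a clock-then-tick reaction from the same account is the actual signature of the channel:

```python
"""Reconstruct DISGOMOJI-style emoji command/ack sequences from Discord events."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Command vocabulary as described in public reporting on DISGOMOJI. The code
# points are this example's assumption; confirm them against a real sample.
RUN = "\U0001F3C3\u200d\u2642\ufe0f"   # man running: run a shell command (args follow)
CAMERA = "\U0001F4F8"                   # camera with flash: screenshot
FOX = "\U0001F98A"                      # fox: zip the Firefox profiles
FIRE = "\U0001F525"                     # fire: find files by extension list
POINT_DOWN, POINT_RIGHT, POINT_LEFT, POINT_UP = "\U0001F447", "\U0001F449", "\U0001F448", "\U0001F446"
CLOCK = "\u23F0"                        # reaction while the implant is working
TICK = "\u2705"                         # replaces the clock when done

COMMAND_EMOJI = {
    RUN: "run_command",
    CAMERA: "screenshot",
    FOX: "zip_firefox_profiles",
    FIRE: "find_files_by_extension",
    POINT_DOWN: "file_transfer",   # the pointing fingers select how a file
    POINT_RIGHT: "file_transfer",  # is uploaded, exfiltrated or fetched
    POINT_LEFT: "file_transfer",
    POINT_UP: "file_transfer",
}


@dataclass
class Event:
    """Simplified stand-in for a Discord gateway event (field names are ours)."""
    kind: str          # MESSAGE_CREATE, REACTION_ADD or REACTION_REMOVE
    ts: float          # seconds
    channel_id: str
    message_id: str
    user_id: str       # message author, or the user who reacted
    content: str = ""  # MESSAGE_CREATE only
    emoji: str = ""    # REACTION_* only


@dataclass
class CommandRecord:
    channel_id: str
    message_id: str
    operator_id: str   # who posted the emoji command
    implant_id: str    # who answered with clock then tick
    handler: str
    args: str
    seconds: float     # clock -> tick latency


def parse_command(content: str) -> Optional[tuple[str, str]]:
    """Return (handler, args) if the message starts with a command emoji."""
    text = content.strip()
    # Longest emoji first so the ZWJ sequence wins over any shorter prefix.
    for emoji in sorted(COMMAND_EMOJI, key=len, reverse=True):
        if text.startswith(emoji):
            return COMMAND_EMOJI[emoji], text[len(emoji):].strip()
    return None


def reconstruct(events: list[Event]) -> list[CommandRecord]:
    """Pair emoji command messages with the clock-then-tick reactions used as
    acknowledgement. A command emoji in ordinary chat that never gets that ack
    sequence is ignored, which keeps emoji-heavy human talk from alerting."""
    pending: dict[str, dict] = {}
    records: list[CommandRecord] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "MESSAGE_CREATE":
            parsed = parse_command(ev.content)
            if parsed:
                pending[ev.message_id] = {"channel": ev.channel_id, "operator": ev.user_id,
                                          "handler": parsed[0], "args": parsed[1], "clock": {}}
        elif ev.kind == "REACTION_ADD" and ev.message_id in pending:
            st = pending[ev.message_id]
            if ev.emoji == CLOCK:
                st["clock"][ev.user_id] = ev.ts      # who started work, and when
            elif ev.emoji == TICK and ev.user_id in st["clock"]:
                records.append(CommandRecord(st["channel"], ev.message_id, st["operator"], ev.user_id,
                                             st["handler"], st["args"], ev.ts - st["clock"][ev.user_id]))
                del pending[ev.message_id]
        # REACTION_REMOVE of the clock is expected but not required for a match.
    return records


def suspicious_implants(records: list[CommandRecord], min_commands: int = 2) -> set[tuple[str, str]]:
    """(channel, reacting user) pairs that completed at least min_commands commands."""
    counts = Counter((r.channel_id, r.implant_id) for r in records)
    return {key for key, n in counts.items() if n >= min_commands}


# Constructed sample stream (not real traffic): one per-host channel with two
# commands, and a dev-chat channel where a fire emoji appears in normal talk.
SAMPLE_EVENTS = [
    Event("MESSAGE_CREATE", 100.0, "chan-host-a", "m1", "operator", content=RUN + " cat /etc/passwd"),
    Event("REACTION_ADD", 100.4, "chan-host-a", "m1", "implant-a", emoji=CLOCK),
    Event("REACTION_REMOVE", 101.2, "chan-host-a", "m1", "implant-a", emoji=CLOCK),
    Event("REACTION_ADD", 101.2, "chan-host-a", "m1", "implant-a", emoji=TICK),
    Event("MESSAGE_CREATE", 110.0, "chan-host-a", "m2", "operator", content=CAMERA),
    Event("REACTION_ADD", 110.3, "chan-host-a", "m2", "implant-a", emoji=CLOCK),
    Event("REACTION_ADD", 112.3, "chan-host-a", "m2", "implant-a", emoji=TICK),
    Event("MESSAGE_CREATE", 120.0, "chan-dev-chat", "m3", "alice", content=FIRE + " great demo today"),
    Event("REACTION_ADD", 121.0, "chan-dev-chat", "m3", "bob", emoji=TICK),   # tick without a clock
]

if __name__ == "__main__":
    for r in reconstruct(SAMPLE_EVENTS):
        print(f"{r.channel_id} {r.implant_id} {r.handler}({r.args!r}) in {r.seconds:.1f}s")
    print("suspicious:", suspicious_implants(reconstruct(SAMPLE_EVENTS)))
```

Run against a Discord audit export or a bot's own event log, the two commands in the per-host channel are recovered with their arguments and latency, while the fire emoji in the chat channel produces nothing because no account answered it with the clock-then-tick pair.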

How the campaign operated

The malware was delivered as a UPX-packed ELF executable inside a ZIP archive, most likely attached to phishing emails. When run, it displayed a decoy PDF, a beneficiary form from India's Defence Service Officer Provident Fund for use in the event of an officer's death, while the malicious payload was deployed in the background.
Researchers believe the operation targeted BOSS (Bharat Operating System Solutions), a custom Linux distribution used as a desktop operating system by Indian government agencies, although the malware could easily be adapted to other Linux distributions. After installation, DISGOMOJI collected basic information about the infected device: IP address, username, hostname, operating system and current working directory. The operators used this information to tell infected machines apart.
CyberPeace also notes that each infected computer was controlled through its own dedicated Discord channel. To coordinate and extend the campaign, DISGOMOJI was accompanied by additional tools, namely Nmap for network scanning and Chisel and Ligolo for tunneling.

Why defenders should care

DISGOMOJI matters because it is part of a larger trend in attacker tradecraft. Attackers increasingly use legitimate services and publicly accessible infrastructure to blend into normal traffic. Discord, a communication channel like any other, does not immediately raise red flags in many contexts, particularly where developers or employees use it for work. This makes it easier for abuse to pass as legitimate activity.
The malware also shows how a small change in how commands are encoded can defeat detection. Many security controls still rely on signatures: string patterns, domains and known command strings. By expressing commands as emojis carried over a public chat service, DISGOMOJI leaves few of those artifacts behind. The unusual control method draws the attention, but the real takeaway is the ability to embed malicious logic in ordinary digital interactions.
Persistence raises the threat further. According to BleepingComputer, DISGOMOJI used a cron @reboot entry to survive restarts, and later variants also used XDG autostart entries for both the malware and a USB data-stealing script. Beyond gaining a temporary foothold, the attacker intended the malware to remain on the system across reboots, which is exactly what an espionage operator wants.
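An audit of the two persistence mechanisms named above, as an added example that is not code from the original post or from any of the cited reports. It lists cron @reboot entries and XDG autostart Exec= commands and flags launch paths that sit in scratch or hidden directories. The flagging heuristic, the directory lists and the sample crontab and .desktop texts are this example's own constructions, not indicators from the campaign; a flagged entry is something to review, not a verdict.

```python
"""Audit cron @reboot entries and XDG autostart files, the two Linux
persistence mechanisms reported for DISGOMOJI."""
from __future__ import annotations

import configparser
import re
from pathlib import Path

# Where cron and XDG autostart entries normally live. Reading the per-user
# cron spools requires root.
CRON_LOCATIONS = ["/etc/crontab", "/etc/cron.d", "/var/spool/cron/crontabs", "/var/spool/cron"]
AUTOSTART_DIRS = [Path("/etc/xdg/autostart"), Path.home() / ".config" / "autostart"]

# Heuristic (this example's assumption): commands launched from scratch
# space or from a hidden directory deserve a human look.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
HIDDEN_DIR = re.compile(r"/\.[^/\s\"']+/")


def reboot_entries(crontab_text: str) -> list[str]:
    """Return the lines that use the @reboot schedule (comments never match)."""
    return [line.strip() for line in crontab_text.splitlines()
            if line.strip().startswith("@reboot")]


def autostart_exec(desktop_text: str) -> str | None:
    """Return the Exec= value of a .desktop file, or None if absent/unparsable."""
    # interpolation=None keeps field codes such as %U from being treated as
    # configparser substitutions; strict=False tolerates duplicate keys.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(desktop_text)
    except configparser.Error:
        return None
    return cp.get("Desktop Entry", "Exec", fallback=None)


def is_suspect(command: str) -> bool:
    """True if the command references scratch space or a hidden directory."""
    return any(d in command for d in SCRATCH_DIRS) or bool(HIDDEN_DIR.search(command))


def scan_host() -> list[tuple[str, str, bool]]:
    """Walk the real locations; return (source file, command, suspect) triples."""
    findings: list[tuple[str, str, bool]] = []
    for loc in CRON_LOCATIONS:
        p = Path(loc)
        try:
            files = [p] if p.is_file() else sorted(p.iterdir()) if p.is_dir() else []
        except OSError:
            continue
        for f in files:
            try:
                text = f.read_text(errors="replace")
            except OSError:
                continue
            findings += [(str(f), e, is_suspect(e)) for e in reboot_entries(text)]
    for d in AUTOSTART_DIRS:
        if not d.is_dir():
            continue
        for f in sorted(d.glob("*.desktop")):
            try:
                cmd = autostart_exec(f.read_text(errors="replace"))
            except OSError:
                continue
            if cmd:
                findings.append((str(f), cmd, is_suspect(cmd)))
    return findings


# Constructed sample inputs (not real indicators).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
@reboot /home/user/.cache/.x/updater
"""
SAMPLE_DESKTOP = """\
[Desktop Entry]
Type=Application
Name=gnome-session-helper
Exec=/bin/sh -c "/home/user/.local/share/.tmp/usb.sh"
Hidden=false
X-GNOME-Autostart-enabled=true
"""
BENIGN_DESKTOP = """\
[Desktop Entry]
Type=Application
Name=Print Queue Applet
Exec=/usr/bin/system-config-printer-applet %U
"""

if __name__ == "__main__":
    for source, command, suspect in scan_host():
        print(("SUSPECT " if suspect else "        ") + f"{source}: {command}")
```

Run as the user whose session is being investigated (and again as root for the cron spools). Legitimate entries in ~/.local/bin will also trip the hidden-directory check; the list is meant to be short enough to read, not to decide on its own.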

Espionage perspective

The targets place this malware squarely in the category of cyber espionage. Volexity describes UTA0137 as having espionage objectives and a remit to target Indian government organizations, and notes that its campaigns appear to have been successful. CyberPeace likewise describes the activity as cyber espionage against Indian government organizations.
The context matters because espionage malware is designed to be stealthy, persistent, flexible and efficient at collecting data. DISGOMOJI's file search, exfiltration, browser-profile compression, screenshot capture and use of tunneling utilities suit espionage far better than destructive cybercrime. In other words, the emojis are DISGOMOJI's most visible feature, while the strategy behind it is conventional state-sponsored cyber espionage.

Recommendations to organizations

Protecting against attacks like DISGOMOJI requires more than signature-based malware detection. Organizations should strengthen phishing prevention, detect unusual communication with third-party services such as Discord, and audit the Linux persistence mechanisms the malware used (cron jobs and XDG autostart entries). Organizations running Linux, particularly in defense, government, R&D or critical infrastructure, should recognize that Windows-oriented strategies may not suffice.
CyberPeace recommends a layered strategy: software and firmware updates, multi-factor authentication, advanced malware protection, network segmentation, monitoring and review of access controls, user education about phishing, and testing the incident response plan. Threat intelligence matters too, because a campaign like this will keep evolving while reusing accounts, servers and payloads.
The incident reinforces that defenders must treat the adversary as constantly adapting. Malware no longer needs an unknown, suspicious server to function: it can live inside popular applications, take emojis instead of written commands, and still conduct espionage effectively. DISGOMOJI shows why unusual tradecraft should not be dismissed as a mere curiosity; in today's cyber conflicts, it is more likely a preview of what comes next.
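One concrete form of the "detect unusual communication with third-party services" recommendation, as an added example that is not code from the original post or from any cited report. It runs over constructed web-proxy log lines and flags hosts that talk to the Discord REST API without being on an approved list, summarizing which of those calls are writes (reaction PUT/DELETE and message POST, both documented Discord REST endpoints). Seeing URL paths like these assumes a TLS-inspecting proxy; without one, only the domain or SNI is visible and the approved-host check is all that remains. The log format, the approved-host list and the channel and message IDs are this example's own constructions, and the post says nothing about the exact HTTP requests DISGOMOJI makes.

```python
"""Flag unexpected Discord API use in web-proxy logs."""
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed proxy log in a simplified "ts client method url status" form;
# IDs are made up and the lines are not from any real incident.
SAMPLE_LOG = """\
1718000000 10.10.5.21 GET https://discord.com/api/v10/users/@me 200
1718000002 10.10.5.21 PUT https://discord.com/api/v10/channels/1111/messages/2222/reactions/%E2%8F%B0/@me 204
1718000006 10.10.5.21 DELETE https://discord.com/api/v10/channels/1111/messages/2222/reactions/%E2%8F%B0/@me 204
1718000006 10.10.5.21 PUT https://discord.com/api/v10/channels/1111/messages/2222/reactions/%E2%9C%85/@me 204
1718000007 10.10.5.21 POST https://discord.com/api/v10/channels/1111/messages 200
1718000010 10.10.7.40 GET https://discord.com/api/v10/gateway 200
1718000011 10.10.7.40 GET https://cdn.discordapp.com/avatars/abc.png 200
1718000012 10.10.9.9 GET https://example.org/index.html 200
"""

# Assumption: the hosts where Discord use is expected (a developer workstation here).
APPROVED_CLIENTS = {"10.10.7.40"}

DISCORD_API = re.compile(r"^https://(?:discord\.com|discordapp\.com)/api/(?:v\d+/)?(.*)$")
REACTION = re.compile(r"^channels/\d+/messages/\d+/reactions/([^/]+)/@me$")
MESSAGES = re.compile(r"^channels/\d+/messages$")


def parse_line(line: str) -> tuple[int, str, str, str, int]:
    ts, client, method, url, status = line.split()
    return int(ts), client, method, url, int(status)


def classify(method: str, url: str) -> tuple[str, str] | None:
    """(kind, detail) for Discord API calls, None for anything else.
    kind is 'reaction' (detail = decoded emoji), 'message_post' or 'api_other'."""
    m = DISCORD_API.match(url)
    if not m:
        return None
    path = m.group(1)
    r = REACTION.match(path)
    if r and method in ("PUT", "DELETE"):
        return "reaction", unquote(r.group(1))
    if method == "POST" and MESSAGES.match(path):
        return "message_post", ""
    return "api_other", ""


def analyze(log_text: str) -> dict[str, dict]:
    """Per client: total API calls, write actions, and the emoji it reacted with."""
    per_host: dict[str, dict] = defaultdict(lambda: {"api_calls": 0, "writes": 0, "emoji": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, method, url, _status = parse_line(line)
        hit = classify(method, url)
        if hit is None:
            continue
        kind, detail = hit
        h = per_host[client]
        h["api_calls"] += 1
        if kind in ("reaction", "message_post"):
            h["writes"] += 1
        if kind == "reaction":
            h["emoji"].add(detail)
    return dict(per_host)


def alerts(report: dict[str, dict], approved: set[str]) -> list[str]:
    """One alert per host that uses the Discord API without being approved."""
    out = []
    for client, h in sorted(report.items()):
        if client in approved:
            continue
        emoji = "".join(sorted(h["emoji"])) or "-"
        out.append(f"{client}: {h['api_calls']} Discord API calls, {h['writes']} writes, reactions {emoji}")
    return out


if __name__ == "__main__":
    for a in alerts(analyze(SAMPLE_LOG), APPROVED_CLIENTS):
        print(a)
```

The reaction emoji are decoded from the URL, so the same clock and check-mark pair that marks the Discord-side protocol also shows up here, this time from network telemetry alone. Hosts that merely load Discord assets from the CDN are not counted, which keeps the report focused on accounts acting through the API.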

Find more threat intelligence resources related to cybersecurity and other types of digital risk here at IntelligenceX. IntelligenceX assists organizations in understanding new threats through focused analysis and investigations in digital intelligence.
