Hackers Are Using Discord Emojis To Command Linux Malware

Cybersecurity firm Volexity has recently identified a cyber espionage marketing campaign targeting Indian government agencies in 2024 using a custom Linux malware.

The newly discovered Linux malware, DISGOMOJI, has been attributed to a Pakistan-based threat actor known as UTA0137. It is written in Golang and compiled for Linux systems.

“In 2024, Volexity identified a cyber-espionage campaign undertaken by a suspected Pakistan-based threat actor that Volexity currently tracks under the alias UTA0137,” explains Volexity in a blog post.

“Volexity assesses with high confidence that UTA0137 has espionage-related objectives and a remit to target government entities in India. Based on Volexity’s analysis, UTA0137’s campaigns appear to have been successful.”

DISGOMOJI, is a modified version of the public project Discord-C2, which utilizes the messaging service Discord for command and control (C2) operations, making use of emojis for its C2 communication.

The malware only targets Linux systems, specifically government entities in India, who use a custom Linux distribution named BOSS as their daily desktop.

This malware is the same “all-in-one” espionage tool that Blackberry referenced in a May 2024 blog post used by the Transparent Tribe actor, a Pakistani-based threat group to target the Indian government, Defense, and Aerospace sectors.

Volexity also uncovered that UTA0137 used DirtyPipe (CVE-2022-0847) privilege escalation exploits against vulnerable “BOSS 9” systems.

The infection chain started with a UPX-packed ELF written in Golang and delivered within a ZIP file. This ELF downloaded a benign lure file, DSOP.pdf, which is the acronym for India’s Defence Service Officer Provident Fund, to trick the victim.

The malware then downloads the next-stage payload, named vmcoreinfo, from a remote server, clawsindia[.]in., which is dropped in a hidden folder named .x86_64-linux-gnu on the user’s system.

Once started, DISGOMOJI sends a check-in message in the channel containing the victim’s information, such as the internal IP, username, hostname, operating system, and current working directory. It maintains persistence and can survive system reboots.

DISGOMOJI preserves persistence on the system using cron jobs and can survive system reboots.

However, additional payloads will be downloaded in the background, including the DISGOMOJI malware and a script named uevent_seqnum.sh that is used to check if any USB devices are connected and, if so, steal data from them so the attacker can retrieve it later.

“DISGOMOJI listens for new messages in the command channel on the Discord server. C2 communication takes place using an emoji-based protocol where the attacker sends commands to the malware by sending emojis to the command channel, with additional parameters following the emoji where applicable,” Volexity continued.

While DISGOMOJI is processing a command, it reacts with a “Clock” emoji in the command message to let the attacker know the command is being processed.

Once the command is fully processed, the “Clock” emoji reaction is removed and DISGOMOJI adds a “Check Mark Button” emoji as a reaction to the command message to confirm the command was executed.”

Nine different emoji commands are available to the attacker that can be executed on an infected device:

emoji commands malware


Volexity’s analysis revealed that UTA0137 has also been using legitimate and open-source tools post-infection, which include network scanning with Nmap, network tunneling with Chisel and Ligolo, and stage tooling and exfiltrating data using file-sharing services like oshi[.]at.

Another post-exploitation activity is UTA0137’s use of the Zenity utility to display malicious dialog boxes and socially engineer users into giving up their passwords.

“The attacker successfully managed to infect a number of victims with their Golang malware, DISGOMOJI. UTA0137 has improved DISGOMOJI over time,” the cybersecurity firm said.

Volexity adds that DISGOMOJI has exfiltration capabilities supporting an espionage motive, including convenient commands to steal user browser data and documents and to exfiltrate data.

It also attributes this malicious activity to a Pakistan-based threat actor “with moderate confidence” based on targeting patterns and hardcoded artifacts, particularly targeting Indian government entities.

Subscribe to our newsletter

To be updated with all the latest news

Kavita Iyer
Kavita Iyerhttps://www.techworm.net
An individual, optimist, homemaker, foodie, a die hard cricket fan and most importantly one who believes in Being Human!!!


Please enter your comment!
Please enter your name here

Subscribe to our newsletter

To be updated with all the latest news

Read More

Suggested Post