Hackers incorporating emojis to control malware operations


Hackers Using Emojis for Command and Control Communication: Disgomoji Malware Targeting Indian Government

A new report from cybersecurity firm Volexity describes malware that takes its orders from its operator as emojis posted in a chat channel rather than as typed commands. Each emoji maps to an action: the ‘camera with flash’ takes a screenshot of the victim’s screen, the ‘fox’ zips the Firefox profiles on the device, the ‘pointing finger’ exfiltrates a file, and the ‘skull’ terminates the malware process.

In an incident reported in 2024, Indian government organisations were targeted with malware that Volexity calls Disgomoji, attributed to a suspected Pakistan-based threat actor the firm tracks as UTA0137. The malware is built for Linux systems running BOSS (Bharat Operating System Solutions), the custom distribution used by the Indian government. Volexity believes initial access was gained through phishing, with decoy documents serving as lures.

Disgomoji uses Discord as its command-and-control channel, creating a dedicated channel for each victim so the operator can work each machine individually. On start-up the malware posts a check-in message containing detailed system information, and it persists across reboots. From then on, commands arrive as an emoji-based protocol in which each emoji stands for one action.
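To make the protocol concrete, here is an added example (not Volexity’s code and not the malware’s) that decodes an exported Discord channel history into a timeline of operator actions, the kind of reconstruction an incident responder would do from a recovered bot channel. The emoji-to-action table is the one this article lists; the message format, the author names “operator” and “implant”, the timestamps and the check-in text are constructed for the example, since the article does not describe how the real implant formats its messages. The example also handles a detail the article does not mention: emoji often arrive with a skin-tone modifier, a variation selector or a zero-width-joiner sequence attached, so matching on the raw string would miss the command.

```python
"""Decode an emoji-command C2 channel of the kind this article describes.

Added example, not code from Volexity or from the malware. The emoji-to-action
mapping follows the article; message format and sample history are constructed.
"""

# Commands the article names (other emoji in the real protocol are not modelled).
EMOJI_COMMANDS = {
    "\U0001F4F8": "screenshot",            # camera with flash
    "\U0001F98A": "zip_firefox_profiles",  # fox
    "\U0001F449": "exfiltrate_file",       # pointing finger
    "\U0001F480": "terminate",             # skull
}

# Code points that decorate an emoji without changing which command it is:
# variation selectors, the zero-width joiner, and the five skin-tone modifiers.
ZWJ = "\u200D"
MODIFIERS = {"\uFE0E", "\uFE0F", ZWJ} | {chr(cp) for cp in range(0x1F3FB, 0x1F400)}


def parse_command(text):
    """Split an operator message into (action, argument).

    Returns (None, text) when the leading character is not a known command emoji.
    """
    text = text.strip()
    if not text:
        return None, ""
    # Consume the leading emoji cluster: the base code point plus any modifiers.
    # A ZWJ joins the following symbol into the same cluster, so consume that too.
    i = 1
    while i < len(text) and text[i] in MODIFIERS:
        joined = text[i] == ZWJ
        i += 1
        if joined and i < len(text):
            i += 1
    action = EMOJI_COMMANDS.get(text[0])
    if action is None:
        return None, text
    return action, text[i:].strip()


def reconstruct_timeline(messages, operator):
    """Turn an exported channel history into (ts, kind, action, detail) events.

    `messages` is a list of dicts with 'ts', 'author' and 'content' (a constructed
    format; a real Discord export needs its own loader). Messages from `operator`
    are decoded as commands; everything else is recorded as implant output, such as
    the check-in message the article mentions.
    """
    events = []
    for m in messages:
        if m["author"] == operator:
            action, arg = parse_command(m["content"])
            events.append((m["ts"], "cmd", action or "unknown", arg))
        else:
            events.append((m["ts"], "implant", "-", m["content"]))
    return events


def count_actions(events):
    """Count decoded operator actions so that unknown emoji stand out for review."""
    counts = {}
    for _, kind, action, _ in events:
        if kind == "cmd":
            counts[action] = counts.get(action, 0) + 1
    return counts


# Constructed sample: one victim channel. Host name, path and times are made up.
SAMPLE_HISTORY = [
    {"ts": "2024-06-01T09:00:03Z", "author": "implant",
     "content": "check-in host=boss-ws01 user=analyst ip=10.0.5.17"},
    {"ts": "2024-06-01T09:02:10Z", "author": "operator", "content": "\U0001F4F8"},
    {"ts": "2024-06-01T09:02:15Z", "author": "implant", "content": "[attachment] screen.png"},
    {"ts": "2024-06-01T09:05:41Z", "author": "operator",
     "content": "\U0001F449\U0001F3FD /home/analyst/Documents/tender.pdf"},  # skin-tone modifier
    {"ts": "2024-06-01T09:06:02Z", "author": "operator", "content": "\U0001F98A"},
    {"ts": "2024-06-01T09:10:00Z", "author": "operator",
     "content": "\U0001F3C3\u200D\u2642\uFE0F id"},  # ZWJ sequence not in the table
    {"ts": "2024-06-01T09:30:00Z", "author": "operator", "content": "\U0001F480\uFE0F"},
]

if __name__ == "__main__":
    timeline = reconstruct_timeline(SAMPLE_HISTORY, "operator")
    for ts, kind, action, detail in timeline:
        print(f"{ts}  {kind:7}  {action:20}  {detail}")
    print(count_actions(timeline))
```

Unknown emoji are kept as “unknown” with the raw text rather than dropped, because an operator command the analyst cannot decode is exactly the one worth looking at by hand.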

Beyond the emoji commands, the malware carries network scanning, tunnelling and exfiltration capabilities in support of espionage. Volexity attributes the activity to a Pakistan-based threat actor, citing hardcoded time zones, infrastructure links, language usage and the choice of target organisations.

Disrupting the Discord side alone does not stop it: if a bot account or server is taken down, Disgomoji fetches updated Discord credentials from a separate C2 server and resumes. For defenders this means that blocking a single Discord token or server is not enough; the more durable signal is traffic to the Discord API itself from a Linux host that has no business reason to talk to Discord. Combined with its capabilities and the way its C2 traffic blends into a legitimate service, the malware poses a significant threat.
