Malware targeting Indian govt agencies discovered using emojis on Discord, ET CISO



Linux malware dubbed ‘DISGOMOJI’ has been discovered that uses emojis sent through Discord to control infected devices. Cybersecurity firm Volexity identified the malware and linked it to a Pakistan-based threat actor it tracks as ‘UTA0137’, which targets Indian government agencies.

“In 2024, Volexity identified a cyber-espionage campaign undertaken by a suspected Pakistan-based threat actor that Volexity currently tracks under the alias UTA0137,” the firm reported. “We assess with high confidence that UTA0137 has espionage-related objectives targeting government entities in India. Based on our analysis, UTA0137’s campaigns have been successful.”

The malware was found as a UPX-packed ELF executable inside a ZIP archive, likely distributed via phishing emails. It targets BOSS Linux, the distribution used by Indian government agencies, though it runs on other Linux distributions as well.

Upon execution, the malware displays a decoy PDF—purportedly a beneficiary form from India’s Defence Service Officer Provident Fund—while secretly downloading additional payloads, including the DISGOMOJI malware and a shell script named ‘uevent_seqnum.sh’ designed to steal data from USB drives.
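The infection chain above starts with a ZIP lure carrying a UPX-packed ELF. The triage script below is an added example, not code from Volexity or from this article: it opens an archive, parses the ELF header of each member (class, endianness, type, machine) and applies a string heuristic for the `UPX!` marker the packer writes into its `l_info` header. The archive it inspects is constructed inline with a decoy PDF and a fake packed ELF; the member names are made up for the example.

```python
"""Triage a ZIP lure for UPX-packed ELF executables (added example)."""
import io
import struct
import zipfile

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"  # heuristic: l_info magic / packer stub string, not a full unpacker


def describe_elf(blob: bytes) -> dict:
    """Parse the ELF header fields that matter for triage; {} if not ELF."""
    if not blob.startswith(ELF_MAGIC) or len(blob) < 20:
        return {}
    ei_class = blob[4]   # 1 = 32-bit, 2 = 64-bit
    ei_data = blob[5]    # 1 = little-endian, 2 = big-endian
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", blob[16:20])
    return {
        "bits": 64 if ei_class == 2 else 32,
        "e_type": {2: "EXEC", 3: "DYN"}.get(e_type, str(e_type)),
        "e_machine": {0x3E: "x86-64", 0x03: "x86", 0xB7: "aarch64"}.get(e_machine, hex(e_machine)),
        # Lures are small, so scanning the whole member for the marker is cheap.
        "upx_packed": UPX_MARKER in blob,
    }


def triage_zip(archive: bytes) -> list[dict]:
    """One record per archive member, with ELF details where applicable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            record = {"name": info.filename, "size": info.file_size, "elf": False}
            details = describe_elf(data)
            if details:
                record["elf"] = True
                record.update(details)
            findings.append(record)
    return findings


def suspicious_members(archive: bytes) -> list[str]:
    """Members that are both ELF and UPX-packed: the dropper shape described above."""
    return [r["name"] for r in triage_zip(archive) if r["elf"] and r.get("upx_packed")]


def build_sample_archive() -> bytes:
    """Constructed sample: a decoy PDF plus a fake UPX-packed x86-64 ELF."""
    elf = bytearray(64)                 # 64-byte ELF64 header, mostly zero
    elf[0:4] = ELF_MAGIC
    elf[4] = 2                           # ELFCLASS64
    elf[5] = 1                           # ELFDATA2LSB
    elf[6] = 1                           # EV_CURRENT
    elf[16:20] = struct.pack("<HH", 2, 0x3E)  # ET_EXEC, EM_X86_64
    elf += b"\x00" * 64 + UPX_MARKER + b"\x0d\x16\x0d\x03"  # stand-in for the l_info block
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("beneficiary_form.pdf", b"%PDF-1.4\n%decoy\n")  # constructed name
        zf.writestr("beneficiary_form", bytes(elf))                 # constructed name
    return buf.getvalue()


if __name__ == "__main__":
    for rec in triage_zip(build_sample_archive()):
        print(rec)
    print("suspicious:", suspicious_members(build_sample_archive()))
```

A real sample should then be unpacked with `upx -d` (or inspected in a sandbox) before static analysis; the marker check only tells you that the packer was used, not what the payload does.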


DISGOMOJI collects system information such as IP address, username, hostname, operating system and current working directory and sends it back to the attackers. It builds on the open-source discord-c2 project for command and control, so operators issue commands as emojis posted in Discord channels; emoji-only messages may slip past controls that look for text-based command strings.
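One consequence of emoji-based tasking is that a channel being used for C2 contains messages with no ordinary text at all. The check below is an added example, not code from the article, Volexity or the discord-c2 project: it walks a list of objects shaped like Discord API message payloads (`id`, `author.username`, `content`, all constructed here) and flags messages whose content is emoji only, using Unicode category `So` plus the joiner, variation-selector, skin-tone and regional-indicator code points as the emoji test. It does not reproduce DISGOMOJI's actual command table, which this page does not list.

```python
"""Flag Discord channel messages whose content is emoji only (added example)."""
import json
import unicodedata

# Code points that glue emoji sequences together or select presentation style.
EMOJI_GLUE = {"\u200d", "\ufe0f", "\ufe0e", "\u20e3"}


def is_emoji_char(ch: str) -> bool:
    """Heuristic emoji test for a single code point."""
    if ch in EMOJI_GLUE:
        return True
    cp = ord(ch)
    if 0x1F1E6 <= cp <= 0x1F1FF:   # regional indicators (flag pairs)
        return True
    if 0x1F3FB <= cp <= 0x1F3FF:   # skin-tone modifiers
        return True
    return unicodedata.category(ch) == "So"   # Symbol, other: most pictographs


def emoji_only(text: str) -> bool:
    """True when every non-space character is emoji; empty content is not a command."""
    stripped = text.replace(" ", "")
    return bool(stripped) and all(is_emoji_char(c) for c in stripped)


def flag_emoji_commands(channel_json: str) -> list[dict]:
    """Return the messages in a channel dump that look like emoji-only tasking."""
    flagged = []
    for msg in json.loads(channel_json):
        content = msg.get("content", "")
        if emoji_only(content):
            flagged.append({
                "id": msg["id"],
                "author": msg["author"]["username"],
                "content": content,
            })
    return flagged


# Constructed channel dump in the shape of Discord API message objects.
SAMPLE_CHANNEL = json.dumps([
    {"id": "1", "author": {"username": "analyst"}, "content": "status update please"},
    {"id": "2", "author": {"username": "op"}, "content": "📸"},
    {"id": "3", "author": {"username": "op"}, "content": "🔥 👍"},
    {"id": "4", "author": {"username": "implant"}, "content": "done ✅"},
    {"id": "5", "author": {"username": "implant"}, "content": ""},
])


if __name__ == "__main__":
    for hit in flag_emoji_commands(SAMPLE_CHANNEL):
        print(hit)
```

Message content is only visible if you have the channel, so this is a hunting aid for analysts with API access or a seized bot token. The more durable detection on the victim side is network-level: outbound connections to discord.com from servers and workstations that have no business talking to Discord, regardless of what the messages say.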

  • Published On Jun 18, 2024 at 09:32 AM IST