June 15, 2024 at 05:18AM
A suspected Pakistan-based threat actor tracked as UTA0137 has conducted a cyber espionage campaign against Indian government entities in 2024. Its malware, DISGOMOJI, is a modified version of the open-source Discord-C2 project and controls compromised Linux systems through Discord, with operator commands issued as emojis rather than text. The actor has also escalated privileges on infected hosts and socially engineered users.
According to Volexity's analysis, UTA0137 targets Indian government entities with DISGOMOJI, which is written in Golang and built to infect Linux systems. The malware uses Discord for command and control, with commands sent as emojis in the Discord channel. It is delivered through spear-phishing emails and can execute commands, capture screenshots, and exfiltrate files. The threat actor has also been observed using legitimate and open-source tools for network scanning and tunneling, exploiting the DirtyPipe flaw in the Linux kernel (CVE-2022-0847) for privilege escalation, and using the Zenity dialog utility to present social-engineering prompts to users. UTA0137 has continuously improved DISGOMOJI over time.
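The DirtyPipe use above is the piece a responder can check for immediately: the bug (CVE-2022-0847) was introduced in Linux 5.8 and fixed upstream in 5.16.11, 5.15.25 and 5.10.102 (and in 5.17 onward). The following triage helper is an added example, not code from Volexity or from the DISGOMOJI report; the function names and the sample version strings are constructed for illustration. It classifies a `uname -r` style string and carries the caveat a practitioner needs: distribution kernels backport fixes without bumping the upstream version (Ubuntu reports `5.15.0-*`, Debian `5.10.0-*`), so "possibly vulnerable" means "confirm against the distro advisory", not "exploitable".

```python
"""DirtyPipe (CVE-2022-0847) kernel-version triage helper.

Added example, not code from Volexity or from the UTA0137/DISGOMOJI report.
Verdicts are based on upstream version numbers only; distro kernels that
backport the fix without changing the version string will be reported as
"possibly vulnerable" and must be confirmed against the vendor advisory.
"""
import platform
import re
from typing import Tuple

NOT_AFFECTED = "not affected"                # kernel predates the bug (< 5.8)
FIXED = "fixed"                              # upstream version carries the fix
POSSIBLY_VULNERABLE = "possibly vulnerable"  # inside the affected window

# First upstream release of each stable series that contains the fix.
# 5.8-5.9 and 5.11-5.14 were end-of-life before the fix and never got it.
FIXED_IN = {
    (5, 10): 102,
    (5, 15): 25,
    (5, 16): 11,
}


def parse_kernel_version(release: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from a uname -r style string.

    Accepts forms such as '5.15.0-91-generic', '5.10.0-26-amd64' or '5.10';
    the distro suffix after the patch number is ignored.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {release!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def assess_dirtypipe(release: str) -> str:
    """Return NOT_AFFECTED, FIXED or POSSIBLY_VULNERABLE for a version string."""
    major, minor, patch = parse_kernel_version(release)
    if (major, minor) < (5, 8):
        return NOT_AFFECTED
    if (major, minor) >= (5, 17):
        return FIXED
    fixed_patch = FIXED_IN.get((major, minor))
    if fixed_patch is not None and patch >= fixed_patch:
        return FIXED
    return POSSIBLY_VULNERABLE


def assess_running_kernel() -> Tuple[str, str]:
    """Assess the host this runs on; meaningful only on Linux."""
    if platform.system() != "Linux":
        raise RuntimeError("DirtyPipe is a Linux kernel bug; run this on Linux")
    release = platform.release()
    return release, assess_dirtypipe(release)


if __name__ == "__main__":
    # Constructed sample version strings covering each verdict.
    samples = [
        "4.19.0-25-amd64", "5.8.0-63-generic", "5.10.101", "5.10.102",
        "5.15.0-91-generic", "5.16.10", "6.1.0-18-amd64",
    ]
    for sample in samples:
        print(f"{sample:20} -> {assess_dirtypipe(sample)}")
    try:
        release, verdict = assess_running_kernel()
        print(f"\nthis host ({release}) -> {verdict}")
    except RuntimeError as exc:
        print(f"\nskipped host check: {exc}")
```

Treat a "possibly vulnerable" verdict as a prompt to check the distribution's changelog or advisory for the backport, and a "fixed" verdict as applying to the upstream code only; a kernel the actor has already used DirtyPipe against will show no trace in its version string.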
For the full analysis, see Volexity's report, and follow Volexity on Twitter and LinkedIn for updates.