DISGOMOJI Malware Used to Target Indian Government

In 2024, Volexity detailed a cyber-espionage operation attributed to the Pakistan-based threat actor UTA0137, delivering the DISGOMOJI Go malware to Linux targets (primarily Indian government entities) and using Discord as its C2 channel. The campaign includes staged payloads, persistence on Linux, USB data collection, and post-infection tooling, with several variants and evolving C2 resilience tactics. #DISGOMOJI #UTA0137 #Volexity #IndianGovernment #BOSS #DiscordC2 #DirtyPipe

Keypoints

  • UTA0137 is identified as a suspected Pakistan-based threat actor targeting Indian government entities, with campaigns assessed as espionage-focused.
  • DISGOMOJI is a Golang ELF malware for Linux that uses Discord for C2 and is a fork of the public discord-c2 project.
  • Initial access involves a ZIP-delivered, UPX-packed ELF that loads a lure PDF (DSOP.pdf) displayed to the target.
  • Second-stage payload vmcoreinfo is downloaded from clawsindia.in and dropped in a hidden .x86_64-linux-gnu folder in the user’s home directory.
  • Persistence is achieved via cron (crontab); a USB data collection script (uevent_seqnum.sh) copies files from connected devices for exfiltration.
  • Discord-based C2 uses emoji commands in a dedicated victim channel, with a check-in message exposing victim details on startup.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The UPX-packed ELF is delivered within a ZIP file and displays a lure PDF (DSOP.pdf) to the victim. ‘The malware then downloads the next-stage payload, named vmcoreinfo, from a remote server. This payload is an instance of the DISGOMOJI malware.’
  • [T1105] Ingress Tool Transfer – The malware downloads the next-stage payload (vmcoreinfo) from a remote server. ‘The malware then downloads the next-stage payload, named vmcoreinfo, from a remote server.’
  • [T1071.001] Application Layer Protocol: Web Protocols – DISGOMOJI uses Discord for C2, with commands issued as emoji in a per-victim channel. ‘DISGOMOJI uses Discord for C2.’
  • [T1053.005] Scheduled Task/Job: Cron – Persistence via cron; the malware ‘maintains persistence on the system using cron.’
  • [T1120] Peripheral Device Discovery – USB device checks and copying files from connected devices for exfiltration. ‘check if any USB devices are connected and, if so, copy files from these connected devices to a local folder.’
  • [T1547.013] Boot or Logon Autostart Execution: XDG Autostart Entries – Autostart persistence by dropping GNOME_Core.desktop in the user’s autostart folder. ‘drops a file named GNOME_Core.desktop … in the /home//.config/autostart directory.’
  • [T1567.002] Exfiltration to Cloud Storage – Stolen files are uploaded to the oshi.at file-hosting service. ‘Upload a file from the victim’s device to Oshi (oshi.at), a remote file-storage service.’
  • [T1572] Protocol Tunneling – Network tunneling using Chisel and Ligolo. ‘Use of both Chisel and Ligolo for network tunneling.’
  • [T1046] Network Service Discovery – Nmap used to scan victim networks. ‘Use of Nmap to scan victim networks.’
  • [T1068] Exploitation for Privilege Escalation – DirtyPipe (CVE-2022-0847) is used for local privilege escalation on the compromised Linux host. ‘DirtyPipe (CVE-2022-0847) privilege-escalation exploit against a system.’
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – LAN_Conf.sh is a Bash script used by the malware. ‘LAN_Conf.sh is a BASH script …’
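
A host-side triage check for the persistence artifacts listed above, added here as an example and not part of the Volexity write-up. It looks under a user's home directory for the hidden .x86_64-linux-gnu folder, the vmcoreinfo payload, the uevent_seqnum.sh script and the GNOME_Core.desktop autostart entry, and flags crontab lines that reference them. The summary does not state where uevent_seqnum.sh lives or the exact cron line format, so the walk covers the whole home directory and the crontab sample is constructed.

```python
import os
import re
import tempfile
from pathlib import Path

# File names come from the write-up above. Only the hidden staging folder has a
# stated location (the user's home); the other names are searched for under home.
HIDDEN_DIR = ".x86_64-linux-gnu"
ARTIFACT_NAMES = {"vmcoreinfo", "uevent_seqnum.sh", "GNOME_Core.desktop"}
AUTOSTART_DIR = Path(".config") / "autostart"
CRON_PATTERN = re.compile(r"vmcoreinfo|uevent_seqnum\.sh|\.x86_64-linux-gnu")

# Constructed crontab text for the self-check; not taken from a real infection.
SAMPLE_CRONTAB = """# m h dom mon dow command
@reboot /home/user/.x86_64-linux-gnu/vmcoreinfo
*/5 * * * * bash /home/user/.x86_64-linux-gnu/uevent_seqnum.sh
0 3 * * * /usr/local/bin/nightly-backup.sh
"""

def scan_home(home: Path) -> list[str]:
    """Walk one home directory and return findings. The search is confined to
    home because /sys/kernel/vmcoreinfo is a legitimate kernel file name."""
    home = Path(home)
    findings = []
    if (home / HIDDEN_DIR).is_dir():
        findings.append(f"hidden staging dir: {home / HIDDEN_DIR}")
    for root, _dirs, files in os.walk(home):
        for name in files:
            if name in ARTIFACT_NAMES:
                path = Path(root) / name
                tag = "autostart entry" if path.parent == home / AUTOSTART_DIR else "artifact"
                findings.append(f"{tag}: {path}")
    return sorted(findings)

def scan_crontab(crontab_text: str) -> list[str]:
    """Return non-comment crontab lines (e.g. `crontab -l` output) naming an artifact."""
    return [ln.strip() for ln in crontab_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#") and CRON_PATTERN.search(ln)]

def demo_on_constructed_tree() -> tuple[int, int]:
    """Build a throwaway home dir holding the artifacts, then count what each scan finds."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / HIDDEN_DIR).mkdir()
        (home / HIDDEN_DIR / "vmcoreinfo").write_bytes(b"\x7fELF")  # constructed stub
        (home / AUTOSTART_DIR).mkdir(parents=True)
        (home / AUTOSTART_DIR / "GNOME_Core.desktop").write_text("[Desktop Entry]\n")
        (home / "notes.txt").write_text("benign\n")
        return len(scan_home(home)), len(scan_crontab(SAMPLE_CRONTAB))
```

On a live host, call scan_home(Path.home()) for each user's home directory and feed the output of `crontab -l` (and the contents of /etc/cron.* files) to scan_crontab.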

Indicators of Compromise

  • [Domain] clawsindia.in, ordai.quest – Attacker infrastructure: clawsindia.in hosts the vmcoreinfo payload; ordai.quest serves the Discord bot token and server ID.
  • [URL] https://ordai[.]quest/ADMIN_CONTROL/BID1.txt, https://ordai[.]quest/ADMIN_CONTROL/GID1.txt – Endpoints used to retrieve the Discord bot token and server ID.
  • [Hash] 1443e58a298458c30ab91b37c0335bdadbacd756, 0d4111ab5471c7f5b909bff336ba8cd66f9d8630, and 4 more hashes – Digests for DISGOMOJI samples and related components (from Appendix notes); these are 40-character hex strings, i.e. SHA-1 length rather than MD5.
  • [File name] DSOP.pdf, vmcoreinfo, uevent_seqnum.sh – Lure and script files involved in deployment and data collection.

Read more: https://www.volexity.com/blog/2024/06/13/disgomoji-malware-used-to-target-indian-government/