EMOJIS are increasingly being used by threat actors to signal, obfuscate, and coordinate across global networks on platforms such as Telegram and Discord, as well as in underground forums. The piece notes a broad shift toward faster, more visual communication, with threat actors leveraging emojis to bypass basic keyword filters and to operate in high-volume environments.
In a notable campaign, the Pakistan-linked APT group UTA0137 used Disgomoji malware that translates simple emojis sent over Discord into operational commands, including a camera emoji to capture screenshots, a fire emoji to exfiltrate files, and a skull emoji to terminate processes. The report also highlights emoji-based C2 operations and the embedding of malicious payloads in seemingly harmless emojis to evade security controls, a tactic described as part of emoji smuggling.
According to Flashpoint, emojis enable multi-lingual communication and can create a layered obfuscation that complicates large-scale monitoring, while also offering a detectable pattern for threat hunters to track actors across channels and aliases.
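As an added example (not code from the Flashpoint report or from the Disgomoji campaign), the "detectable pattern" point above can be turned into a small hunting script: it reads a constructed channel export, recognises messages shaped like Disgomoji commands using only the three emoji-to-command pairs the text names, and flags authors who send such messages repeatedly. The `channel|author|message` line format, the argument-length limits and the hit threshold are assumptions.

```python
"""Hunt a chat export for emoji-shaped C2 commands (defensive detection only)."""
from collections import Counter

# Emoji-to-command pairs as described for Disgomoji on the page; the malware's
# full command table is not on the page, so this is a deliberately partial lookup.
COMMAND_EMOJIS = {
    "\U0001F4F7": "screenshot",        # camera
    "\U0001F525": "exfiltrate_files",  # fire
    "\U0001F480": "kill_process",      # skull
}


def parse_line(line):
    """Split an assumed 'channel|author|message' export line into its fields."""
    channel, author, message = line.rstrip("\n").split("|", 2)
    return channel, author, message


def command_in_message(message):
    """Return the command name if a message looks like an emoji command, else None.

    An emoji command is a leading command emoji optionally followed by a short
    argument (a path, a PID). Ordinary chat that merely contains an emoji inside
    a sentence does not match, which keeps false positives down.
    """
    text = message.strip().replace("\ufe0f", "")  # drop emoji variation selector
    if not text or text[0] not in COMMAND_EMOJIS:
        return None
    argument = text[1:].strip()
    if len(argument) > 64 or len(argument.split()) > 2:  # assumed limits
        return None
    return COMMAND_EMOJIS[text[0]]


def hunt(lines, min_hits=2):
    """Return (findings, suspicious): every command-shaped message, plus the
    (channel, author) pairs that sent at least min_hits of them."""
    findings, per_author = [], Counter()
    for line in lines:
        channel, author, message = parse_line(line)
        command = command_in_message(message)
        if command:
            findings.append((channel, author, command, message))
            per_author[(channel, author)] += 1
    suspicious = {key: n for key, n in per_author.items() if n >= min_hits}
    return findings, suspicious


# Constructed sample export: one operator-style channel and ordinary chatter.
SAMPLE_LOG = [
    "ops-1|operator|📷",
    "ops-1|operator|🔥 /home/user/Documents",
    "ops-1|operator|💀 1234",
    "general|alice|that deploy was 🔥🔥 amazing work everyone, nothing broke",
    "general|bob|📷 lol",
]

if __name__ == "__main__":
    for key, count in hunt(SAMPLE_LOG)[1].items():
        print(f"suspicious: channel={key[0]} author={key[1]} command_messages={count}")
```

A single emoji-shaped message from an ordinary user is recorded as a finding but not escalated; only the repeated pattern from one author in one channel is flagged.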