Threat Actors Utilize Emojis for Stealthy Cyber Communications

Severity: Low (Score: 36.9)

Sources: Darkreading, Cybernews

Summary

Threat actors are increasingly using emojis as a coded language on platforms like Telegram and Discord to enhance communication and evade detection. This trend allows them to signal intent, categorize activities, and obscure meanings from outsiders. According to an analysis by Flashpoint, emojis serve as a functional overlay in high-volume environments, enabling faster and clearer communication among cybercriminals. Commonly used emojis include those related to financial fraud, access credentials, and tooling services. For example, symbols like 💰 indicate financial success, while 🔑 denotes access credentials. The strategic use of emojis is particularly prevalent in fraud channels and illicit marketplaces, where minimal text is preferred. This development highlights the need for threat intelligence teams to adapt their analysis methods to include emoji usage for better detection and attribution of malicious activities.

Key Points:

  • Emojis are now used by threat actors as a coded language to enhance stealthy communication.
  • Common emojis signal financial activities, access credentials, and tooling services.
  • Understanding emoji usage is critical for threat intelligence teams to improve detection capabilities.

Key Entities

  • Uta0137 (apt_group)
  • Data Breach (attack_type)
  • Malware (attack_type)
  • Phishing (attack_type)
  • Pakistan (country)
  • Disgomoji (malware)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1113 - Screen Capture (mitre_attack)
  • T1566 - Phishing (mitre_attack)
  • Dark Web (platform)
  • Discord (platform)
  • Telegram (platform)