{
	"id": "17aa9b5a-55df-488c-8190-748b6ccd8325",
	"created_at": "2026-04-06T00:19:11.136458Z",
	"updated_at": "2026-04-10T03:33:15.882736Z",
	"deleted_at": null,
	"sha1_hash": "0a065e3a21bc747aab8c0d46b55fe4ec1d94bb5b",
	"title": "Reversing DISGOMOJI with Malcat like a BOSS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9698382,
	"plain_text": "Reversing DISGOMOJI with Malcat like a BOSS\r\nBy RJM\r\nPublished: 2022-02-12 · Archived: 2026-04-05 22:53:07 UTC\r\nCover: BOSS is an India-based Linux distribution used by the Indian government\r\nDisclaimer: The views, methods, and opinions expressed at Anchored Narratives are the author’s and do not necessarily reflect my employer’s official policy or position.\r\nIt has been a while since I last wrote an anchored narrative on my Substack; the reason is that I have been quite busy with my Volexity job. The past year, I was part of the investigation team that led to the discovery of the Ivanti zero-day, and a bit later, the investigation led to the zero-day detection of the Palo Alto GlobalProtect firewalls. In April 2024, ForensicFocus interviewed me about the importance of memory forensics. In June, I wrote a peer-reviewed article for the IT auditor organization NOREA about the significance of memory forensics for auditors in determining the maturity of organizations' cyber defence capabilities. So, it was a pretty busy time.\r\nBut since the beginning of February 2024, I have found a new tool called Malcat, which has made my job much more convenient. It is binary analysis software for threat analysts and reversers. It provides all the features I need for my daily work, including analyzing malware and creating Yara rules or other detection opportunities. I favor Malcat over disassemblers like IDA or Ghidra because it has many built-in features and fits me like a glove.\r\nRecently, our threat intelligence team published an excellent investigation into a Pakistani threat actor that successfully compromised multiple Linux BOSS systems of the Indian government. BOSS stands for Bharat Operating System Solutions and is a custom version of Linux widely used by the Indian government. 
The investigation was fascinating, as the Linux Go malware, dubbed DISGOMOJI, listens for new messages in the command channel on the Discord server that acts as the C2 server. Communication with it takes place using an emoji-based protocol. The attacker sends commands to the malware by sending emojis to the command channel, with additional parameters following the emoji where applicable.\r\nThis anchored narrative briefly demonstrates some Malcat features on a Go Linux malware sample that these threat actors used. Why this sample? It is a Linux sample and not a Windows sample, highlighting some of the features of Malcat discussed in this article.\r\nhttps://anchorednarratives.substack.com/p/reversing-disgomoji-with-malcat-like\r\nPage 1 of 10\r\nThis anchored narrative is based on a lightning talk about Malcat and DISGOMOJI that I presented during a threat meetup at Google/Mandiant in Amsterdam on July 18, 2024. I asked a full room of threat analysts/reversers (70 or 80 folks) if they were familiar with Malcat, but nobody knew about this tool, and that has to change. Are you interested in the tool's capabilities? Let’s go!\r\nDisclaimer: I have no financial interest in the tool; I am just a Malcat fan!\r\nThe threat actor that developed DISGOMOJI is currently being tracked as UTA0137 and is seen as a Pakistani threat actor. After compromising multiple BOSS systems, the threat actors used an old privilege escalation exploit called DirtyPipe to gain root access. NIST tracks the vulnerability as CVE-2022-0847. Once exploited, they would exfiltrate relevant information from the BOSS systems via the DISGOMOJI malware. 
From an outside perspective, it appears that the cyber maturity of the Indian government has some room for improvement, namely in vulnerability management, but also in the unrestricted access of BOSS users who can connect to Discord services from their network.\r\nScreenshot 1: The logo of Malcat\r\nAccording to its website, Malcat is a feature-rich hexadecimal editor/disassembler for Windows and Linux targeted at IT security professionals. For me, that does not cut it. It is a complete binary analysis platform that can be used in an isolated network without the Internet. Malcat runs natively on Linux and Windows, which is where its reversing power lies. It’s not that great at reversing macOS binaries. One of the things I enjoy is the tremendous amount of binary file format support. For example, when you want to reverse a malicious Microsoft installer package, it is natively supported, and you can navigate to the malicious stuff immediately. But here it comes: Malcat has full support for Yara. This means you can use your Yara rule base to determine if existing rules already cover a piece of malware or if you need to write an intelligent rule to cover the new sample.\r\nMalcat also has built-in Python support, handy for writing a config extractor for certain malware families. A great example for Qakbot can be found here.\r\nRecently, a new feature called Kesakode has been implemented: a remote hash lookup service that checks unpacked malware samples against an indexed library of known malware samples from Malcat and Malpedia. The following information is listed about it on the Malcat website:\r\n“a remote hash lookup service exclusive to Malcat users and tightly integrated inside Malcat's UI. It can be used to match known functions, strings and constant sets against a database of known clean, malware and library files. 
The Kesakode service can be used in various situations, such as:\r\nidentify unpacked (e.g. a memory/sandbox dump) malware samples\r\nshow similarities shared between malware families\r\nassist in the creation of better Yara rules\r\nspeed up reverse engineering by identifying known libraries / runtime code”\r\nOne of the other things I often use in Malcat is the ability to look up pieces of data (bytes or string patterns) in a defined corpus made up of your own or public repositories of malware samples. I use the samples I encounter in my daily casework and the VXUnderground dataset.\r\nMalcat also has code decompilation and built-in support for threat intelligence providers like Intezer, MalwareBazaar, VirusTotal, and others.\r\nMalcat has many features, but we will only focus on Transforms today. Transforms is built-in CyberChef-like functionality where you can stack recipes and manipulate or convert data to strings.\r\nRenaud Tabary is a French developer who actively develops Malcat. Since I’m an active user of Malcat, I have been in touch with him several times. He responded to my questions quickly and immediately fixed a Yara bug where our Yara dataset would match very slowly against a sample.\r\nThe sample we will examine with Malcat, India_Emerging_Global_Economy, has been on VirusTotal since May 2024, uploaded from the Netherlands, and can be found here. As of the writing of this anchored narrative in August 2024, the sample is still not detected by any of the leading anti-virus engines.\r\nScreenshot 2: Zero anti-virus detection in August 2024\r\nNow, let’s load the sample in Malcat. You can configure Malcat to integrate it into the Explorer context menu.\r\nScreenshot 3: DISGOMOJI loaded into Malcat\r\nOnce you’ve loaded the sample, you’ll see the above screen, where files embedded in the sample will be presented on the upper left side. 
On the bottom left side, relevant code sections will be displayed. In this example, the sample is not loaded with a custom Yara rule base but only with the rules shipped with Malcat. On the top right, you can easily navigate between different tool functionalities. There is a hexadecimal view, assembly, code decompilation, strings, Kesakode, threat intelligence, etc. Malcat also detects strings pushed on the stack at runtime (stack strings) in the strings view and has very decent string support for Go binaries.\r\nDuring the sample's loading, Malcat also detects relevant anomalies and presents them to the user in the “Anomalies” section of the initial screen. In the screenshot above, “HugeStringBase64” is detected. The anomaly will be displayed on the bottom left of the screen if you click on it.\r\nScreenshot 4: A large block of Base64 is automatically detected\r\nBy clicking on the bytes, the entire selection will be displayed in the hexadecimal view, as seen below.\r\nScreenshot 5: Transform the selected base64\r\nOnce the bytes have automatically been selected, you can right-click to display Malcat's context menu. In this case, I have chosen Transform because we want to decode the base64-encoded blob.\r\nScreenshot 6: Base64 decode\r\nAs you can see in the screenshot above, the selected data is automatically decoded, and you can see a piece of a bash script with some base64-encoded data. Then, you can choose to have the file presented “In Place” or as a “New File.” If you have enabled your own Yara rule set, the rule set is matched against the new file. 
In this case, I will choose “New File”.\r\nScreenshot 7: Transformed file in Malcat\r\nIf you examine the obfuscated bash script, you’ll see that it’s base64-encoded data which is then piped into “bu\"\"'n'zip” (the command name is broken up with empty and single quotes, which the shell concatenates back together, so the plain command string does not appear in the script). Let’s select the base64 data and transform it once more.\r\nScreenshot 8: BZip2 header revealed\r\nNow, we can see that after decoding the base64, the data is still encoded, but it is now bzip2-compressed data, as the header starts with “BZh9”. The next step would be decompressing the data with another Transform in Malcat.\r\nScreenshot 9: The final bash payload is displayed in Malcat\r\nAs you can see in the screenshot above, you can stack decoding recipes just like in CyberChef. Malcat also provides Transform functionality for AES and RC4 decryption, for example. The next step is to display the entire configuration of the DISGOMOJI malware.\r\nScreenshot 10: The final payload configuration of DISGOMOJI\r\nWith a few simple actions, Malcat transforms data to display the final configuration of the DISGOMOJI malware.\r\nLet’s briefly zoom in on some of the features you get if you customize Malcat with your own Yara rule set.\r\nMalcat's documentation clearly describes how you can leverage your own Yara rule set. 
I have configured the rule set on my host system so that it is updated with new Yara rules.\r\nScreenshot 11: Own Yara dataset enabled\r\nOnce I have enabled the custom Yara rule base, all relevant detections will be displayed in the “Other” view under “Yara signatures,” as seen in the screenshot above.\r\nAnother feature I would like to share is the ability to look up relevant strings or byte patterns of a new sample against a corpus of malware samples.\r\nScreenshot 12: Configuration of the Malware Corpus\r\nIn the screenshot above, you can see that I have enabled the VXUnderground dataset and my own dataset.\r\nWhenever you find interesting strings or byte patterns that you want to check against your configured malware corpora, you can select the strings and choose “Search in corpus” via the context menu of Malcat. If a sample is matched, it will be displayed in the search results.\r\nI have highlighted some of Malcat's great functionalities in this anchored narrative based on a known DISGOMOJI sample we encountered in an active breach of the Indian government by Pakistani hackers. If you cannot find your way in IDA or Ghidra, Malcat might be the tool for you. It will also increase the quality of your Yara signature writing, as it has some great features I have not yet highlighted. Malcat is a time saver, as it drastically improved my static analysis speed.\r\nI will update you on the Bhima Koregaon case in the subsequent anchored narrative. 
The defendants are still in jail because a hacker group dubbed ModifiedElephant planted manipulated digital evidence on their computers.\r\nUntil next time!\r\nSource: https://anchorednarratives.substack.com/p/reversing-disgomoji-with-malcat-like",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://anchorednarratives.substack.com/p/reversing-disgomoji-with-malcat-like"
	],
	"report_names": [
		"reversing-disgomoji-with-malcat-like"
	],
	"threat_actors": [
		{
			"id": "67e56ffa-aad6-4a0d-89fe-ac443dfb2f1b",
			"created_at": "2023-01-06T13:46:39.364262Z",
			"updated_at": "2026-04-10T02:00:03.302769Z",
			"deleted_at": null,
			"main_name": "ModifiedElephant",
			"aliases": [],
			"source_name": "MISPGALAXY:ModifiedElephant",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434751,
	"ts_updated_at": 1775791995,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0a065e3a21bc747aab8c0d46b55fe4ec1d94bb5b.pdf",
		"text": "https://archive.orkl.eu/0a065e3a21bc747aab8c0d46b55fe4ec1d94bb5b.txt",
		"img": "https://archive.orkl.eu/0a065e3a21bc747aab8c0d46b55fe4ec1d94bb5b.jpg"
	}
}