Cybercriminals are increasingly using emojis as covert signals, where different emojis denote bot access, hacking tools, and point to high ransom demands. This tactic helps them evade security filters while keeping their communications subtle and concealed.

For cybercriminals, emojis have moved beyond simple visual add-ons and now serve as functional components within their communication strategies. 

From platforms like Telegram and Discord to hidden online forums, users are increasingly leveraging these elements to communicate covertly, mask their messages, and collaborate across borders. 

A Widespread Transformation  

"Emoji usage reflects a broader shift in how threat actors communicate toward faster, more visual, and more adaptive forms of interaction," Flashpoint said in an analysis this week. 

By incorporating emoji analysis into threat intelligence workflows, organisations can more effectively identify new attack campaigns, uncover critical malicious operations, attribute activity to specific threat actors, and interpret underlying intent. "While emojis alone are not decisive indicators, they provide an additional layer of signal that can strengthen overall analysis," the threat intelligence firm said. 

Leveraging the ubiquity and seemingly benign nature of emojis, threat actors are using them in multiple ways—including hiding C2 communications—to obfuscate malicious operations and bypass defensive systems. 

The Pakistan-linked APT group UTA0137 has demonstrated the growing sophistication of emoji-driven attacks through its “Disgomoji” malware, which interprets emojis sent via Discord as operational instructions. A camera emoji could initiate screenshots, a fire emoji signal file exfiltration, and a skull emoji terminate running processes. This campaign highlights the rise of emoji-based command-and-control activity, where symbols are used to execute tasks, confirm completion, and coordinate data transfers across infected environments. Beyond this, emojis are increasingly being embedded in malware code and leveraged in “emoji smuggling” techniques to conceal payloads and bypass traditional security mechanisms.

Flashpoint highlights that emojis serve a dual purpose for threat actors. Substituting emojis for commonly flagged keywords tied to fraud and other malicious operations helps bypass basic filters and limits detection in automated systems. Additionally, emojis streamline communication in fast-paced spaces like Telegram fraud groups, phishing networks, carding forums, and underground marketplaces. They also play a key role in enabling more effective multi-lingual communication across globally distributed cybercriminal networks. 

Typical Use Cases  

Flashpoint found that emojis are most commonly used by threat actors in discussions around financial fraud, monetisation, access credentials, system compromise, and the promotion of tools and services. A card symbol might signal stolen card data, a bag of money can indicate earnings or payouts, a key may represent access credentials, and an unlocked lock can point to a successful compromise. As noted by Flashpoint, these emojis frequently appear in sales listings, fraud records, and claims of success, helping actors rapidly spot financially driven opportunities. 

Beyond general communication, threat actors leverage emojis to showcase their operational capabilities. A robot icon might signal bot or automation services, a gear could refer to setup, configuration, or infrastructure support, and a toolbox may represent packaged tools or service bundles. Emojis are also used to define target categories and regions—for example, a building emoji for enterprise targets and national flags to indicate geographically focused operations. 

Conversely, the predictable nature of emoji usage can work against threat actors. As patterns emerge—such as recurring emoji combinations in sales listings or consistent message formats—researchers and threat hunters can use them to identify, monitor, and track malicious groups. This consistency enables analysts to connect activities across various platforms, channels, and pseudonyms.
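As an added illustration of the pattern-tracking idea above (example code, not part of Flashpoint's analysis), the Python script below tags constructed chat messages using the emoji meanings the article lists and groups handles that share the same multi-emoji signature across platforms; the messages, handles, tag names and the emoji-to-category mapping are assumptions made for this example.

```python
from __future__ import annotations
from collections import defaultdict
# Emoji meanings as described in the article (assumed mapping for this example).
# Keys are bare code points; variation selectors (U+FE0F) are stripped before lookup.
EMOJI_TAGS = {
    "\U0001F4B3": "card-data",          # 💳 stolen card data
    "\U0001F4B0": "payout",             # 💰 earnings or payouts
    "\U0001F511": "credentials",        # 🔑 access credentials
    "\U0001F513": "compromise",         # 🔓 successful compromise
    "\U0001F916": "bot-service",        # 🤖 bot or automation services
    "\u2699": "infrastructure",         # ⚙ setup, configuration, infrastructure
    "\U0001F9F0": "tool-bundle",        # 🧰 packaged tools or service bundles
    "\U0001F3E2": "enterprise-target",  # 🏢 enterprise targets
}
# Constructed sample messages: (platform, handle, text). Not real posts.
SAMPLE_MESSAGES = [
    ("telegram", "seller_a", "\U0001F4B3 new stock \U0001F4B0 weekly \U0001F513 verified"),
    ("discord", "alias_x", "\U0001F4B3 stock \U0001F4B0 \U0001F513"),
    ("forum", "casual_user", "weekend plans \U0001F3D6\ufe0f \U0001F4B0 lottery"),
    ("telegram", "botshop", "\U0001F916 automation \U0001F9F0 bundle \u2699\ufe0f setup \U0001F3E2"),
]

def extract_emojis(text: str) -> list[str]:
    """Return the tracked emojis in the order they appear in the message."""
    return [ch for ch in text.replace("\ufe0f", "") if ch in EMOJI_TAGS]

def tag_message(text: str) -> list[str]:
    """Translate a message's tracked emojis into the article's meaning categories."""
    return [EMOJI_TAGS[e] for e in extract_emojis(text)]

def fingerprint(text: str) -> str:
    """Signature of the emoji pattern; empty when no tracked emoji is present."""
    return "|".join(tag_message(text))

def link_handles(messages, min_tags: int = 2) -> dict[str, set[tuple[str, str]]]:
    """Group (platform, handle) pairs whose messages share the same multi-emoji
    signature; messages with fewer than min_tags tracked emojis are ignored as noise."""
    groups: dict[str, set[tuple[str, str]]] = defaultdict(set)
    for platform, handle, text in messages:
        tags = tag_message(text)
        if len(tags) >= min_tags:
            groups["|".join(tags)].add((platform, handle))
    return dict(groups)

if __name__ == "__main__":
    for sig, handles in link_handles(SAMPLE_MESSAGES).items():
        print(sig, "->", sorted(handles))
```

The single-emoji "lottery" message is dropped by the min_tags threshold, while the two card listings on different platforms collapse into one signature, which is the kind of cross-platform linkage the article describes.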