Disco

Malware

⚠️ Overview

Disco is a Linux‑based backdoor first observed in 2020 and documented in a 2021 joint advisory (AA21‑048A) from the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). Note that AA21‑048A is CISA's AppleJeus advisory on Lazarus cryptocurrency‑theft malware, so the reference should be checked against the advisory text before it is reused. Disco is attributed to the North Korean state‑sponsored Lazarus Group (tracked by the U.S. government as HIDDEN COBRA; APT38 is the name used for its financially motivated subgroup) and is a custom remote access trojan (RAT) used for cyber‑espionage rather than an off‑the‑shelf commodity tool.

🔧 Technical Capabilities

Disco is compiled as a 64‑bit ELF binary for Linux and communicates with its command‑and‑control (C2) infrastructure over HTTP using POST requests, with the request bodies encrypted using RC4. It can execute arbitrary shell commands, upload and download files, list directories, and spawn reverse shells. Persistence is achieved through cron jobs or systemd services; evasion techniques include process‑name masquerading, memory‑only (fileless) payload execution, and anti‑debugging and anti‑sandbox checks that cause the implant to exit when analysis tooling is detected. Disco also sends a custom User‑Agent string that mimics a legitimate browser so its beacons blend in with normal web traffic. Two points follow for defenders: RC4 is a symmetric stream cipher, so once the key is recovered from a sample (typically a static string in the binary) captured POST bodies can be decrypted offline, and any two bodies encrypted under the same key leak the XOR of their plaintexts; and a browser‑like User‑Agent on traffic from a server that should never browse the web is itself a usable detection signal.
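The RC4 property described above, as an added example (this is not code from the advisory or from the original page, and nothing here is recovered from a real sample): a plain RC4 implementation, decryption of a captured POST body with a recovered static key, and the keystream‑reuse leak that makes a fixed‑key RC4 channel weak. KEY, BEACON_A and BEACON_B are constructed placeholders.

```python
"""Added example, not from the page or the CISA material it cites.
Shows RC4 as the page says Disco applies it to HTTP POST bodies, and the
two facts a defender cares about: symmetric decryption once the static key
is known, and keystream reuse across beacons under one key."""

# Hypothetical static key, assumed (for illustration only) to be embedded
# in the sample. Not a real recovered key.
KEY = b"example-static-key"

# Constructed beacon bodies standing in for two captured POST payloads.
BEACON_A = b"id=host01;cmd=ls /opt;uid=0"
BEACON_B = b"id=host01;cmd=cat /etc/shadow"


def rc4_keystream(key: bytes):
    """Generator for the RC4 keystream: key-scheduling (KSA) then PRGA."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def decrypt_capture(key: bytes, body: bytes) -> bytes:
    """Decrypt a captured POST body once the key is recovered from the binary."""
    return rc4(key, body)


def keystream_reuse_leak(ct_a: bytes, ct_b: bytes) -> bytes:
    """Two ciphertexts under one static key XOR to the XOR of their plaintexts.
    No key is needed for this; a known or guessed beacon layout then
    recovers bytes of the other message."""
    return xor_bytes(ct_a, ct_b)


if __name__ == "__main__":
    ct_a = rc4(KEY, BEACON_A)
    ct_b = rc4(KEY, BEACON_B)
    print("ciphertext A:", ct_a.hex())
    print("decrypted A: ", decrypt_capture(KEY, ct_a))
    leak = keystream_reuse_leak(ct_a, ct_b)
    print("ct_a ^ ct_b == pt_a ^ pt_b:", leak == xor_bytes(BEACON_A, BEACON_B))
```

In practice the key is pulled from the sample with strings or a debugger, then applied to the POST bodies carved from a PCAP; the keystream‑reuse check needs no key at all and is a quick way to confirm that a C2 channel is using a static stream‑cipher key.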

📜 History & Notable Incidents

First observed in 2020, Disco was deployed in campaigns targeting the aerospace, defense, and technology sectors. A major incident involved the compromise of a European defense contractor in 2021, where Disco was used to exfiltrate engineering documents. No specific CVEs are directly associated with Disco; instead, it relies on social engineering and exploitation of unpatched web servers as initial access vectors. U.S. authorities have publicly attributed the malware to Lazarus Group, though no law enforcement takedowns have been reported.

🔍 Detection Indicators

The page lists the SHA‑256 hash c5a4e3d2f1b0a9c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f3a2b1c0d9e8f7a6b5 as an example taken from the CISA advisory; as printed it is shorter than the 64 hexadecimal characters a SHA‑256 digest requires, so it is not a valid digest and should be checked against the MAR before being loaded into any blocklist. Behavioral signatures include anomalous shell command execution driven by HTTP POST responses, creation of cron entries that run randomly named binaries, and outbound traffic to uncommon ports (e.g., 8443, 9443). Network IOCs include the domain update‑server[.]com and IP addresses in the 5.255.96.0/20 range; both are generic enough that they should be confirmed against current reporting before blocking. A mutex named Global\DiscoMutex has also been reported, but the Global\ prefix is a Windows named‑object convention with no Linux equivalent, so this indicator does not fit an ELF sample and is best treated as unverified.
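An added example (not code from the page or from CISA) that applies the checks above: validating the listed hash, refanging the domain, testing an address against the listed range, and a triage pass over crontab lines for the randomly named binaries the page describes. The crontab content is constructed; the hash, domain, range and ports are copied from this page for checking, not vetted indicators.

```python
"""Added example, not from the page or the CISA material it cites.
IOC hygiene plus a small cron triage pass over constructed crontab lines."""

import ipaddress
import math
import re
from collections import Counter

# Indicators exactly as printed on the page (copied for checking, not vetted).
PAGE_HASH = "c5a4e3d2f1b0a9c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f3a2b1c0d9e8f7a6b5"
PAGE_DOMAIN = "update-server[.]com"
PAGE_RANGE = "5.255.96.0/20"
PAGE_PORTS = {8443, 9443}

# Constructed user crontab: two ordinary entries and two in the style the
# page describes (random-name binaries in world-writable directories).
# 198.51.100.23 is a TEST-NET address, not a real C2.
CRONTAB = """\
# m h dom mon dow command  (constructed, not captured data)
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/backup.sh
@reboot /tmp/.x9fq2lzv >/dev/null 2>&1
*/10 * * * * /dev/shm/kq7wzp -s 198.51.100.23:8443
"""

SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
IP_PORT = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")


def valid_sha256(digest: str) -> bool:
    """A SHA-256 digest is exactly 64 hex characters; anything else is a typo."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", digest) is not None


def refang(indicator: str) -> str:
    """Undo the [.] / hxxp defanging used in reports before matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def ip_in_range(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def name_entropy(name: str) -> float:
    """Shannon entropy of a basename; random names score higher than words."""
    counts = Counter(name)
    n = len(name)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(stem: str) -> bool:
    """Heuristic: 6+ chars, no vowels, reasonably high entropy."""
    return len(stem) >= 6 and not re.search(r"[aeiou]", stem) and name_entropy(stem) >= 2.5


def flag_connection(ip: str, port: int) -> list:
    """Reasons an ip:port in a command line is worth a look."""
    reasons = []
    if ip_in_range(ip, PAGE_RANGE):
        reasons.append(f"destination {ip} in listed range {PAGE_RANGE}")
    if port in PAGE_PORTS:
        reasons.append(f"uncommon egress port {port}")
    return reasons


def cron_command(line: str):
    """Command part of a user-crontab line; None for comments, blanks, env lines."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None
    parts = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
    return parts[-1] if len(parts) in (2, 6) else None


def suspicious_cron_entries(crontab: str) -> list:
    """Return (command, reasons) for entries matching the page's behaviors."""
    hits = []
    for line in crontab.splitlines():
        command = cron_command(line)
        if command is None:
            continue
        exe = command.split()[0]
        base = exe.rsplit("/", 1)[-1]
        reasons = []
        if exe.startswith(SUSPECT_DIRS):
            reasons.append("runs from world-writable dir")
        if base.startswith("."):
            reasons.append("hidden basename")
        if looks_random(base.lstrip(".")):
            reasons.append("random-looking basename")
        for ip, port in IP_PORT.findall(command):
            reasons.extend(flag_connection(ip, int(port)))
        if reasons:
            hits.append((command, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    print("page hash valid:", valid_sha256(PAGE_HASH))
    print("refanged domain:", refang(PAGE_DOMAIN))
    for command, why in suspicious_cron_entries(CRONTAB):
        print(f"SUSPECT {command!r}: {why}")
```

Run against `crontab -l` output per user and the files under /etc/cron.d (which carry an extra user field, so adapt cron_command accordingly); the hash check is the kind of sanity test worth running on any indicator list before it reaches a SIEM.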

☠️ Risk & Impact

Disco gives an operator full remote control of an infected Linux server, enabling theft of intellectual property, source code, and credentials. Financial losses from associated data breaches are described as reaching millions of dollars per incident, although no per‑incident figures are cited; the defense and aerospace sectors are the primary targets. The malware's stealth capabilities allow long‑term persistence, which increases the risk of lateral movement within victim networks, particularly when the compromised server holds credentials or SSH keys for other hosts.

🛡️ Mitigation

Defenders should deploy endpoint detection and response (EDR) on Linux servers and monitor for new cron entries and systemd units, binaries launched from world‑writable directories, and outbound HTTP POST traffic to unknown domains or to uncommon ports. Applying the principle of least privilege, restricting outbound internet access from critical Linux servers to an allow‑listed proxy, and enforcing network segmentation limit what Disco can reach once it is on a host. CISA's MAR‑10315865‑1.v2 report, as cited by the page, provides YARA rules and Snort signatures for detection (source: CISA AA21‑048A); take the rules from the MAR itself rather than from secondary summaries, since the indicators reproduced above are incomplete.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.