Sophos uncovers how cybercriminals use Discord to spread malware

According to the latest report of security firm Sophos, cybercriminals have been using the Discord Content Management Network to spread malware.

Sophos discovered how cybercriminals have been milking the Discord URLs which according to the security researchers has increased by 140% compared to the same period in 2020. The cybercriminals used a variety of malicious software which include information-stealing malware, spyware, and backdoors. They even repurposed ransomware and named it “mischiefware.”

“Discord provides a persistent, highly-available, global distribution network for malware operators, as well as a messaging system that these operators can adapt into command-and-control channels for their malware – in much the same way attackers have used Internet Relay Chat and Telegram,” said Sean Gallagher, senior threat researcher at Sophos. “Discord’s vast user base also provides an ideal environment for stealing personal information and credentials through social engineering.”

Keep ransomware at bay with Sophos Managed Threat Response

Sophos uncovers over a hundred fake Android, iOS trading and cryptocurrency apps

The researchers also warned of malware that can steal private images from the infected device.

With the gaming industry growing bigger and bigger, the criminals found a new scheme to target gamers. They offer cheats — using popular games Fortnite, Grand Theft Auto, Minecraft, and Roblox — that when opened will infect the device. They also exploit the gamers’ appetite for more games by offering “a chance to test a game.”


According to Sophos, 35% of the malware it detected came from information stealers with 10% coming from the “Bladabindi” family of information-stealing backdoors. There are incidents the security company discovered wherein the criminals use token loggers to specifically target Discord users. Once the password is compromised, they could easily get into the victim’s device.

A modified Minecraft installer is actually spyware which installs a “mod” called Saint. Similar to keyloggers, the spyware can capture keystrokes and screenshots and steal camera images.

The repurposed ransomware, backdoors, Android malware packages include several types of Windows ransomware being spread by attackers that block access to data without making a ransom demand or offer victims the chance to get a decryption key.

Transport Layer Security-encrypted traffic

“Adversaries have caught on that companies increasingly use the Discord platform for internal or community chat in the same way they might use a channel like Slack,” Gallagher said. “This provides attackers with a new and potentially lucrative target audience, especially when security teams can’t always inspect the Transport Layer Security-encrypted traffic (TLS) to and from Discord to see what’s going on and raise the alarm if needed.”

Sophos advises Discord users to remain vigilant and be wary of any suspicious and malicious threats.

“IT security teams should never consider any traffic from an online cloud service as inherently ‘safe’ based on the trusted nature or legitimacy of the service itself,” Gallagher said. “Adversaries could be hiding anywhere.”

Categories: Uncategorized

Tagged as: , , , , , ,