
Cybercriminals are now using Discord’s CDN to spread malware

Discord’s rise in popularity is also causing its CDN to be used for hosting, spreading and controlling malware, including several ransomware variants, game hacks, identity theft malware and even spyware and fake apps for Android phones.

In the course of a study investigating the use of TLS by malware, security researchers Sean Gallagher and Andrew Brandt found that roughly four per cent of all malware downloads come from Discord. As a result, the service has become a growing point of interest for malicious threat actors.

Since Discord allows users to upload files to its CDN as message attachments, threat actors can upload malware and other malicious files there for later use.

A prank malware that fills the user’s screen with pop-ups. | Source: Sophos Labs.

Discord’s malware-laden CDN hosts malware that steals passwords, specifically from hijacked Discord accounts, malware that leverages Discord bots to exfiltrate information, game cheats and hacks, and even ransomware variants, alongside other spyware and fake apps.

What’s the play here?

Discord operates its own CDN and even offers an API that lets developers build new ways of interacting with the CDN without necessarily going through the Discord app. The service also lets users upload files (up to 8MB for free accounts) and stores them on the CDN.

The problem is that most malicious files slip past Discord’s malware checks and then stay on the CDN indefinitely unless they are explicitly reported or deleted.
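As an added illustration of the detection a defender would want for the behaviour described above (this is example code, not from the Sophos report or from Discord), the following Python flags proxy-log requests for Discord CDN attachments whose filename carries an executable extension, such as the Windows .exe and Android app files the report describes. The log lines and attachment IDs are constructed samples; the host cdn.discordapp.com and its /attachments/ path are Discord’s real CDN layout, and the extension list is an assumption.

```python
import re
from collections import Counter

# Constructed sample proxy log lines (hypothetical; not taken from the report).
# Fields: timestamp, client IP, method, URL, HTTP status, bytes transferred.
SAMPLE_LOG = """\
2021-07-22T10:01:03Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/1111/2222/photo.png 200 48211
2021-07-22T10:02:17Z 10.0.0.9 GET https://cdn.discordapp.com/attachments/3333/4444/invoice_update.exe 200 913120
2021-07-22T10:03:40Z 10.0.0.9 GET https://cdn.discordapp.com/attachments/5555/6666/bank-app.apk 200 2408110
2021-07-22T10:04:02Z 10.0.0.7 GET https://example.com/downloads/setup.exe 200 51203
2021-07-22T10:05:11Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/7777/8888/Notes.TXT 200 1200
"""

# Real Discord CDN host and attachment path layout; the numeric IDs are channel and
# attachment identifiers. The query string (if any) is excluded from the file name.
DISCORD_ATTACHMENT = re.compile(
    r"^https://cdn\.discordapp\.com/attachments/\d+/\d+/(?P<name>[^\s?#]+)", re.I)

# Assumed watch-list: executables the report calls out plus common dropper formats.
RISKY_EXTENSIONS = {".exe", ".dll", ".scr", ".apk", ".msi", ".bat", ".ps1", ".jar"}

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None

def flag_discord_executables(log_text):
    """Return (client, url) pairs for Discord CDN attachments with a risky extension."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        m = DISCORD_ATTACHMENT.match(rec["url"])
        if not m:
            continue
        name = m.group("name").lower()          # case-insensitive extension match
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            hits.append((rec["client"], rec["url"]))
    return hits

def per_client_counts(hits):
    """Count flagged downloads per client so repeat offenders stand out for triage."""
    return Counter(client for client, _ in hits)

if __name__ == "__main__":
    for client, url in flag_discord_executables(SAMPLE_LOG):
        print(f"{client} fetched {url}")
```

Only requests to Discord’s CDN are flagged, so the .exe served from example.com is left to other rules; the .png and the upper-case .TXT attachment are correctly ignored.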

Discord servers host bots that can interact with servers and other apps, which makes it extremely easy to casually drop someone’s stolen login credentials into a server.

Sophos Labs reported that in the past two months, its products had blocked or detected almost 140 times as much malicious Discord traffic as in the same period last year. The company also said it had reported 9500 unique URLs hosting malware on the Discord CDN to Discord.

“Abuse of Discord, like abuse of any web-based service, is not a new phenomenon, but it is a rapidly growing one”, the report added.

Games of all kinds for gamers of all kinds

According to the Sophos Labs report, roughly 17,000 unique malware URLs were discovered in the second quarter of this year. 4700 of those URLs were still active and pointing to a malicious Windows .exe file when the report was published.

The malware found on Discord’s CDN includes various identity theft malware, among it the widely used stealer known as Agent Tesla. There are also variants of older ransomware such as WinLock, Somhoveran / LockScreen and Petya, a crypto locker first seen in 2016.

An example of the Somhoveran ransomware hosted on the Discord CDN. | Source: Sophos Labs

The CDN also hosts 58 unique malicious Android apps, including several banking- or finance-focused spyware or malware samples. One of the apps even included a transparent Metasploit framework meterpreter and a copy of the Anubis banking trojan. The files were disguised as legitimate-looking banking or game-updating apps.
