Cybercriminals are now using Discord’s CDN to spread malware

Discord, a popular free voice and text chat app for gamers, has recently been hit with a wave of malvertising attacks which are spreading malware and redirecting users to fake web pages. A recent blog article, authored by a security researcher, detailed how the malicious adverts were injected into the app by using Discord’s Content Delivery Network (CDN).

Discord, a popular online chat program, has recently been the target of a worm that spreads via its code libraries, which are used to allow users to connect to Discord servers and interact with their friends. In a recent blog post on the matter, Discord’s own security staff warned users to be wary of suspicious links appearing on users’ computers, which may be a symptom of a phishing attack.

Discord’s CDN is a free host of websites that offer services such as video hosting, audio hosting, and image hosting. The service serves a huge number of users, allowing it to be an important part of the internet. However, according to a recent report, the service has become a target of cybercriminals. In the report, it was discovered that cybercriminals had started using Discord’s CDN to spread malware to other users, and even to serve as a “Trojanized” JavaScript package.

Because of Discord’s growing popularity, its CDN is being used to host, disseminate, and control malware, such as various ransomware versions, game hacks, identity theft malware, and even adware and fake Android apps.

In a study looking at malware’s usage of TLS, security experts Sean Gallagher and Andrew Brandt discovered that Discord is responsible for about 4% of all malware downloads. As a result, malevolent threat actors are becoming more interested in the service.

Because Discord allows users to send files as chat attachments to its CDN, threat actors can send malware and other dangerous files to be used later.

Cybercriminals are now using Discord's CDN to spread malwareA hoax malware that floods the user’s screen with pop-ups, according to Sophos Labs.

Among other spyware and false programs, Discord’s malware-laden CND includes adware that can steal passwords from particularly hijacked Discord accounts, use Discord Bots to steal information, game cheats/hacks, and even ransomware variations.

Discord runs its own CDN and even offers an API that allows developers to design new methods to communicate with it without having to use the Discord client. Users can also upload files (up to 8MB for free accounts) and have them stored on the CDN.

The issue is that most harmful files or malware pass through Discord’s malware checks and remain there indefinitely until expressly reported or destroyed.

Bots on Discord servers can interact with servers and other apps, making it very easy to accidentally drop someone’s login details in your server.

Sophos Labs found that in the last two months, its products blocked or detected about 140 times the amount of malicious traffic recorded in the same period last year. The business also claimed to have notified Discord’s authorities about 9500 distinct URLs carrying malware on the Discord CDN.

“Misuse of Discord, like abuse of any web-based service, is not a new phenomenon,” the report continued, “but it is a rapidly rising one.”

In the second quarter of this year, about 17,000 distinct malicious URL linkages were detected, according to Sophos Labs research. When the report was published, 4700 of those URLs were still live and referring to a malicious Windows.exe file.

Various identity theft malware was discovered on Discord’s CDN, including the frequently used stealer malware known as Agent Tesla. WinLock, Somhoveran / LockScreen, and Petya, a crypto locker first detected in 2016, are all variations of previous ransomware malware.

Cybercriminals are now using Discord's CDN to spread malwareSophos Labs provided a sample of the Somhoveran ransomware hosted on the Discord CDN.

In addition, the CDN hosts 58 different malicious Android apps, including various banking or finance-related adware or malware. A transparent Metasploit framework meterpreter and a clone of the Anubis banker trojan were inserted in one of the apps. The files were disguised as banking or game-update programs that appeared to be authentic.

In the news: Kaseya has a cure for the ransomware assault that happened weeks ago.


When he’s not writing/editing/shooting/hosting all things tech, he streams himself racing virtual vehicles. Yadullah can be reached at [email protected], or you can follow him on Instagram or Twitter.

Discord’s CDN is a CDN (Content Delivery Network) that essentially acts as a proxy to load the Discord app faster. Unfortunately, this has been used in the past by hackers to serve malware via the Discord app and to distribute ransomware. Although the CDN does not allow for any manipulation of the Discord app, the techniques used to distribute malware are similar to what we have seen in the past.. Read more about discord malware check and let us know what you think.

This article broadly covered the following related topics:

  • discord ransomware
  • discord data breach 2021
  • discord malware check
  • malware
  • discord malware 2021
Greg Baskerville
Greg Baskerville
Gaming Blogger & Musician. Playing games since the Amiga days in the 1980's, and a handy guitarist.

Related Articles

Popular Articles