27 Unique Malware Deliverables Discovered from Discord CDN Abuse

Published on October 22, 2021
Written by:
Supriyo Chatterji
Supriyo Chatterji
Cybersecurity News Writer

Discord is arguably the most popular VoIP, instant messaging, and digital distribution platform for gaming, animation, and other related entertainment industries. Recent discoveries in cybersecurity have indicated that Discord's 140 million users might be in danger of targeted malware attacks.

Discord users are allowed to sort channel by topic and attach all types of files. This includes images, docs, other files, and even executables. All this data is stored on Discord's Content Delivery Network (CDN) servers. Studies have shown that a lot of these files are malicious in nature, and some channels are created simply to distribute these corrupted files.

RiskIQ aggregated the number of channels and hashes marked as VirusTotal. An investigation included 100 into the malicious content deliverable category. They also detected over eighty files from seventeen malware families, with the most common belonging to trojan families. Most channels will have one file for distributing malicious content.

According to Microsoft's detection and further research, Discord has 27 unique malware families basically divided into four types.

One example is a channel's ID associated with zoom-download[.]ml which prompts users to download a Zoom plugin for MS Outlook but sends over Dcstl password stealer instead. Another channel hosted a Raccoon password stealer file from a Taplink domain which is used for hosting micro landing pages used for directing individuals to Instagram or other social media pages. AsyncRAT backdoor tricks the user into downloading what they believe as Discord Nitro to enhance text chat, voice, and video, but they end up getting infected.

 AsyncRAT hosted on Discord's CDN.


For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: