Concerned about recent PAN-OS and other firewall/VPN CVEs? Take advantage of Zscaler’s special offer today

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Discord CDN: A Popular Choice for Hosting Malicious Payloads

February 09, 2021 - 10 min read


Since the onset of the pandemic, the internet has become a central part of our lives. People of all ages turned online for school and work, to stream videos, to play video games, have virtual get-togethers, shop, talk to their doctor, and engage in any number of other activities.

During 2020, research showed a sharp increase in game downloads, and this activity did not go unnoticed by cybercriminals. Attackers have often exploited the popularity of certain games (Among Us was a recent example) to lure players into downloading fake versions that served malware. Recently, the Zscaler ThreatLabZ team noticed new campaigns in which cybercriminals are targeting gamers.

The key findings of our research include:

  • Multiple campaigns relying on the service for their infection chain.
  • Cybercriminals are using Discord CDN to host malicious files as well as for command-and-control (C&C) communication.
  • Malicious files are renamed as pirated software or gaming software to trick gamers.
  • File icons are also related to gaming software to trick gamers.
  • Multiple categories of malware are being served through the Discord app’s CDN infrastructure - ransomware, stealers, and cryptominers.

The attack usually starts with spam emails in which users are tricked with legitimate-looking templates into downloading next-stage payloads. It’s worth noting, however, that using Discord to host payloads is not new. This campaign uses Discord services to form a URL to host malicious payloads as follows:


Figure 1: Malicious files blocked in the Zscaler cloud served via

Technical Analysis

Discord is a chat application that allows users to chat with each other in real time. Users can communicate with voice calls, chat messages, and video calls as well as send files to one another. But attackers also use Discord, often to distribute malicious files and steal information. This CDN service was actually started as a content distribution network for serving static content to users, but it has revealed some considerable risks. For example, an attacker can upload a malicious file on a Discord channel and share its public link with others—even non-Discord users can download it. Worse, a file sent from Discord is there forever, so even if an attacker deletes a file within Discord, its link can still be used to download the malicious file. 



Figure 2: Infection chain of different malware on

We have seen multiple payloads being used in recent campaigns, primarily consisting of these four:

  1. Epsilon ransomware
  2. Redline stealer
  3. XMRig miner
  4. Discord token grabbers

Epsilon Ransomware

(MD5: f509bd9e1fbd7721c95d0d19ba317b03)

We have analyzed the Epsilon ransomware loader in which execution starts with dropping an .inf file and .exe file in the Windows/Temp folder.

The dropped payload performs the following actions upon execution. 

Payload functionality

Figure 3: Payload functionality

  • persistence() - Establishes persistence on the victim machine
  • encryptionStage() - Encrypt files
  • wallpap() - Download ransom image from Discord
  • extract() - Download ransom note from Discord
  • sapi() - Display ransom note
  • x3() - Delete shadow copy(Recovery File)
  • clearmem() - Clean Memory
  • Exit() - Quit application

The malware establishes persistence by creating the follow registry key on the victim's machine:

Run key entry for persistence

Figure 4: Run key entry for persistence

It will enumerate through the the system drives to encrypt the files using double encryption. First, it encrypts the files with AES encryption using a randomly generated 32-bit key. Then, those encrypted files will again be encrypted with the RC4 algorithm with a randomly generated 256-bit key.

Searching Drives for file encryption

Figure 5: Searching drives for file encryption

The custom AES algorithm using 256-bit encryption.

Figure 6: Custom AES algorithm

It also uses custom RC4 encryption that has a 2048-bit variable-length key, whereas actual RC4 encryption uses a 256-bit variable-length key. 


Figure 7: Custom RC4 algorithm

It downloads the ransom note image from the link to show on the victim’s machine upon successful encryption.
hta file

Figure 8: Downloading READ_ME.hta file

The ransom note contains an email ID EpsilonCrypt@tutanota[.]com to communicate with the attacker for further information on payment and decryption key/software. There is no C&C used by this ransomware variant.
ransomware note

Figure 9: Epsilon ransomware note with email ID to contact attacker

The ransomware deletes the shadow copies as well as the catalog to prevent victim from recovering the original files which are now encrypted.

Deleting Shadow copy and catalog

Figure 10: Deleting shadow copy and catalog


Redline Stealer

(MD5: 67A29EF483B6A9485269D5B15A900119)

The next file we saw during our analysis is a Redline stealer. This stealer has been available on Russian underground forums since the first quarter of 2020 and is fairly new. It’s available as a standalone application and on a subscription basis with prices ranging from $100 to $300, depending upon the version and capabilities. We have seen multiple samples of the Redline stealer blocked in the Zscaler cloud sandbox, and below is our analysis of a recent sample written in .NET.

Redline Stealer Functionalities

  • Collects login and passwords, cookies, autocomplete fields, credit cards
  • Data collection from FTP clients, IM clients
  • Customizable file-grabber based on path, extension
  • Customizable to not work in a country that is on a denylist
  • Collects information from the victim's machine: IP, country, city, current username, HWID, hardware information (video cards, processors), screenshot, screen resolution, keyboard layout, operating system, UAC settings, administrative privileges, user-agent, installed antiviruses
  • Downloads file from the URL to a specified location on the victim's machine
  • Process injection 
  • Download and execute the file
  • Supports all browsers based on Chromium
  • Supports all Gecko-based browsers

Execution starts with dropping a copy of itself into the AppData/Roaming folder. Unpacked binary shows the author making use of several popular gaming application names for internal functions.

Parent file disguised as Gaming File

Figure 11: Redline stealer .NET function names using popular gaming applications.

The stealer is capable of collecting data form several FTP and IM clients installed on the victim's machine as seen below:

igure xx: Data collection from FTP clients, IM clients

Figure 12: Data collection from FTP clients, IM clients

Figure 13 shows a module that is responsible for collecting information from browsers, such as stored cookies and credit card information.

Stealing Credit card info

Figure 13: Stealing credit card info

In addition to the functions to grab data from browser, FTP, and IM clients, the malware also steals victim's cryptocurrency wallet and collects victim's geolocation, hardware information, and Client IP address. 

SOAP over HTTP for C&C

Redline stealer uses SOAP over HTTP for C&C communication. The malware is developed in .NET framework where the use of SOAP becomes very easy and also provides the additional advantage of being independent of an underlying protocol.
Figure xx: Getting Config setting from CnC

Figure 14: Getting config setting from C&C

All the data being collected according to configuration settings is sent back to the C&C server.
Sending stolen client info

Figure 15: Sending stolen client info

After sending the collected data to the C&C server, the stealer is tasked with downloading and executing additional payloads based on the victim's machine information.

Gets a Task from CnC server.

Figure 16: Receiving a task from the C&C server

The remote task action module is used to download and execute the files as instructed by the C&C server.

Remote Task Action

Figure 17: Remote task action

XMRig miner


The next malware we have been seeing in this ongoing campaign is XMRig miner. The miner’s execution starts by dropping a copy of itself at


The malware also changes the file permissions using the following command:

  • %ProgramData%\RealtekHDUpdater" & ATTRIB +h +s +r
  • %ProgramData%\RealtekHDUpdater\cuda-helper.dll"& ATTRIB +h +s +r
  • %ProgramData%\RealtekHDUpdater\nvrtc-builtins64_100.dll"& ATTRIB +h +s +r 

This is done to use the miner capabilities without user permissions.

The malware connects to C&C server using the following command:

  • Cmd open (class="de1">)(.*)(</div></li>).https://pastebin(.)com/VKRXfjxX, which yields

Notice the usage of PasteBin URL to store the C&C server location.

The malware then creates a scheduled task:

  • /CREATE/SC MINUTE /MO 1/TN "Realtek Updater"

The miner also tries to delete some programs that can be used to detect the miner or impact its efficiency, such as games.

The following is the list of programs the miner tries to delete:

Process Hacker, Task Manager, Windows, Windows Task Manager, AnVir Task Manager, Taskmgr.exe, taskmgr.exe, procexp64.exe, procexp32.exe, perfmon.exe, procmon.exe, csgo.exe, dota2.exe, RainbowSix_Vulkan.exe, RainbowSix.exe, FortniteClient-Win64-Shipping.exe, EscapeFromTarkov.exe, Rust.exe, VALORANT.exe, Overwatch.exe, gta_sa.exe, GTA5.exe, Radeon, NVIDIA GeForce

After this, the miner is launched using the following Monero address:



Discord token grabbers


Cloud apps have become a mainstay for gamers just as they have for business and individual users. Cloud apps are great for interactivity, but they can also be leveraged for malicious attacks. The Discord token grabber is a broad term used to describe attacks that use Discord tokens to steal user information.

In this case, the stealer uses Discord app to steal data from the user and send it to a predetermined C&C server. Below is the screenshot of token grabber code extracted from a recent payload:

Stealer code

Figure 18: Stealer code

Here, the program collects user information, for example, Environment.UserName, and sends it over using a webhook defined in the dcWebHook.WebHook variable.

Json when the URI is visited

Figure 19: JSON response when the URI is visited


(MD5: 2c178066d48d69dd56923343d338a376)

This is a known stealer that uses Discord tokens to steal and send user data to its C&C. This stealer both spreads and communicates through Discord app, using Discord URLs for attachments like cdn[.]discordapp[.]com/attachments/[0-9]{18}/[0-9]{18}/Nameofattachment.rar.

The name of the attachment can vary from being the name of a software application used by most users or cracked versions of games or tools, such as Discord Server Tool.exe, Galaxy Security Panel.exe, Vron Software.exe, CrackHub 2021.exe, or Vape V4 Cracked.exe.

TroubleGrabber fetches payloads from https://github[.]com/Itroublve/Token-Browser-Password-Stealer-Creator to begin its next stage after being executed in the victim's machine.

These files are as follows:






The malware payloads observed in these campaigns were successfully blocked by the Zscaler Cloud Sandbox.

Zscaler Cloud Sandbox report of Epsilon Ransomware

Figure 20: Zscaler Cloud Sandbox report of Epsilon ransomware

Zscaler Cloud Sandbox report of Redline Stealer

Figure 21: Zscaler Cloud Sandbox report of Redline stealer

Zscaler Cloud Sandbox report of XMRig miner

Figure 22: Zscaler Cloud Sandbox report of XMRig miner







Discord is primarily a chatting platform built for gamers and is becoming increasingly popular among other professional communities for sharing information. We’re observing an increase in the usage of the Discord app to deliver malicious files by attackers. Due to the static content distribution service, it is highly popular among threat actors to host malicious attachments that remain publicly accessible even after removing actual files from Discord. 

The Zscaler ThreatLabZ team will continue to monitor Discord-based malware campaigns to share the information with the community and to keep our customers safe.








Valid Accounts

It uses valid account to access email 


File Deletion

Self delete


User Execution

User interaction


Conduct social engineering

Uses social eng to install payload


Service Stop

Stop critical services


Steal Application Access Token

Steal access token for valid account


Inhibit System Recovery 

Delete shadow copies on a system


File Directory Permissions Modification

Change directory permission to hide its file 


Credentials from password store

Steal stored password



Keylog of infected machine 


Process Injection

Inject code into other process


Indicators of Compromise 


Malware Name

Malicious URLs / C&C


Epsilon Ransomware



Epsilon Ransomware



Epsilon Ransomware



Redline Stealer



Redline Stealer



XMRig Miner



XMRig Miner



XMRig Miner



XMRig Miner



Trouble Grabber



Discord Token Grabbers


form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.