A new malware is targeting Discord users by modifying the Windows Discord client so that it is transformed into a backdoor and an information-stealing Trojan. The malware will then terminate and restart the Discord app in order for the new JavaScript changes to be executed.

Once started, the JavaScript will execute various Discord API commands and JavaScript functions to collect a variety of information about the user that is then sent via a Discord webhook to the attacker. After sending the information, the Discord malware will execute the fightdio() function, which acts as a backdoor.

While it is not known for certain how the malware spreads, researchers think the attacker is using Discord messaging to distribute it. If the installer is detected and removed, the modified Discord files remain infected and continue to be executed each time you start the client.

How to see if you're infected

To check whether you are infected, open the following file in notepad.exe: %AppData%\Discord\[version]\modules\discord_modules\index.js

Confirm that the file contains only "module.exports = require('./discord_modules.node');".

Also check %AppData%\Discord\[version]\modules\discord_desktop_core\index.js to ensure it contains only the string "module.exports = require('./core.asar');".

*You will have to enable "view hidden folders" on Windows in order to see the AppData folder.

If either of these files displays something else, you should uninstall and reinstall the Discord client.
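
The same check can be scripted across every installed client version. The PowerShell below is an added example, not code from the original article or from Discord; it assumes the default per-user install under %AppData%\Discord and ignores surrounding whitespace when comparing file contents.

```powershell
# Added example: compares the two index.js files named in the article with the
# single line each is expected to contain. Reads files only; changes nothing.
# Assumption: default per-user install location (%AppData%\Discord).
$discordRoot = Join-Path $env:APPDATA 'Discord'

# Path below each [version] folder -> the only content the file should have.
$expected = [ordered]@{
    'modules\discord_modules\index.js'      = "module.exports = require('./discord_modules.node');"
    'modules\discord_desktop_core\index.js' = "module.exports = require('./core.asar');"
}

$results = @()
if (Test-Path -LiteralPath $discordRoot -PathType Container) {
    # -Force also lists hidden folders; subfolders that are not client
    # versions simply lack the files and are skipped.
    foreach ($dir in Get-ChildItem -LiteralPath $discordRoot -Directory -Force) {
        foreach ($rel in $expected.Keys) {
            $file = Join-Path $dir.FullName $rel
            if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { continue }

            # -Raw returns the whole file as one string ($null if empty).
            # Assumption: surrounding whitespace and newlines are ignored.
            $text = ([string](Get-Content -LiteralPath $file -Raw)).Trim()
            $results += [pscustomobject]@{
                Status = if ($text -ceq $expected[$rel]) { 'OK' } else { 'MODIFIED' }
                Chars  = $text.Length
                File   = $file
            }
        }
    }
}

if ($results.Count -eq 0) {
    Write-Warning "Neither index.js file was found under $discordRoot"
} else {
    $results | Format-Table -AutoSize -Wrap
    if ($results.Status -contains 'MODIFIED') {
        Write-Warning 'Unexpected content found: uninstall and reinstall the Discord client.'
    }
}
```

A MODIFIED row with a large Chars value means the file holds more than the single expected line, which is the condition the manual check looks for.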
