Search results for discord/channel | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have identified several malicious packages across npm, Python, and Ruby ecosystems that leverage Discord as a command-and-control (C2) channel to transmit stolen data to actor-controlled webhooks. Webhooks on Discord are a way to post messages to channels in the platform without requiring a bot user or authentication, making them an attractive mechanism for attackers to exfiltrate data to a channel under their control. "Importantly, webhook URLs are effectively write-only," Socket researcher Olivia Brown said in an analysis. "They do not expose channel history, and defenders cannot read back prior posts just by knowing the URL." The software supply chain security company said it identified a number of packages that use Discord webhooks in various ways - mysql-dumpdiscord (npm), which siphons the contents of developer configuration files like config.json, .env, ayarlar.js, and ayarlar.json to a Discord webhook nodejs.discord (npm...

At least 17 malware-laced packages have been discovered on the NPM package Registry, adding to a  recent barrage of malicious software  hosted and delivered through open-source software repositories such as PyPi and RubyGems. DevOps firm JFrog said the libraries, now taken down, were designed to grab Discord access tokens and  environment variables  from users' computers as well as gain full control over a victim's system. "The packages' payloads are varied, ranging from infostealers up to full remote access backdoors," researchers Andrey Polkovnychenko and Shachar Menashe said in a  report  published Wednesday. "Additionally, the packages have different infection tactics, including typosquatting,  dependency confusion  and trojan functionality." The list of packages is below - prerequests-xcode (version 1.0.4) discord-selfbot-v14 (version 12.0.3) discord-lofy (version 11.5.1) discordsystem (version 11.5.1) discord-vilao (version 1.0.0)...

Cybersecurity researchers have disclosed details of a new Rust-based backdoor called ChaosBot that can allow operators to conduct reconnaissance and execute arbitrary commands on compromised hosts. "Threat actors leveraged compromised credentials that mapped to both Cisco VPN and an over-privileged Active Directory account named, 'serviceaccount,'" eSentire said in a technical report published last week. "Using the compromised account, they leveraged WMI to execute remote commands across systems in the network, facilitating the deployment and execution of ChaosBot." The Canadian cybersecurity company said it first detected the malware in late September 2025 within a financial services customer's environment. ChaosBot is noteworthy for its abuse of Discord for command-and-control (C2). It gets its name from a Discord profile maintained by the threat actor behind it, who goes by the online moniker "chaos_00019" and is responsible for issuin...

A suspected Pakistan-based threat actor has been linked to a cyber espionage campaign targeting Indian government entities in 2024. Cybersecurity company Volexity is tracking the activity under the moniker UTA0137, noting the adversary's exclusive use of a malware called DISGOMOJI that's written in Golang and is designed to infect Linux systems. "It is a modified version of the public project Discord-C2, which uses the messaging service Discord for command and control (C2), making use of emojis for its C2 communication," it said . It's worth noting that DISGOMOJI is the same "all-in-one" espionage tool that BlackBerry said it discovered as part of an infrastructure analysis in connection with an attack campaign mounted by the Transparent Tribe actor, a Pakistan-nexus hacking crew The attack chains commence with spear-phishing emails bearing a Golang ELF binary delivered within a ZIP archive file. The binary then downloads a benign lure document wh...

Cybersecurity researchers have disclosed details of a new distributed denial-of-service (DDoS) attack campaign targeting misconfigured Jupyter Notebooks. The activity, codenamed Panamorfi by cloud security firm Aqua, utilizes a Java-based tool called mineping to launch a TCP flood DDoS attack. Mineping is a DDoS package designed for Minecraft game servers. Attack chains entail the exploitation of internet-exposed Jupyter Notebook instances to run wget commands for fetching a ZIP archive hosted on a file-sharing site called Filebin. The ZIP file contains two Java archive (JAR) files, conn.jar and mineping.jar, with the former used to establish connections to a Discord channel and trigger the execution of the mineping.jar package. "This attack aims to consume the resources of the target server by sending a large number of TCP connection requests," Aqua researcher Assaf Morag said . "The results are written to the Discord channel." The attack campaign has bee...

An ongoing supply chain attack has been leveraging malicious Python packages to distribute malware called W4SP Stealer, with over hundreds of victims ensnared to date. "The threat actor is still active and is releasing more malicious packages," Checkmarx researcher Jossef Harush  said  in a technical write-up, calling the adversary  WASP . "The attack seems related to cybercrime as the attacker claims that these tools are undetectable to increase sales." The findings from Checkmarx build on recent reports from  Phylum  and  Check Point , which flagged 30 different modules published on the Python Package Index (PyPI) that were designed to propagate malicious code under the guise of benign-looking packages. The attack is just the latest threat to target the software supply chain. What makes it notable is the use of steganography to extract a  polymorphic malware  payload hidden within an image file hosted on Imgur. The installation of the pac...

Cybersecurity researchers have discovered a new Java-based "sophisticated" information stealer that uses a Discord bot to exfiltrate sensitive data from compromised hosts. The malware, named  NS-STEALER , is propagated via ZIP archives masquerading as cracked software, Trellix security researcher Gurumoorthi Ramanathan  said  in an analysis published last week. The ZIP file contains within it a rogue Windows shortcut file ("Loader GAYve"), which acts as a conduit to deploy a malicious JAR file that first creates a folder called "NS-<11-digit_random_number>" to store the harvested data. To this folder, the malware subsequently saves screenshots, cookies, credentials, and autofill data stolen from over two dozen web browsers, system information, a list of installed programs, Discord tokens, Steam and Telegram session data. The captured information is then exfiltrated to a Discord Bot channel. "Considering the highly sophisticated functio...

Security, trust, and stability — once the pillars of our digital world — are now the tools attackers turn against us. From stolen accounts to fake job offers, cybercriminals keep finding new ways to exploit both system flaws and human behavior. Each new breach proves a harsh truth: in cybersecurity, feeling safe can be far more dangerous than being alert. Here's how that false sense of security was broken again this week. ⚡ Threat of the Week Newly Patched Critical Microsoft WSUS Flaw Comes Under Attack — Microsoft released out-of-band security updates to patch a critical-severity Windows Server Update Service (WSUS) vulnerability that has since come under active exploitation in the wild. The vulnerability in question is CVE-2025-59287 (CVSS score: 9.8), a remote code execution flaw in WSUS that was originally fixed by the tech giant as part of its Patch Tuesday update published last week. According to Eye Security and Huntress, the security flaw is being weaponized to drop a .N...

Threat actors have published yet another round of malicious packages to Python Package Index (PyPI) with the goal of delivering information-stealing malware on compromised developer machines. Interestingly, while the malware goes by a variety of names like ANGEL Stealer, Celestial Stealer, Fade Stealer, Leaf $tealer, PURE Stealer, Satan Stealer, and @skid Stealer, cybersecurity company Phylum found them all to be copies of  W4SP Stealer . W4SP Stealer primarily functions to siphon user data, including credentials, cryptocurrency wallets, Discord tokens, and other files of interest. It's created and published by an actor who goes by the aliases BillyV3, BillyTheGoat, and billythegoat356. "For some reason, each deployment appears to have simply tried to do a find/replace of the W4SP references in exchange for some other seemingly arbitrary name," the researchers  said  in a report published earlier this week. The 16 rogue modules are as follows: modulesecurity, inform...

The Iranian state-sponsored threat actor known as APT42 has been observed targeting individuals and organizations that are of interest to the Islamic Revolutionary Guard Corps (IRGC) as part of a new espionage-focused campaign. The activity, detected in early September 2025 and assessed to be ongoing, has been codenamed  SpearSpecter by the Israel National Digital Agency (INDA). "The campaign has systematically targeted high-value senior defense and government officials using personalized social engineering tactics," INDA researchers Shimi Cohen, Adi Pick, Idan Beit-Yosef, Hila David, and Yaniv Goldman said. "These include inviting targets to prestigious conferences or arranging significant meetings." What's notable about the effort is that it also extends to the targets' family members, creating a broader attack surface that exerts more pressure on the primary targets. APT42 was first publicly documented in late 2022 by Google Mandiant, detailing its...

Multiple threat actors are weaponizing a design flaw in Foxit PDF Reader to deliver a variety of malware such as Agent Tesla, AsyncRAT, DCRat, NanoCore RAT, NjRAT, Pony, Remcos RAT, and XWorm. "This exploit triggers security warnings that could deceive unsuspecting users into executing harmful commands," Check Point  said  in a technical report. "This exploit has been used by multiple threat actors, from e-crime to espionage." It's worth noting that Adobe Acrobat Reader – which is more prevalent in sandboxes or antivirus solutions – is not susceptible to this specific exploit, thus contributing to the campaign's low detection rate. The issue stems from the fact that the application shows "OK" as the default selected option in a pop-up when users are asked to trust the document prior to enabling certain features to avoid potential security risks. Once a user clicks OK, they are displayed a second pop-up warning that the file is about to execute...

A new botnet called  Dark Frost  has been observed launching distributed denial-of-service (DDoS) attacks against the gaming industry. "The Dark Frost botnet, modeled after Gafgyt, QBot, Mirai, and other malware strains, has expanded to encompass hundreds of compromised devices," Akamai security researcher Allen West  said  in a new technical analysis shared with The Hacker News. Targets include gaming companies, game server hosting providers, online streamers, and even other gaming community members with whom the threat actor has interacted directly. As of February 2023, the botnet comprises 414 machines running various instruction set architectures such as ARMv4, x86, MIPSEL, MIPS, and ARM7.  Botnets are usually made up of a vast network of compromised devices around the world. The operators tend to use the enslaved hosts to mine cryptocurrency, steal sensitive data, or harness the collective internet bandwidth from these bots to knock down other website...

A new deceptive campaign has been observed hijacking GitHub accounts and committing malicious code disguised as Dependabot contributions with an aim to steal passwords from developers. "The malicious code exfiltrates the GitHub project's defined secrets to a malicious C2 server and modify any existing javascript files in the attacked project with a web-form password-stealer malware code effecting any end-user submitting its password in a web form," Checkmarx  said  in a technical report. The malware is also designed to capture GitHub secrets and variables to a remote server by means of a GitHub Action. The software supply chain security firm said it observed the atypical commits to hundreds of public and private GitHub repositories between July 8 and 11, 2023. It has emerged that the victims had their GitHub personal access tokens stolen and used by the threat actors to make falsified code commits to users' repositories by posing as Dependabot. Dependabot  is d...

An unidentified threat actor has been linked to an actively in-development malware toolkit called the "Eternity Project" that lets professional and amateur cybercriminals buy stealers, clippers, worms, miners, ransomware, and a distributed denial-of-service (DDoS) bot. What makes this malware-as-a-service (MaaS) stand out is that besides using a Telegram channel to communicate updates about the latest features, it also employs a  Telegram Bot  that enables the purchasers to build the binary. "The [threat actors] provide an option in the Telegram channel to customize the binary features, which provides an effective way to build binaries without any dependencies," researchers from Cyble  said  in a report published last week. Each of the modules can be leased separately and provides paid access to a wide variety of functions - Eternity Stealer  ($260 for an annual subscription) - An information stealer to siphon passwords, cookies, credit cards, browser cr...

Cybersecurity teams from Microsoft on Saturday disclosed they identified evidence of a new destructive malware operation dubbed " WhisperGate " targeting government, non-profit, and information technology entities in Ukraine amid brewing geopolitical tensions between the country and Russia. "The malware is disguised as ransomware but, if activated by the attacker, would render the infected computer system inoperable," Tom Burt, corporate vice president of customer security and trust at Microsoft, said , adding the intrusions were aimed at government agencies that provide critical executive branch or emergency response functions. Also among those affected by the malware is an IT firm that "manages websites for public and private sector clients, including government agencies whose websites were recently defaced ," Burt noted. The computing giant, which first detected the malware on January 13, attributed the attacks to an emerging threat cluster codenam...

Since at least late 2019, a network of hackers-for-hire have been hijacking the channels of YouTube creators, luring them with bogus collaboration opportunities to broadcast cryptocurrency scams or sell the accounts to the highest bidder. That's according to a new report published by Google's Threat Analysis Group (TAG), which said it disrupted financially motivated phishing campaigns targeting the video platform with cookie theft malware. The actors behind the infiltration have been attributed to a group of hackers recruited in a Russian-speaking forum. "Cookie Theft, also known as 'pass-the-cookie attack,' is a session hijacking technique that enables access to user accounts with session cookies stored in the browser," TAG's Ashley Shen  said . "While the technique has been around for decades, its resurgence as a top security risk could be due to a wider adoption of multi-factor authentication (MFA) making it difficult to conduct abuse, and shif...

Researchers discovered a private Telegram channel-based backdoor in the information stealing malware, dubbed Prynt Stealer , which its developer added with the intention of secretly stealing a copy of victims' exfiltrated data when used by other cybercriminals. "While this untrustworthy behavior is nothing new in the world of cybercrime, the victims' data end up in the hands of multiple threat actors, increasing the risks of one or more large scale attacks to follow," Zscaler ThreatLabz researchers Atinderpal Singh and Brett Stone-Gross  said  in a new report. Prynt Stealer, which  came to light  earlier this April, comes with capabilities to log keystrokes, steal credentials from web browsers, and siphon data from Discord and Telegram. It's sold for $100 for a one-month license and $900 for a lifetime subscription. The cybersecurity firm analysis of Prynt Stealer shows that its codebase is derived from two other open source malware families,  AsyncRAT ...

A new stealthy information stealer malware called Bandit Stealer has caught the attention of cybersecurity researchers for its ability to target numerous web browsers and cryptocurrency wallets.  "It has the potential to expand to other platforms as Bandit Stealer was developed using the Go programming language, possibly allowing cross-platform compatibility," Trend Micro  said  in a Friday report. The malware is currently focused on targeting Windows by using a legitimate command-line tool called  runas.exe  that allows users to run programs as another user with different permissions. The goal is to escalate privileges and execute itself with administrative access, thereby effectively bypassing security measures to harvest wide swathes of data. That said, Microsoft's access control mitigations to prevent unauthorized execution of the tool means an attempt to run the malware binary as an administrator requires providing the necessary credentials. "By usin...