Latest Threat Research: LetMeowIn – Analysis of a Credential Dumper

Get Informed


New NitroHack Malware Found Infecting Discord Users

Users of the Discord chat client for Windows have yet another malware to look out for with NitroHack. This malware serves itself up as an offer to receive the premium Nitro subscription on Discord, but instead it aims to steal user tokens and saved payment card information and then continue spreading itself by sending direct messages to other Discord users. If a user clicks on a malicious link offering the Discord Nitro premium service, NitroHack modifies a JavaScript file that is part of the Discord client, located at the path “%AppData%\Discord.0.306modulesdiscord_voiceindex.js” and attaches malicious code to the bottom of it. Once the client is modified, the malware has achieved persistence and will steal tokens that are then sent to the attacker’s Discord channel every time the victim runs the Discord client. These tokens allow the attacker to take over the victim’s account. Researchers believe that while some anti-virus software may detect the NitroHack executable, it is likely to not catch the JavaScript client modification which will stay active until a new Discord update causes it to be replaced.

Analyst Notes

Discord users who are concerned they may be infected with the malware can open %AppData%\Discord.0.306modulesdiscord_voiceindex.js on Notepad and make sure there are no additions to the bottom of it. If the file is unmodified, the last line of code will be module.exports = VoiceEngine;. Any code found after that line that refers to contentWindow.localStorage is likely to be malicious. If a user finds that they are infected by NitroHack, the only way to remove it is to remove the added code from the index.js file manually or to completely uninstall the Discord client and then reinstall it.