Java Stealer Hijacks Discord for Secret Theft

Trellix, a cybersecurity firm, has unveiled a new sophisticated Java-based tool for information theft, employing a Discord bot to pilfer confidential data from compromised hosts.

Named NS-STEALER, the malware disseminates via ZIP archives, masquerading as cracked software. The ZIP file harbors a malicious Windows shortcut file (“Loader GAYve”), serving as a conduit for deploying a malicious JAR file. This file initially creates a folder named “NS-<11-digit_random_number>” to store the harvested data.

Into this folder, the malicious program subsequently saves screenshots, cookie files, credentials, and autofill data pilfered from over 20 web browsers, system information, a list of installed programs, Discord tokens, Steam session data, and Telegram. The amassed information is then transmitted to a Discord bot channel.

Researchers highlighted the malware’s intricate function for gathering sensitive information and its use of X509Certificate to support authentication, enabling rapid theft of information from victim systems via the Java runtime environment. The Discord bot channel, acting as an EventListener for receiving filtered data, also proves effective within the campaign’s framework.