Hackers are abusing Discord, Slack file-sharing to distribute malware

Links from Slack and Discord may not be as benign as they look.
(Photo by S3studio/Getty Images)

Hackers are increasingly using Slack and Discord to distribute malware to unsuspecting victims, according to Cisco Talos research published Wednesday. 

Suspected cybercriminals have been uploading files to the platforms, which are then stored within the apps’ content delivery networks, resulting in a link to malicious content. Attackers then share the links outside of Slack and Discord — over email or on other chat applications, for instance — allowing hackers to share the link wherever they want.

It’s the kind of workaround that could allows hackers to meet targets where they already are — on platforms they trust and need to conduct business or socialize — which could allow them to boost the success of any social engineering efforts. 

Hackers have long abused people’s trust in chat applications to deliver malware to targets. Hackers previously used Discord to distribute Thanatos ransomware, according to Talos. In recent months, a hacking group that targets victims in the Middle East was caught trying to spread malware to targets by impersonating Telegram and other Android messaging applications, according to ESET research.


In this case, hackers are using legitimate infrastructure that otherwise seems trustworthy, Talos researchers noted.

“By leveraging these chat applications that are likely allowed, they are removing several of those hurdles and greatly increase the likelihood that the attachment reaches the end user,” researchers wrote. “The versatility of having a malicious URL that is hosted on a domain unlikely to get blocked is obviously attractive to malicious actors.”

Earlier this year Slack instituted protections to try to prevent this kind of trickery from duping users and non-users, a company spokesperson said.

“Keeping our customers and their data secure is our top priority at Slack,” the spokesperson said, adding that more protections are in the works. “To further prevent phishing scams and spam, we’re building industry-standard malware protection and link scanning, where malicious activity is automatically prevented. These tools will roll out this Spring.”

A Discord spokesperson said the company is working to proactively identify these kinds of issues.


“Platform security is a priority for us. Discord relies on a mix of proactive scanning – such as antivirus scanning – and reactive reports to detect malware and viruses on our service,” the spokesperson said.

Many emails exploiting this approach in recent months have typically been financially-themed, and aim to trick victims by claiming to contain links to documents that are invoices, purchase orders or fax documents, according to Talos. In fact, the documents usually contain malware.

In some cases, attackers have used the bad links to run multi-stage infections, in which the first piece of malware delivered to targets is used to deliver additional payloads, allowing for multiple phases of an attack to take place. Hackers have, for instance, used such a process to deliver Remcos, a remote access trojan that allows scammers to steal data from their victims, Talos researchers said.

In other cases, Talos researchers have observed hackers using Discord to effectively establish command-and-control communications by using webhooks, which allow them to update specific Discord servers with messages and information. In this case, hackers have been using a webhook functionality, which is a means that apps use to communicate with other technologies, as part of their data exfiltration efforts, according to Talos.

Talos did not name any victims explicitly, but noted that emails containing links leveraging Discord were written in multiple languages, including English, Spanish, French, German and Portuguese.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts