The number of URLs hosting malware on Discord's CDN increased by 140% year-on-year during the second quarter of 2021, according to Sophos.
Threats include information stealing malware, spyware, backdoors, and ransomware resurrected as 'mischiefware.'
"Discord provides a persistent, highly-available, global distribution network for malware operators, as well as a messaging system that these operators can adapt into command-and-control channels for their malware – in much the same way attackers have used Internet Relay Chat and Telegram," said Sophos senior threat researcher Sean Gallagher.
Discord's vast user base also provides an ideal environment for stealing personal information and credentials through social engineering.
"These scams are not harmless – we found one malware that can steal private images from the camera on an infected device, as well as ransomware from 2006 that the attackers have resurrected to use as 'mischiefware.' The mischiefware denies victims access to their data, but there's no ransom demand and no decryption key.
"Further, adversaries have caught on that companies increasingly use the Discord platform for internal or community chat in the same way they might use a channel like Slack. This provides attackers with a new and potentially lucrative target audience, especially when security teams can't always inspect the Transport Layer Security-encrypted traffic to and from Discord to see what's going on and raise the alarm if needed.
"Discord users, whoever they are and whatever they use the platform for, should remain vigilant to the threat of malicious content that's lurking within the service and not just leave it to the Discord platform to identify and remove suspicious files. In addition, IT security teams should never consider any traffic from an online cloud service as inherently 'safe' based on the trusted nature or legitimacy of the service itself. Adversaries could be hiding anywhere."
Malware distributed via Discord is often disguised as gaming-related tools and cheats, but may also purport to be cracked versions of popular commercial software such as Photoshop.
The most common type of malware aims to steal information from victims. That includes password hijacking, keystroke logging, and image capturing from the screen or camera.
Android malware distributed this way includes code designed to steal access to online bank accounts and cryptocurrency.
Sophos recommends that organisations using Discord for work purposes adopt multi-factor authentication, ensure all devices used for work purposes have up-to-date malware protection, and use security products such as Sophos Intercept X and Sophos Firewall that can respectively detecting the actions and behaviors of malware, and inspect TLS-encrypted traffic.
Sophos also advises consumers to install a security solution such as Sophos Home on the devices that they and their families use for online communications and gaming, and to avoid downloading and installing unlicensed software from any source.
More details about Sophos' Discord research can be found here.