
JAVA-Based Sophisticated Stealer Using Discord Bot as EventListener

Executive Summary:

In mid-November 2023, Trellix Advanced Research Center team members observed a Java-based stealer being spread through cracked-software ZIP files. The stealer uses the JDABuilder class to create and register an EventListener instance, and it uses a Discord bot channel as that EventListener.

Delivery Mechanism:

Figure 1: Infection Mechanism

Threat Analysis:

The Malicious ZIP File #1:

Let’s inspect the zip file to see what we have:

Figure 2: Inspecting the ZIP

The LNK File #2:

While inspecting the LNK file, we found that it launches one of the JAR files through cmd.exe.

Figure 3: Inspecting LNK file.

The Malicious JAR File #3:

Main class “org.reallyworld.proverka.CheatDetector”.

The first thing the malware does is create a folder named “NS-<11-digit_random_number>” for storing the exfiltrated data, which is later zipped.

Figure 4: Creating NS-<11_random_num>



Next, the threat captures a screenshot of the active window using the “GraphicsEnvironment.getLocalGraphicsEnvironment” API.

Figure 5: Taking screenshot.


The malware steals cookies from the supported browsers listed below:

  • Opera Stable
  • Opera GX Stable
  • Microsoft Edge
  • Google Chrome & Beta
  • Comodo Dragon
  • Epic Privacy Browser
  • CocCoc Browser
  • uCozMedia Uran
  • Mail.Ru Atom

#Cookies & Autofill:

Figure 6: Cookies Export

The malware supports certain browsers, including Chrome, Edge, Opera, etc. It locates the cookie databases by searching the “\Cookies” and “\Network\Cookies” folders, queries them through the JDBC driver with “select * from cookies;”, and then decrypts the “encrypted_value” field, which holds the secret in encrypted form, using the “Crypt32Util.cryptUnprotectData” API.

Figure 7: Querying for cookies

The details crawled from the cookies include:

  • host_key (domain)
  • is_httponly
  • path
  • is_secure
  • expires_utc
  • name
  • decrypted_password

It also crawls for Autofill credentials, which users often save so they do not have to type their details every time they visit a site. These are queried with “select * from autofill;” after searching the “\Web Data” folder for the autofill database. The details crawled from Autofill include “name, value, count”.

Figure 8: Querying for Autofill

#Credentials (username, password):

Usernames and passwords are exfiltrated from the supported browsers’ “Login Data” database, queried with “select * from logins;”, where all the stored usernames and passwords reside.

Figure 9: Querying for credentials.


The malware fetches various information, such as:

  • OS Name & Arch
  • JAR file path
  • System Username
  • IP Address
  • System Time zone
  • Monitor's screen size
  • System's language and located country

Figure 10: System Info.

#Installed Programs:

The threat also looks for programs installed on the victim’s machine through the registry sub-path “SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\**\DisplayName” under both HKLM and HKCU.

Figure 11: Installed Programs


The malware looks specifically for Discord tokens, filtering on “roaming” and “discord”, in the “\User Data\Default\Local Storage\leveldb” database where the session tokens are stored.

Figure 12: Discord tokens


The Telegram and Steam sessions are hijacked after checking a file path and a registry key path, respectively. Telegram sessions are crawled only if “%appdata%\Telegram Desktop\Telegram.exe” exists on the system. Steam sessions are searched only if the registry path “HKCU\SOFTWARE\Valve\Steam” exists.

Figure 12.1: Telegram sessions

Figure 12.2: Steam sessions

Zipping all the Data #4:

Once all the information has been collected into the folder “%LOCALAPPDATA%\NS-<11-digit_random_number>”, the malware calls a zip routine that archives the folder as “%LOCALAPPDATA%\NS-<11-digit_random_number>.zip”, the file we found earlier. Once the zip function completes, the folder is deleted from that location.

Figure 13: Zipping the folder

Sending data to Discord Bot #5:

The final stage of this malware is to send the zip file containing all the collected data to the Discord bot channel with ID “1135690821988012052”, posting the title “***@here NS-STEALER*** $$$” and then uploading the zip file.

Figure 14: Sending data to Discord Bot
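As an added example, not code from the original analysis or from the malware, the following Python triage script applies the traits described above (the %LOCALAPPDATA%\NS-<11-digit> staging folder and its .zip, a JAR launched through cmd.exe, and the Java process contacting Discord) to constructed Sysmon-style events. The event format, file paths and the Discord host names are assumptions made for the example, not values from the post.

```python
import re

# Constructed Sysmon-style events in a simplified "Key=Value|Key=Value" form
# (not real telemetry); the paths and the 11-digit number are made up.
SAMPLE_EVENTS = [
    "EventType=ProcessCreate|Image=C:\\Windows\\System32\\cmd.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=cmd.exe /c java -jar .\\setup.jar",
    "EventType=ProcessCreate|Image=C:\\Program Files\\Java\\jre\\bin\\java.exe"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=java -jar .\\setup.jar",
    "EventType=FileCreate|Image=C:\\Program Files\\Java\\jre\\bin\\java.exe"
    "|TargetFilename=C:\\Users\\alice\\AppData\\Local\\NS-48213975620\\screenshot.png",
    "EventType=FileCreate|Image=C:\\Program Files\\Java\\jre\\bin\\java.exe"
    "|TargetFilename=C:\\Users\\alice\\AppData\\Local\\NS-48213975620.zip",
    "EventType=NetworkConnect|Image=C:\\Program Files\\Java\\jre\\bin\\java.exe"
    "|DestinationHostname=gateway.discord.gg",
    "EventType=FileCreate|Image=C:\\Windows\\explorer.exe"
    "|TargetFilename=C:\\Users\\alice\\Documents\\notes.txt",
]

# Staging folder or archive: %LOCALAPPDATA%\NS-<11 digits>\... or NS-<11 digits>.zip
NS_STAGING = re.compile(r"\\AppData\\Local\\NS-\d{11}(\\|\.zip$)", re.IGNORECASE)
# A JAR started with "java -jar" (the campaign's LNK runs one through cmd.exe)
JAR_LAUNCH = re.compile(r"\bjava(w)?(\.exe)?\b.*\s-jar\s", re.IGNORECASE)
# Assumption: Discord API/gateway hosts; the post names only the bot channel, not a host.
DISCORD_HOST = re.compile(r"(^|\.)discord\.(com|gg)$", re.IGNORECASE)

def parse_event(line):
    """Split one constructed event line into a dict (first '=' separates key from value)."""
    return dict(field.split("=", 1) for field in line.split("|"))

def findings(lines):
    """Return (rule, evidence) tuples for events matching the stealer's traits."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        kind = ev.get("EventType", "")
        image = ev.get("Image", "").lower()
        parent = ev.get("ParentImage", "").lower()
        if kind == "FileCreate" and NS_STAGING.search(ev.get("TargetFilename", "")):
            hits.append(("ns_stealer_staging_path", ev["TargetFilename"]))
        elif kind == "ProcessCreate" and parent.endswith("\\cmd.exe") \
                and JAR_LAUNCH.search(ev.get("CommandLine", "")):
            hits.append(("cmd_launched_jar", ev["CommandLine"]))
        elif kind == "NetworkConnect" and image.endswith("\\java.exe") \
                and DISCORD_HOST.search(ev.get("DestinationHostname", "")):
            hits.append(("java_to_discord", ev["DestinationHostname"]))
    return hits

if __name__ == "__main__":
    for rule, evidence in findings(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

Any one rule alone is noisy (developers run JARs from cmd.exe, and legitimate Java apps talk to Discord); the useful signal is the staging path rule, or several rules firing for the same java.exe process.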


Considering its highly sophisticated gathering of sensitive information and its use of X509Certificate for supporting authentication, this malware can quickly steal information from victim systems that have a JRE installed. Using a Discord bot channel as an EventListener for receiving exfiltrated data is also cost-effective. Discord webhook bots are increasingly used by threat actors for stealer activity and to form a URL for sending messages. Taking all of this into account, this threat will likely spread further in the wild, with additional users falling victim.



Discord Bot Channel’s ID:


JAR Package Name:


Trellix HX Detections:


Protecting Against These Threats:

  • Avoid proxy software as it may contain additional scripts leading to these attacks.
  • Use strong cyber security solutions to ensure you are protected against these types of malicious behaviors.

This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers.
