Skip to main content

Discord 'Spidey Bot' Malware Is Stealing Usernames, Passwords

(Image credit: Sharaf Maksumov/Shutterstock)

Hey, gamers and alt-right trolls -- a new Discord piece of malware is coming to get ya!

Called "Spidey Bot" by its discoverers, the Windows malware injects itself into Discord's code and steals your username, email address, IP address, phone number and Discord user token. 

The malware also copies the first 50 characters of your Windows clipboard, which might contain your password if you've copied and pasted it recently, and creates a "backdoor" so that more malware can be installed. Macs don't seem to be affected.

If you're not familiar with Discord, it's chat software often used by PC gamers that has also been picked up lately by people who've been kicked off Reddit and Twitter for particularly unsavory comments. 

It's not totally clear yet how the Discord malware gets on your machine. Malware researcher Vitali Kremez suspects it's being passed around in Discord chats as cheats for Roblox and other games. Kremez told Bleeping Computer two files names he'd seen were "Blueface Reward Claimer.exe" and "Synapse X.exe". 

Unfortunately, you won't be able to tell if your Discord application is infected. [UPDATE: It turns out you can -- see the end of this story.] Even if you do, you'll have to delete the Discord software and reinstall it to make sure you're clean. All you can do is make sure you're running the best antivirus software, which should block the malware.

Discord itself doesn't seem to be too helpful in responding to user concerns.

But sadly, Discord is right. There's not that much the software maker can do from its end at the moment, except maybe to tell people to access Discord on their phone or gaming console instead of on a PC or Mac. 

Discord's Windows and Mac client is built on Electron, a open-source framework that creates applications out of the Chromium web-browser engine and JavaScript. 

Like the desktop clients of other Electron-built apps such as Slack, Signal and Skype, the Discord desktop application is really just a big web browser, and it's going to run whatever JavaScript you feed it.

A couple of the Twitter complainers with whom Discord corresponded pointed out that Discord might want to encrypt certain parts of its JavaScript library. That might be a long-term solution, but it's not going to help anyone right now.

UPDATE: Bleeping Computer updated its own article on Spidey Bot with a method by which Discord users can check to see if their Discord desktop installations have been infected.

Spidey Bot targets only two files in the Discord application folder:

 %AppData%\Discord\[version]\modules\discord_modules\index.js 

and 

%AppData%\Discord\[version]\modules\discord_desktop_core\index.js

Open each of these files in Notepad. Each should have only a single line of code. If either has more than one line, your Discord build is compromised and should be uninstalled.

Bleeping Computer also proposed that Discord perform a file-integrity check every time the application is launched to prevent against further compromise. That feature doesn't seem to exist in the application right now, but it wouldn't be hard to add in a future software update.