Hackers Use Fake Minecraft Mods to Steal Discord Credentials
A sophisticated new phishing campaign targeting Discord users is raising serious alarms across the cybersecurity community.
Unlike conventional phishing attacks that rely on bulk, generic lures, this threat actor first compromises a victim’s Discord account, studies their activity and interests, then sends personalized malware disguised as a Minecraft modpack directly to the victim’s trusted contacts.
The campaign was publicly flagged by @Yahiamice on April 17, 2026, who discovered that a friend’s compromised Discord account had been used to send a rogue Minecraft modpack embedding a credentials stealer.
What makes this attack particularly alarming is the attacker’s reconnaissance phase: before distributing the malicious file, the threat actor reviewed the compromised account’s chat history and gaming activity to craft a believable, context-aware lure, a tactic security researchers define as spear phishing.
According to Check Point Research, similar campaigns use a multi-stage infection chain beginning with a malicious Java-based file disguised as a game mod.
Token Theft: Chain Reaction
Once executed on a real user’s machine, the initial loader performs virtual machine (VM) checks to avoid sandbox detection, then retrieves a second-stage payload from a remote source such as Pastebin.
A final .NET-based stealer is then deployed, capable of exfiltrating browser-saved credentials, cryptocurrency wallet data, and session tokens across platforms such as Discord, Steam, and Telegram.
A key technical component of this attack is Discord token hijacking. Discord tokens act as authorization codes that bypass standard login protections, including two-factor authentication (2FA).
Once stolen, an attacker can silently access the victim’s account, impersonate them to friends, and repeat the distribution cycle, creating a self-propagating infection chain.
Security researchers have confirmed that such stealers can execute fast enough to capture tokens before endpoint protection tools can intervene.
Discord’s Official Warning
Discord’s Trust and Safety team issued a public advisory urging all users to remain vigilant:
- Do not immediately click links or download files sent unexpectedly, even from contacts on your friends list
- Right-click or long-press on mobile to select “Report Message” if something feels off
- If you suspect a friend’s account is compromised, guide them to submit a ticket at dis.gd/hackedaccount
- Immediately change your password and regenerate a new Discord token by logging out and back in
Mitigation Steps
Security professionals recommend the following protective actions:
- Enable two-factor authentication (2FA) on Discord and all linked gaming accounts
- Never download modpacks, .jar files, or executables received via Discord DMs, regardless of the sender
- Verify unexpected file requests off-platform via call or text
- Regularly audit authorized apps connected to your Discord account
- Use endpoint security tools capable of detecting credential dumping and session token theft behaviors
This campaign fits into a growing pattern of gaming-platform-targeted malware. Check Point Research’s Stargazers Ghost Network report documented a “Distribution as a Service” (DaaS) operation specifically targeting Minecraft players via GitHub-hosted malicious mods, with stolen data exfiltrated through Discord webhooks.
Meanwhile, Discord itself confirmed a separate third-party vendor breach in late 2025, exposing user IDs, underscoring the platform’s elevated threat surface.
The convergence of social engineering, account takeover, and gaming community trust makes this campaign one of the more advanced threats targeting everyday users in 2026.
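For defenders, the chain described above (a Java loader pulling a second stage from Pastebin, followed by exfiltration over a Discord webhook) can be hunted for in endpoint network telemetry. The following is an added example, not code from this article or from Check Point Research; the log format, process names, host names and 10-minute correlation window are assumptions, and the sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample telemetry: timestamp, host, process, HTTP method, URL.
SAMPLE_LOG = """\
2026-04-17T18:02:11 PC-ALEX javaw.exe GET https://pastebin.com/raw/EXAMPLE01
2026-04-17T18:02:40 PC-ALEX svc_update.exe POST https://discord.com/api/webhooks/111111111111111111/EXAMPLE-TOKEN
2026-04-17T18:05:00 PC-SAM Discord.exe POST https://discord.com/api/v9/channels/222/messages
2026-04-17T18:06:00 PC-SAM javaw.exe GET https://mods.example.org/packs/index.json
2026-04-17T19:30:00 PC-KIM javaw.exe GET https://pastebin.com/raw/EXAMPLE02
2026-04-17T21:45:00 PC-KIM build-bot.exe POST https://discord.com/api/webhooks/333333333333333333/EXAMPLE-TOKEN
"""

JAVA_PROCS = {"java", "java.exe", "javaw.exe"}
PASTE_HOSTS = {"pastebin.com"}   # the article names Pastebin; extend as needed
WEBHOOK_RE = re.compile(
    r"^https://(?:[a-z]+\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/\d+/", re.I)
WINDOW = timedelta(minutes=10)   # assumed correlation window; tune per environment

def parse(line):
    """Split one log line into (time, host, process, method, url)."""
    ts, host, proc, method, url = line.split(None, 4)
    return datetime.fromisoformat(ts), host, proc.lower(), method.upper(), url.strip()

def find_chains(log_text):
    """Flag hosts where a Java process fetched from a paste site and a
    Discord webhook POST followed from the same host within WINDOW."""
    last_fetch = {}   # host -> (time, url) of the most recent Java paste fetch
    alerts = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, host, proc, method, url = parse(line)
        is_paste = (urlsplit(url).hostname or "") in PASTE_HOSTS
        if proc in JAVA_PROCS and method == "GET" and is_paste:
            last_fetch[host] = (ts, url)
        elif method == "POST" and WEBHOOK_RE.match(url) and host in last_fetch:
            fetched_at, stage_url = last_fetch[host]
            if timedelta(0) <= ts - fetched_at <= WINDOW:
                alerts.append({"host": host, "stage_url": stage_url,
                               "exfil_process": proc,
                               "gap_seconds": int((ts - fetched_at).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in find_chains(SAMPLE_LOG):
        print(alert)
```

Ordinary Discord client traffic and a webhook POST that arrives hours after the paste fetch are both ignored, so only the tightly coupled sequence is reported.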