Cyber Security News

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits the popular social platform Discord to maintain persistence on infected systems.

Discord, known for its real-time communication features, has become a hub for various communities beyond its gaming origins. However, its API capabilities have also made it a target for malicious activities.

Discord bots are automated programs that perform specific server tasks, ranging from server management to music playback.

As per reports by ASEC Lab, these bots are typically developed using programming languages like Python and JavaScript and interact with servers through the Discord API.

While they enhance user experience, they can also be manipulated for nefarious purposes.

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

PySilon Rat Abusing Discord

PySilon represents a concerning case where RAT malware is implemented using a Discord bot.

The full source code of this malware is available on GitHub, raising alarms about its potential spread. Communities on platforms like Telegram further facilitate its distribution and customization.

RAT Malware Builder Program

The PySilon builder allows users to customize the malware by specifying details such as the Server ID and bot token required for creating a Discord bot. This information is embedded into pre-written Python code and converted into an executable file using PyInstaller.

When executed on a victim’s PC, the malware creates a new channel on the attacker’s server. It sends initial system information, including IP address details, via chat. Each infected PC gets a dedicated channel, enabling the attacker to control it individually.

System Information Transmission

Upon execution, PySilon self-replicates in the user folder to ensure persistence. It adds to the system’s RUN registry key, guaranteeing execution at startup. The malware can also customize the folder name used for replication.

PySilon contains anti-virtual machine (VM) logic, which allows it to detect virtual environments and avoid execution within them.

Screen and audio recording files sent to the threat actor

Attackers can execute various commands through the created channels, enabling them to perform malicious activities such as:

  • Information Collection: The “Grab” command extracts personal data, including Discord tokens, browsing history, cookies, and passwords.
  • Screen and Audio Recording: The malware captures screen and audio data using Python modules like pyautogui and sound device.
  • Keylogging: It logs keystrokes and transmits them when the user presses “Enter.”
  • Folder Encryption: PySilon encrypts files using the Fernet algorithm, storing decryption keys in user folders without leaving ransom notes.
Encryption/decryption commands

PySilon’s open-source nature makes it easy for threat actors to integrate its code into seemingly benign bots. Since data transmission occurs via official Discord servers used for legitimate bot functions, detecting such malware becomes challenging for users.

The rise of open-source projects like PySilon highlights a growing trend of exploiting popular cybercrime platforms.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Google Announces Vanir, A Open-Source Security Patch Validation Tool

Google has officially launched Vanir, an open-source security patch validation tool designed to streamline and automate…

8 hours ago

New Transaction-Relay Jamming Vulnerability Let Attackers Exploits Bitcoin Nodes

A newly disclosed transaction-relay jamming vulnerability has raised concerns about the security of Bitcoin nodes,…

10 hours ago

Raspberry Pi 500 & Monitor, Complete Desktop Setup at $190

Raspberry Pi, a pioneer in affordable and programmable computing, has once again elevated its game…

10 hours ago

Qlik Sense for Windows Vulnerability Allows Remote Code Execution

Qlik has identified critical vulnerabilities in its Qlik Sense Enterprise for Windows software that could…

12 hours ago

QNAP High Severity Vulnerabilities Let Remote attackers to Compromise System

QNAP Systems, Inc. has identified multiple high-severity vulnerabilities in its operating systems, potentially allowing attackers…

14 hours ago

Healthcare Security Strategies for 2025

Imagine this: It's a typical Tuesday morning in a bustling hospital. Doctors make their rounds,…

15 hours ago