Skip to content

// #discord-abuse

2 articles

← All tags
🛡️ SecOps

MicroStealer Infostealer Targets Education and Telecom via Discord Webhook Exfiltration

ANY.RUN analysts have documented MicroStealer, an infostealer active since December 2025 that specifically targets education and telecommunications sector organisations. MicroStealer uses multi-stage delivery, harvests browser credentials, session tokens, cryptocurrency wallets, and screenshots, and exfiltrates data exclusively via Discord webhooks — making it invisible to traditional network monitoring that blocks dedicated C2 domains. Detection rates on VirusTotal remain low.

#infostealer +7
⚖️ Risk Mgmt

KidsProtect Stalkerware Abuses VS Code Tunnels and Discord Webhooks as Covert C2 Infrastructure

A commercially marketed Android application called KidsProtect, presented as a parental control tool, has been analysed and found to function as stalkerware — secretly recording device location, SMS messages, call logs, and browser history without consent. The tool evades conventional network monitoring by routing command-and-control traffic through legitimate VS Code Remote Tunnels and Discord webhook endpoints. Its developer explicitly markets it as an undetectable monitoring solution on underground forums.

#stalkerware +7

Commentary tagged #discord-abuse

Opinion

Attackers Discovered That Developer Tools Make Better C2 Infrastructure Than Their Own Servers

KidsProtect's use of VS Code Remote Tunnels and Discord webhooks for command-and-control is not a stalkerware quirk — it is the latest example of a systematic shift toward legitimate cloud services as attack infrastructure. When defenders cannot block VS Code tunnels without breaking developer workflows, the standard network-layer controls that security architecture depends on stop working.

CipherWatch Editorial

Security Intelligence Platform