UNC5174 Group’s Discord Bot Backdoor Malware
Recently, AhnLab SEcurity intelligence Center (ASEC) identified an attack using a backdoor that relies on the Discord API for its Command and Control (C2) channel; the activity is linked to the UNC5174 threat group [1]. UNC5174's operational strategy is designed to maintain long-term control after the initial compromise by deploying several types of backdoor in sequence. In the breach analyzed here, the threat actor first accessed the target system with a previously used backdoor such as vshell. After some time, they installed a new, stealthier backdoor to reduce the risk of detection. This cycle was repeated several times, indicating a deliberate effort to sustain persistence while minimizing exposure.

Figure 1. Compromised regions by UNC5174 group’s attack (Source: ATIP)
During the transition phase of UNC5174's operations, evidence was found of the additional deployment of a backdoor based on a Discord bot. The malware was identified from disk artifacts and network logs collected during the attacker's activity. Notably, the threat actor used the Discord API as the C2 channel instead of building dedicated C2 infrastructure, which let the traffic blend in with legitimate user traffic and slip past existing security policies. This fits UNC5174's persistence strategy: an immediate fallback communication channel is available whenever the primary C2 servers are detected or blocked.
Discord is a voice, video, and text-based community platform that started as a gamer-focused service but has since become widely used across various interest groups. Users can create servers around specific topics and set up text channels, voice channels, and threads for communication. Additionally, bots can be added to enable automation, and developers can leverage the Discord API (REST + Gateway) to build custom functionalities.
Attackers have abused these features to build backdoor malware. Analysis showed that the malware was built with the discordgo module, which is publicly available as open source on GitHub. As of November 24, 2025, the file had a VirusTotal score of 1/64: only AhnLab products detected it, and it remained undetected by most other security solutions.

Figure 2. VirusTotal Score
Discordgo is an open-source library written in the Go programming language (Golang) for developing applications and bots that interact with the Discord API. It supports both the REST API and the WebSocket Gateway, so developers can implement message transmission, channel management, and event handling. It also provides voice channel connectivity and audio streaming, making it well suited to real-time communication bots. With Discordgo, a developer can create a bot with an authentication token and implement command processing or automation in a few calls. Because it is open source and freely available, attackers have abused the same convenience to develop malware.
Discordgo GitHub repo: https://github.com/bwmarrin/discordgo

Figure 3. Discordgo
Below is a detailed analysis of the malware developed by abusing the open-source Discordgo library. As the first step in implementing a Discord bot, the malware connects to the attacker's server using a bot token and a server ID. Both values are stored encrypted in the file and are Base64-decoded and AES-decrypted at runtime. Once decrypted, they are used to establish the connection to the attacker's server. Calling the Discord API directly is common practice, but the Discordgo library makes session creation more convenient: a single call to discordgo.New() with the token is enough.

Figure 4. Calling discordgo.New()
Discord offers a variety of bot features beyond simple chat. One of them is that when a bot receives a message in a server, a specific event fires; one such event is MessageCreate. The threat actor built the backdoor's command handling on this event.
In the Discordgo library, callback functions can be registered with AddHandler() to run when events occur. The threat actor used this to have the bot process commands as follows:
- Receive command: The threat actor enters a command into the Discord channel.
- Trigger event: When the bot receives a message, the MessageCreate event is triggered.
- Execute callback: The registered callback function is executed to interpret and execute the command.

Figure 5. Registering the function to handle the MessageCreate event by calling AddHandler()
The backdoor built this way has the following capabilities:
- Run command
- Upload file
- Download file
- Collect system information
When the threat actor sends a message containing a command, it arrives through the MessageCreate event and the registered handler processes it. The payload is appended to bash -c to form the command line, which is then executed. The output is written to a temporary file such as /tmp/message.txt and its contents are sent back to the Discord channel. Once the result has been delivered, the file is deleted to minimize traces.

Figure 6. Executing the threat actor’s command with bash

Figure 7. Saving the command execution result to message.txt
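The behaviour described above leaves a correlatable trail on the host: an unexpected process talking to the Discord REST API and gateway, bash -c children spawned by that process, and a file at /tmp/message.txt that is created and removed shortly after. The Go program below is an added example written for this article, not code from ASEC, from discordgo or from the malware; it runs a simple hunt over a constructed event timeline. The Event layout, PIDs and sample lines are made up for the example, and the domain list assumes discordgo's default endpoints (REST on discord.com, gateway on gateway.discord.gg).

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a simplified host telemetry record (auditd/eBPF/EDR style); the layout is constructed for this example.
type Event struct {
	PID, PPID int    // process and its parent (the parent matters for exec events)
	Kind      string // "connect", "exec", "open" or "unlink"
	Detail    string // host:port for connect, command line for exec, path otherwise
}

// Finding is the evidence against one controlling process: "low" for Discord traffic alone, "high" once execution artifacts join it.
type Finding struct {
	Severity string
	Reasons  []string
}

// Domains behind discordgo's default endpoints (REST on discord.com, gateway on gateway.discord.gg).
var discordDomains = []string{"discord.com", "discord.gg"}

const outputFile = "/tmp/message.txt" // temp file the analysis reports for command output

// IsDiscordHost accepts "host" or "host:port" and matches the domains above.
func IsDiscordHost(hostPort string) bool {
	host, _, _ := strings.Cut(hostPort, ":") // drop a trailing :port if present
	for _, d := range discordDomains {
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

// IsBashC matches the "bash -c <payload>" command line the backdoor builds.
func IsBashC(cmdline string) bool {
	f := strings.Fields(cmdline)
	return len(f) >= 3 && (f[0] == "bash" || strings.HasSuffix(f[0], "/bash")) && f[1] == "-c"
}

// HuntDiscordBackdoor correlates, per controlling process (keyed by PID): a Discord connection,
// bash -c children it spawned (attributed via PPID), and the create-then-delete cycle on /tmp/message.txt.
func HuntDiscordBackdoor(events []Event) map[int]Finding {
	type state struct{ discord, bashC, wrote, removed bool }
	st := map[int]*state{}
	get := func(pid int) *state {
		if st[pid] == nil {
			st[pid] = &state{}
		}
		return st[pid]
	}
	for _, e := range events {
		switch {
		case e.Kind == "connect" && IsDiscordHost(e.Detail):
			get(e.PID).discord = true
		case e.Kind == "exec" && IsBashC(e.Detail):
			get(e.PPID).bashC = true
		case e.Kind == "open" && e.Detail == outputFile:
			get(e.PID).wrote = true
		case e.Kind == "unlink" && e.Detail == outputFile:
			get(e.PID).removed = true
		}
	}
	out := map[int]Finding{}
	for pid, s := range st {
		if !s.discord {
			continue // bash -c or /tmp writes on their own are everyday noise
		}
		f := Finding{Severity: "low", Reasons: []string{"connects to the Discord API/gateway"}}
		if s.bashC {
			f.Severity, f.Reasons = "high", append(f.Reasons, "spawned bash -c children")
		}
		if s.wrote && s.removed {
			f.Severity, f.Reasons = "high", append(f.Reasons, outputFile+" created then deleted")
		}
		out[pid] = f
	}
	return out
}

// SampleEvents is a constructed timeline: PID 4242 behaves like the backdoor,
// PID 5100 is a browser that merely uses Discord, PID 6000 is a cron job.
var SampleEvents = []Event{
	{PID: 4242, PPID: 1, Kind: "connect", Detail: "discord.com:443"},
	{PID: 4242, PPID: 1, Kind: "connect", Detail: "gateway.discord.gg:443"},
	{PID: 4301, PPID: 4242, Kind: "exec", Detail: "/bin/bash -c id; uname -a"},
	{PID: 4242, PPID: 1, Kind: "open", Detail: outputFile},
	{PID: 4242, PPID: 1, Kind: "unlink", Detail: outputFile},
	{PID: 5100, PPID: 1, Kind: "connect", Detail: "discord.com:443"},
	{PID: 6000, PPID: 900, Kind: "exec", Detail: "bash -c apt-get update"},
}

func main() {
	for pid, f := range HuntDiscordBackdoor(SampleEvents) {
		fmt.Printf("PID %d [%s]: %s\n", pid, f.Severity, strings.Join(f.Reasons, "; "))
	}
}
```

A Discord connection alone only yields a low-severity finding, since browsers and the desktop client talk to the same domains; the bash -c child and the temp-file cycle are what raise it. Both are attacker-chosen details (the path and the shell are trivially changed in a fresh build), so treat the rule as a starting point for a hunt rather than a signature, and key it on the spawning process, which is where the exec event's parent PID points.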
The following system information can be collected from the victim. Another open-source Go library is used to gather it.

Figure 8. Information that can be stolen from the system
Attackers typically rely on open-source libraries for the implementation, so the custom code they write is estimated at fewer than 100 lines. This shows how a short and simple approach can produce a fully functional backdoor that is extremely hard to detect, which makes the threat all the more realistic. Adversaries have increasingly used open-source components to craft malware that masquerades as legitimate software. Using Discord as the C2 channel in particular makes detection significantly harder, because the malicious traffic blends in with normal user activity. It also removes the need to build dedicated C2 infrastructure: both authentication and communication take place entirely on the Discord platform, making it easy to bypass security solutions.
| Index | Bot Token | Server ID |
| --- | --- | --- |
| 1 | MTM5MzE4Mzg4NjYwMjkzMjI2NA.G6ooB1.zBdzA0XNv0k219EbJsXgxuR7N_X_H3beHgz_iM | 1393184594974474344 |
| 2 | MTQxMzQyNzA1Nzc2MDY2NTcyMQ.Golp3b.yc5Z1_qjtKJxwsznCRc5k2KCB2_BARLMUGqqNs | 1413435292970647596 |
Table 1. Bot token and server ID used in the attack
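The two rows in Table 1 can be triaged offline. A Discord bot token consists of three dot-separated segments, and the first is the unpadded Base64 of the bot's user ID; that ID and the server ID are snowflakes, whose upper 42 bits hold a creation timestamp (Discord's API documentation specifies the layout and the 2015-01-01 epoch). The Go program below is an added example, not ASEC's code or anything from the report, and it never contacts Discord: it only decodes the published values. The token-segment encoding is a property of Discord tokens that the report does not state, and the code marks it as such.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// discordEpoch is the Discord snowflake epoch, 2015-01-01T00:00:00Z, in
// milliseconds. A snowflake's top 42 bits are milliseconds since this epoch
// (documented in Discord's API reference).
const discordEpoch int64 = 1420070400000

// SnowflakeTime returns the creation time embedded in any Discord snowflake
// (user, server/guild, channel and message IDs all share the layout).
func SnowflakeTime(id uint64) time.Time {
	return time.UnixMilli(int64(id>>22) + discordEpoch).UTC()
}

// BotUserID recovers the bot's user ID from a bot token. Assumption (a known
// property of Discord tokens, not something the report states): the segment
// before the first '.' is the unpadded Base64 of the ID written in decimal.
// Nothing else in the token is decoded, and the token is never sent anywhere.
func BotUserID(token string) (uint64, error) {
	seg, _, ok := strings.Cut(token, ".")
	if !ok {
		return 0, fmt.Errorf("token has no '.' separator")
	}
	raw, err := base64.RawStdEncoding.DecodeString(seg)
	if err != nil {
		return 0, fmt.Errorf("first token segment is not Base64: %w", err)
	}
	id, err := strconv.ParseUint(string(raw), 10, 64)
	if err != nil {
		return 0, fmt.Errorf("decoded segment %q is not a snowflake: %w", raw, err)
	}
	return id, nil
}

// Triage is the summary an analyst wants per Table 1 row.
type Triage struct {
	BotUserID     uint64
	BotCreated    time.Time
	ServerCreated time.Time
}

// TriageRow decodes one token/server-ID pair from the IOC table.
func TriageRow(token string, serverID uint64) (Triage, error) {
	uid, err := BotUserID(token)
	if err != nil {
		return Triage{}, err
	}
	return Triage{uid, SnowflakeTime(uid), SnowflakeTime(serverID)}, nil
}

func main() {
	// Rows of Table 1 above (published IOCs); this program only decodes them.
	rows := []struct {
		token    string
		serverID uint64
	}{
		{"MTM5MzE4Mzg4NjYwMjkzMjI2NA.G6ooB1.zBdzA0XNv0k219EbJsXgxuR7N_X_H3beHgz_iM", 1393184594974474344},
		{"MTQxMzQyNzA1Nzc2MDY2NTcyMQ.Golp3b.yc5Z1_qjtKJxwsznCRc5k2KCB2_BARLMUGqqNs", 1413435292970647596},
	}
	for i, r := range rows {
		tr, err := TriageRow(r.token, r.serverID)
		if err != nil {
			fmt.Printf("%d: %v\n", i+1, err)
			continue
		}
		fmt.Printf("%d: bot user %d created %s; server %d created %s\n", i+1,
			tr.BotUserID, tr.BotCreated.Format(time.RFC3339), r.serverID, tr.ServerCreated.Format(time.RFC3339))
	}
}
```

Running it shows that in both rows the bot account and the server it was attached to were created close together in time (minutes apart for the first row, about half an hour for the second), which is the kind of infrastructure detail worth recording alongside the raw IOCs. Do not paste the remaining two token segments anywhere: together with the first they are the credential, and the first segment is all that is needed here.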
As a result, attackers can execute remote commands, exfiltrate data, and carry out other malicious activity through simple message events. Given the growing abuse of open-source tools and collaboration platforms, users must remain vigilant and exercise extreme caution when handling files from unknown or untrusted sources.