New RAT malware gets commands via Discord, has ransomware feature
By Lawrence Abrams
Published: 2020-10-23 · Archived: 2026-04-05 15:58:40 UTC
The new 'Abaddon' remote access trojan may be the first to use Discord as a full-fledged command and control server that
instructs the malware on what tasks to perform on an infected PC. Even worse, a ransomware feature is being developed for
the malware.
Threat actors abusing Discord for malicious activity is nothing new.
In the past, we have reported on how threat actors use Discord as a stolen data drop or have created malware that modifies
the Discord client to have it steal credentials and other information.
https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
Page 1 of 4

0:00
https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
Page 2 of 4

Visit Advertiser websiteGO TO PAGE
RAT uses Discord as a full C2 server
A new 'Abaddon' remote access trojan (RAT) discovered by MalwareHunterTeam, though, could be the first malware that
uses Discord as a full-fledge command and control server.
A command and control server (C2) is a remote host that malware receives commands to execute on an infected computer.
When started, Abaddon will automatically steal the following data from an infected PC:
Abaddon will then connect to the Discord command and control server to check for new commands to execute, as shown by
the image below.
Receive a task from the Discord server
These commands will tell the malware to perform one of the following tasks:
Steal a file or entire directories from the computer
Get a list of drives
Open a reverse shell that allows the attacker to execute commands on the infected PC.
Launch in-development ransomware (more later on this).
Send back any collected information and clear the existing collection of data.
The malware will connect to the C2 every ten seconds for new tasks to execute.
Using a Discord C2 server, the threat actor can continually monitor their collection of infected PCs for new data and execute
further commands or malware on the computer.
Developing a basic ransomware
One of the tasks that can be executed by the malware is to encrypt the computer with basic ransomware and decrypt files
after a ransom is paid.
This feature is currently in development as its ransom note template contains filler as the developer works on this feature.
https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
Page 3 of 4

In-development ransomware component
With ransomware being extremely lucrative, it would not be surprising to see this feature completed in the future.
Automated Pentesting Covers Only 1 of 6 Surfaces.
Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the
other.
This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic
questions for any tool evaluation.
Source: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
Page 4 of 4