New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits the popular social platform Discord to maintain persistence on infected systems.

Discord, known for its real-time communication features, has become a hub for various communities beyond its gaming origins. However, its API capabilities have also made it a target for malicious activities.

Discord bots are automated programs that perform specific server tasks, ranging from server management to music playback.

As per reports by ASEC Lab, these bots are typically developed using programming languages like Python and JavaScript and interact with servers through the Discord API.

While they enhance user experience, they can also be manipulated for nefarious purposes.

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

PySilon Rat Abusing Discord

PySilon represents a concerning case where RAT malware is implemented using a Discord bot.

The full source code of this malware is available on GitHub, raising alarms about its potential spread. Communities on platforms like Telegram further facilitate its distribution and customization.

RAT Malware Builder Program

The PySilon builder allows users to customize the malware by specifying details such as the Server ID and bot token required for creating a Discord bot. This information is embedded into pre-written Python code and converted into an executable file using PyInstaller.

When executed on a victim’s PC, the malware creates a new channel on the attacker’s server. It sends initial system information, including IP address details, via chat. Each infected PC gets a dedicated channel, enabling the attacker to control it individually.

System Information Transmission

Upon execution, PySilon self-replicates in the user folder to ensure persistence. It adds to the system’s RUN registry key, guaranteeing execution at startup. The malware can also customize the folder name used for replication.

PySilon contains anti-virtual machine (VM) logic, which allows it to detect virtual environments and avoid execution within them.

Screen and audio recording files sent to the threat actor

Attackers can execute various commands through the created channels, enabling them to perform malicious activities such as:

  • Information Collection: The “Grab” command extracts personal data, including Discord tokens, browsing history, cookies, and passwords.
  • Screen and Audio Recording: The malware captures screen and audio data using Python modules like pyautogui and sound device.
  • Keylogging: It logs keystrokes and transmits them when the user presses “Enter.”
  • Folder Encryption: PySilon encrypts files using the Fernet algorithm, storing decryption keys in user folders without leaving ransom notes.
Encryption/decryption commands

PySilon’s open-source nature makes it easy for threat actors to integrate its code into seemingly benign bots. Since data transmission occurs via official Discord servers used for legitimate bot functions, detecting such malware becomes challenging for users.

The rise of open-source projects like PySilon highlights a growing trend of exploiting popular cybercrime platforms.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and their…

2 hours ago

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS environments…

14 hours ago

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling them…

18 hours ago

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases from…

18 hours ago

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting abuse…

19 hours ago

Metasploit Framework Released with New Features

The Metasploit Framework, a widely used open-source penetration testing tool maintained by Rapid7, has introduced…

21 hours ago