{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/discord-desktop-client/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Discord Desktop Client"],"_cs_severities":["high"],"_cs_tags":["credential-theft","malware","windows","endpoint","infostealer"],"_cs_type":"advisory","_cs_vendors":["Discord"],"content_html":"\u003cp\u003eThis brief addresses the detection of unauthorized access to the Discord LevelDB database by non-Discord applications on Windows endpoints. This activity is significant as it may indicate attempts to steal Discord credentials or access sensitive user data. If confirmed malicious, this could lead to unauthorized access to user profiles, messages, and other critical information, potentially compromising the security and privacy of the affected users. The detection leverages Windows Security Event logs, specifically event code 4663, to identify file access attempts to the LevelDB directory by processes other than Discord. This behavior is commonly associated with infostealer malware such as StealC, Snake Keylogger, PXA Stealer, BlankGrabber Stealer, and Phantom Stealer, which target popular applications like Discord to exfiltrate user credentials and other sensitive data stored locally. Such attacks can result in account takeover, financial fraud, and further system compromise.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf this attack succeeds, victims face unauthorized access to their Discord accounts, leading to potential account takeover, message interception, and identity theft. Attackers can leverage compromised accounts for phishing, spreading malware, or accessing linked services. The exfiltration of sensitive user data, including personal messages and potentially financial information if stored or transmitted via Discord, can have severe privacy implications and lead to significant financial and reputational damage. While specific victim counts are not available, infostealer campaigns consistently target popular platforms like Discord, indicating a broad potential user base across various sectors is at risk from this activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026quot;Audit Object Access\u0026quot; in Group Policy for both \u0026quot;Success\u0026quot; and \u0026quot;Failure\u0026quot; on file access to ensure Windows Security Event Code 4663 is logged, as required for the Sigma rule provided.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Non-Discord App Accessing Discord LevelDB\u0026quot; to your SIEM and tune for your environment to identify suspicious access attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T13:21:19Z","date_published":"2026-07-03T13:21:19Z","id":"https://feed.craftedsignal.io/briefs/2026-07-non-discord-app-access-leveldb/","summary":"This brief details the detection of non-Discord applications accessing the Discord LevelDB database on Windows endpoints, a critical activity often indicative of credential theft or sensitive data exfiltration by infostealer malware, which can lead to unauthorized access to user profiles and messages.","title":"Non-Discord Application Accessing Discord LevelDB","url":"https://feed.craftedsignal.io/briefs/2026-07-non-discord-app-access-leveldb/"}],"language":"en","title":"CraftedSignal Threat Feed - Discord Desktop Client","version":"https://jsonfeed.org/version/1.1"}