<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Discord Desktop Client - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/discord-desktop-client/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 13:21:19 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/discord-desktop-client/feed.xml" rel="self" type="application/rss+xml"/><item><title>Non-Discord Application Accessing Discord LevelDB</title><link>https://feed.craftedsignal.io/briefs/2026-07-non-discord-app-access-leveldb/</link><pubDate>Fri, 03 Jul 2026 13:21:19 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-non-discord-app-access-leveldb/</guid><description>This brief details the detection of non-Discord applications accessing the Discord LevelDB database on Windows endpoints, a critical activity often indicative of credential theft or sensitive data exfiltration by infostealer malware, which can lead to unauthorized access to user profiles and messages.</description><content:encoded><![CDATA[<p>This brief addresses the detection of unauthorized access to the Discord LevelDB database by non-Discord applications on Windows endpoints. This activity is significant as it may indicate attempts to steal Discord credentials or access sensitive user data. If confirmed malicious, this could lead to unauthorized access to user profiles, messages, and other critical information, potentially compromising the security and privacy of the affected users. The detection leverages Windows Security Event logs, specifically event code 4663, to identify file access attempts to the LevelDB directory by processes other than Discord. This behavior is commonly associated with infostealer malware such as StealC, Snake Keylogger, PXA Stealer, BlankGrabber Stealer, and Phantom Stealer, which target popular applications like Discord to exfiltrate user credentials and other sensitive data stored locally. Such attacks can result in account takeover, financial fraud, and further system compromise.</p>
<h2 id="impact">Impact</h2>
<p>If this attack succeeds, victims face unauthorized access to their Discord accounts, leading to potential account takeover, message interception, and identity theft. Attackers can leverage compromised accounts for phishing, spreading malware, or accessing linked services. The exfiltration of sensitive user data, including personal messages and potentially financial information if stored or transmitted via Discord, can have severe privacy implications and lead to significant financial and reputational damage. While specific victim counts are not available, infostealer campaigns consistently target popular platforms like Discord, indicating a broad potential user base across various sectors is at risk from this activity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable &quot;Audit Object Access&quot; in Group Policy for both &quot;Success&quot; and &quot;Failure&quot; on file access to ensure Windows Security Event Code 4663 is logged, as required for the Sigma rule provided.</li>
<li>Deploy the Sigma rule &quot;Detect Non-Discord App Accessing Discord LevelDB&quot; to your SIEM and tune for your environment to identify suspicious access attempts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>credential-theft</category><category>malware</category><category>windows</category><category>endpoint</category><category>infostealer</category></item></channel></rss>