Rankiteo Logo
Rankiteo
Leader in Cyber Underwriting
Loading...
NEWRankiteo Cyber Underwriting Desktop - Score, price, and bind from your desktop
WindowsmacOSLinux
Download
Analyze » Discord Developers » DIS1768835600

Incident Score: Analysis & Impact (DIS1768835600)

The details regarding individual company incidents & reports gives you full view from every side.

Rankiteo Score Impact Analysis

Rankiteo Incident Impact-31
Company Score Before Incident767 / 1000
Company Score After Incident736 / 1000
Company LinkView Discord Developers Profile
INCIDENT NUMBERDIS1768835600
Type of Cyber IncidentCyber Attack
ATTACK VECTORMalware (Python-based executable)
DATA EXPOSEDCredentials, documents, keystrokes, screenshots
INCIDENT DATE18/01/2026
STATUSOngoing (discovery by Cyfirma)

Key Highlights From The Incident Analysis

  • Timeline of Discord Developers's Cyber Attack and lateral movement inside company's environment.
  • Overview of affected data sets, including SSNs and PHI, and why they materially increase incident severity.
  • How Rankiteo’s incident engine converts technical details into a normalized incident score.
  • How this cyber incident impacts Discord Developers Rankiteo cyber scoring and cyber rating.
  • Rankiteo’s MITRE ATT&CK correlation analysis for this incident, with associated confidence level.

Full Incident Analysis Transcript

In this Rankiteo incident briefing, we review the Discord Developers breach identified under incident ID DIS1768835600.

The analysis begins with a detailed overview of Discord Developers's information like the linkedin page: https://www.linkedin.com/company/discord-developers, the number of followers: 1123, the industry type: Technology, Information and Internet and the number of employees: None employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 767 and after the incident was 736 with a difference of -31 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Discord Developers and their customers.

A newly reported cybersecurity incident, "New Python-Based Infostealer 'SolyxImmortal' Leverages Legitimate APIs for Stealthy Data Theft", has drawn attention.

Cybersecurity firm Cyfirma has uncovered *SolyxImmortal*, a Python-written information stealer targeting Windows systems with evasive data harvesting and surveillance capabilities.

The disruption is felt across the environment, affecting Windows systems, and exposing Credentials, documents, keystrokes, screenshots.

Formal response steps have not been shared publicly yet.

The case underscores how Ongoing (discovery by Cyfirma), teams are taking away lessons such as Growing trend of mid-tier threat actors exploiting legitimate platforms (e.g., Discord, Python) and third-party libraries to deploy surveillance tools without dedicated infrastructure.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

MITRE ATT&CK® Correlation Analysis

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified User Execution: Malicious File (T1204.002) with moderate to high confidence (80%), supported by evidence indicating python-written information stealer targeting Windows systems. Under the Execution tactic, the analysis identified Command and Scripting Interpreter: Python (T1059.006) with high confidence (90%), supported by evidence indicating python-written information stealer SolyxImmortal. Under the Persistence tactic, the analysis identified Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) with high confidence (90%), supported by evidence indicating registers under the Run key to launch at logon and Create or Modify System Process: Windows Service (T1543.003) with moderate confidence (50%), supported by evidence indicating designed for persistent background operation. Under the Defense Evasion tactic, the analysis identified Hide Artifacts: Hidden Files and Directories (T1564.001) with high confidence (90%), supported by evidence indicating copies itself into AppData directory, renames executable, marks as hidden, Valid Accounts (T1078) with moderate to high confidence (70%), supported by evidence indicating abuses Discord’s webhooks for data exfiltration, Obfuscated Files or Information (T1027) with moderate confidence (60%), supported by evidence indicating python-based malware with evasive data harvesting, and Indicator Removal: File Deletion (T1070.004) with moderate to high confidence (80%), supported by evidence indicating deletes temporary files to cover its tracks. Under the Credential Access tactic, the analysis identified Credentials from Password Stores: Credentials from Web Browsers (T1555.003) with high confidence (90%), supported by evidence indicating extracts master encryption key from Local State file to decrypt Chrome login data and Input Capture: Keylogging (T1056.001) with high confidence (90%), supported by evidence indicating captures keystrokes in an in-memory buffer. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (90%), supported by evidence indicating scans user’s home directory for files based on extensions and size, Screen Capture (T1113) with high confidence (90%), supported by evidence indicating takes screenshots when active windows match predefined titles, and Input Capture: Keylogging (T1056.001) with high confidence (90%), supported by evidence indicating keylogging captures keystrokes in an in-memory buffer. Under the Command and Control tactic, the analysis identified Web Service (T1102) with high confidence (90%), supported by evidence indicating abuses Discord’s webhooks for structured data exfiltration and Application Layer Protocol: Web Protocols (T1071.001) with moderate to high confidence (80%), supported by evidence indicating exfiltrates data via HTTPS POST requests. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating exfiltrates data via Discord webhooks and HTTPS POST requests and Exfiltration Over Web Service: Exfiltration to Code Repository (T1567.001) with moderate to high confidence (70%), supported by evidence indicating abuses Discord’s webhooks for data exfiltration. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.

Initial Access
User Execution: Malicious File (80%)
Execution
Command and Scripting Interpreter: Python (90%)
Persistence
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (90%)
Create or Modify System Process: Windows Service (50%)
Defense Evasion
Hide Artifacts: Hidden Files and Directories (90%)
Valid Accounts (70%)
Obfuscated Files or Information (60%)
Indicator Removal: File Deletion (80%)
Credential Access
Credentials from Password Stores: Credentials from Web Browsers (90%)
Input Capture: Keylogging (90%)
Collection
Data from Local System (90%)
Screen Capture (90%)
Input Capture: Keylogging (90%)
Command and Control
Web Service (90%)
Application Layer Protocol: Web Protocols (80%)
Exfiltration
Exfiltration Over C2 Channel (90%)
Exfiltration Over Web Service: Exfiltration to Code Repository (70%)

Sources & References