
This Is Discord Malware: Soylamos; How to Detect & Prevent it

Posted on March 12, 2026

Imagine you are relaxing on Discord when a friend sends you a link to a cool new game trailer. They tell you their friends are developing it and need beta testers. It sounds like a fun opportunity, right? Unfortunately, this is one of the most effective social engineering traps used by hackers today. Let’s dive deep into how this malware works and how you can prevent your digital life from being compromised.

The scam often starts with a message about a game titled “Soylamos” or “Awaken the Legend.” The website looks professional, featuring high-quality art and a “Download” button. However, the first red flag is the “Quick Setup” gate. The site asks for your Discord username and the name of the person who invited you. This is a technical trick designed to limit the reach of the malware: by requiring specific input, hackers can prevent automated antivirus bots from downloading and analyzing the file. This is why, when analyzed on platforms like VirusTotal, these files often show very low detection rates, sometimes 0 out of 68 engines.

Technically, this malware belongs to a category known as an “infostealer.” Unlike traditional viruses that might delete your files, an infostealer is designed to be quiet and fast. Its primary target on Discord is your Session Token. Think of a session token as a digital key card that the Discord app uses to keep you logged in so you do not have to type your password every time you open the program.

When you run the malicious “game” executable, it immediately searches your computer’s local storage—specifically the Local State and LevelDB files used by Discord and Chromium-based browsers like Google Chrome or Microsoft Edge. Even if you have Two-Factor Authentication (2FA) enabled, it will not stop this attack. This is because the hacker does not need your password or your 2FA code; they simply steal the active “session” you have already authenticated. Once they have your token, they can log into your account from their own computer, bypassing all security prompts.
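A defender-side sketch of the behaviour described above, added here and not taken from the original post: it flags any process other than the owning application that opens Discord or Chromium `Local State` or LevelDB files. The event schema, path markers, process names and sample events are constructed assumptions.

```python
import ntpath

# Store locations -> processes expected to open them. Markers and process
# names are assumptions for a default Windows install; tune per environment.
OWNERS = {
    "\\discord\\": {"discord.exe"},
    "\\google\\chrome\\user data\\": {"chrome.exe"},
    "\\microsoft\\edge\\user data\\": {"msedge.exe"},
}

# Constructed file-access events (hypothetical schema: accessing process image
# and file opened), as EDR or object-access auditing might report them.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\AppData\Local\Discord\app-1.0.0\Discord.exe",
     "target": r"C:\Users\alice\AppData\Roaming\discord\Local Storage\leveldb\000005.ldb"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"image": r"C:\Users\alice\Downloads\GameSetup.exe",
     "target": r"C:\Users\alice\AppData\Roaming\discord\Local Storage\leveldb\000005.ldb"},
    {"image": r"C:\Users\alice\Downloads\GameSetup.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"image": r"C:\Program Files\Backup\backup.exe",
     "target": r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG"},
]

def classify(event):
    """Return the store a non-owning process touched, or None if benign."""
    target = event["target"].lower()
    parts = target.split("\\")
    # Only the two artefacts the article names: LevelDB dirs and Local State.
    if "leveldb" not in parts and parts[-1] != "local state":
        return None
    image = ntpath.basename(event["image"]).lower()
    for marker, owners in OWNERS.items():
        if marker in target:
            return None if image in owners else marker.strip("\\")
    return None

def triage(events):
    """Severity per process: one foreign store is medium, several is high."""
    touched = {}
    for ev in events:
        store = classify(ev)
        if store:
            touched.setdefault(ev["image"], set()).add(store)
    return {img: "high" if len(s) > 1 else "medium" for img, s in touched.items()}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Backup and antivirus agents will legitimately appear as medium findings; allowlist them by full path rather than by file name, since a file name alone is easy to imitate.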

Furthermore, these modern infostealers are capable of “Credential Dumping.” They target the browser’s internal database where you might have saved passwords for other websites. While browsers encrypt these passwords, the malware can often find the decryption key within the same user profile folders. Once decrypted, the hacker has access to your emails, social media, and even cryptocurrency wallets.

The most dangerous part of this cycle is “Lateral Movement.” Once a hacker gains control of your account, they do not just stop there. They use your account to send the same malicious link to everyone on your friends list. Because the message comes from you, your friends are much more likely to trust it and click the link, continuing the chain of infection like a digital worm.

To protect yourself, you must change how you handle security. First, never save sensitive passwords directly in your web browser. Browsers are the first place malware looks. Instead, utilize a dedicated password manager. Options like Passbolt are excellent because they offer “Self-Hosting” capabilities. Self-hosting means your password database stays on your own private server or hardware rather than a giant cloud server that might be a target for hackers.

Second, you should always verify unusual requests. If a friend sends you a link to download a file, reach out to them on a different platform (like a text message or a phone call) to confirm they actually sent it. If you suspect you have already run a malicious file, you must act quickly. Change your Discord password immediately; this usually “invalidates” all current session tokens, kicking the hacker out. After that, run a full system scan using a reputable tool like Malwarebytes to ensure no persistence scripts remain on your machine.

Cybersecurity in 2025 and beyond requires a healthy amount of skepticism. Even if a website looks polished and a friend seems helpful, always remember that your session tokens are the keys to your digital identity. Keep them guarded, keep your software updated, and always think twice before clicking “Run” on an unknown executable.
