Discord Phishing Kit ee3f9f72

Detects a Discord phishing kit targeting Discord users.

This kit proxies all requests made by the original Discord website to the domain the kit is running on.

References

Recent Detections

hxxps://guildjoinwelcome[.]in/

urlscan.io
hxxps://defifrensguild[.]in/

urlscan.io
hxxp://guidemaple[.]click/login

urlscan.io
hxxps://guidemaple[.]click/

urlscan.io
hxxp://guidemaple[.]click/

urlscan.io
hxxp://defifrenswelcome[.]xyz/

urlscan.io
hxxp://defifrenswelcome[.]xyz/login

urlscan.io
hxxp://defifriendswelcoming[.]xyz/login

urlscan.io
hxxp://overworldguild[.]click/login

urlscan.io
hxxps://overworldguild[.]click/login

urlscan.io

IOK Rule (edit)

title: Discord Phishing Kit ee3f9f72
description: |
    Detects a `Discord` phishing kit targeting Discord users.
    
    This kit proxies all requests made by the original Discord
    website to the domain the kit is running on.
    
references:
    - https://urlscan.io/result/a0823bf6-9814-44ce-9517-271904fa7eed
    - https://urlscan.io/result/ee3f9f72-fe13-4729-b11e-ebcf51a02ed8

detection:

    proxyOpenCall:
        js|contains: 'oldXHROpen'
        
    proxyFetchCall:
        js|contains: 'oldFetch'

    originCheck:
        js|contains: "url.includes('://discord.com/api/')"
        
    condition: proxyOpenCall and proxyFetchCall and originCheck
    
tags:
  - target.discord