Good day everyone, we were given a copy of the script from one of the users who was affected by this attack. After reviewing the script, we found that this is a token hijacking attack. The script scans Chrome, Opera, Brave, Yandex, and all known data directories for the Discord client for tokens, then tries these tokens against the Discord API endpoints. Once it finds one that works, it checks whether your account has a credit card attached to it and, if so, buys as much Nitro as it can. After that finishes, it scans your friends list and sends DMs to each friend asking them to help test the game.
A few things to note: this script has been around since 2019 and is still circulating. It also sends all scraped data back to the attacker's Discord via a webhook. It's unknown if it's still active, but since it scrapes all data from your browsers, it should be assumed that other accounts have been compromised. It is highly suggested that you change any passwords and enable two-factor authentication if able. Also, the script specifically targets Windows systems in its current form, so Linux and Mac users should be safe.
The file also copies itself to your startup folder as system.py. You can find the startup directory here: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\. By removing system.py and restarting your PC you should be able to fully remove the script.
We will be reporting this script to Discord for further investigation.
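To check for the startup copy described above, the following PowerShell script can be used. It is an added example, not part of the script we reviewed; the -Quarantine switch and the quarantine folder under %TEMP% are assumptions made for this example.

```powershell
# Added example: look for the system.py persistence copy in the per-user Startup folder.
# Run without arguments to report only; pass -Quarantine to move the file away.
param(
    [switch]$Quarantine,
    # Assumption: quarantine location chosen for this example.
    [string]$QuarantineDir = (Join-Path $env:TEMP 'startup-quarantine')
)

# Per-user Startup folder named in the post.
$startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
if (-not (Test-Path -LiteralPath $startup)) {
    Write-Output "Startup folder not found: $startup"
    return
}

# Everything in this folder runs at logon, so list all of it for review
# (including hidden files), not just the one name we are looking for.
$items = Get-ChildItem -LiteralPath $startup -File -Force
$items | Select-Object Name, Length, CreationTime, LastWriteTime |
    Format-Table -AutoSize | Out-Host

$hits = $items | Where-Object { $_.Name -ieq 'system.py' }
if (-not $hits) {
    Write-Output 'No system.py found in the Startup folder.'
    return
}

foreach ($f in $hits) {
    # Record a hash before touching the file so it can be reported or compared later.
    $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    Write-Output "FOUND $($f.FullName) SHA256=$hash"

    if ($Quarantine) {
        New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
        # Rename with a timestamp and a neutral extension so the copy is not run by accident.
        $dest = Join-Path $QuarantineDir ("{0}.{1:yyyyMMddHHmmss}.quarantined" -f $f.Name, (Get-Date))
        Move-Item -LiteralPath $f.FullName -Destination $dest
        Write-Output "Moved to $dest"
    }
}
```

Moving the file only removes the startup copy, so the restart and the password and two-factor steps above still apply.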