A sophisticated cyber-espionage campaign linked to the Chinese state-sponsored threat group UNC5174 has been discovered utilizing the popular communication platform Discord as a makeshift command-and-control (C2) infrastructure. The AhnLab Security Intelligence Center (ASEC) reports that the group, known for its strategic targeting of government and critical infrastructure sectors, has deployed a new backdoor malware that masquerades as a Discord bot to evade detection and maintain persistent access to compromised systems.
The malware’s most striking feature is its abuse of the legitimate Discord API to manage infected machines. Rather than relying on traditional C2 servers, which are easily blocked by security firewalls, the threat actors configured a Discord bot to issue commands and receive data.
“This approach eliminates the need to build dedicated C2 infrastructure, as both authentication and communication occur entirely through the Discord platform,” the report explains. Because Discord traffic is typically trusted in many network environments, the malicious activity “blends seamlessly with normal user activity,” allowing the attackers to bypass standard security monitoring.
The malware is built using DiscordGo, an open-source Go library designed for creating Discord bots. By encrypting the bot token and server ID within the binary, the attackers ensure that only they can control the bot.
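Because the backdoor is a Go binary that links DiscordGo, one cheap static triage check is to read the module metadata Go embeds in every binary it builds and flag anything that depends on the library. The following program is an added example written for this page, not code from ASEC or from the malware; it assumes DiscordGo's module path `github.com/bwmarrin/discordgo` and uses the standard `debug/buildinfo` package (Go 1.18+) to list a binary's dependencies.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

// DiscordGoModule is the Go module path of the DiscordGo library.
const DiscordGoModule = "github.com/bwmarrin/discordgo"

// FlagDiscordDeps returns the module paths in deps that are DiscordGo or one
// of its subpackages. The list of interesting modules is deliberately small;
// extend it with other Discord client libraries as needed.
func FlagDiscordDeps(deps []string) []string {
	var hits []string
	for _, d := range deps {
		if d == DiscordGoModule || strings.HasPrefix(d, DiscordGoModule+"/") {
			hits = append(hits, d)
		}
	}
	return hits
}

// ModulePaths reads the build metadata embedded in a Go binary and returns
// the main module path followed by the path of every dependency module.
// It returns an error for files that are not Go binaries or that carry no
// build information.
func ModulePaths(path string) ([]string, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, err
	}
	paths := []string{info.Main.Path}
	for _, dep := range info.Deps {
		paths = append(paths, dep.Path)
	}
	return paths, nil
}

// Usage: go run . /path/to/suspect-binary [...]
func main() {
	for _, f := range os.Args[1:] {
		mods, err := ModulePaths(f)
		if err != nil {
			fmt.Printf("%s: %v\n", f, err)
			continue
		}
		if hits := FlagDiscordDeps(mods); len(hits) > 0 {
			fmt.Printf("%s: links Discord library %v, review this binary\n", f, hits)
		} else {
			fmt.Printf("%s: no Discord library dependency\n", f)
		}
	}
}
```

A hit is a lead, not a verdict: legitimate Discord bots link the same library, and an attacker can rebuild a binary with the module list removed or renamed, so pair this with the token-handling and network-behaviour indicators the report describes.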
Once executed, the malware connects to the attackers’ Discord server and listens for commands via the MessageCreate event handler. This allows the threat actors to:
- Run arbitrary system commands.
- Upload and download files.
- Collect sensitive system information.
Remarkably, the malware is incredibly lightweight. “Attackers typically rely on open-source libraries for implementation, meaning the custom code they write is estimated to be fewer than 100 lines,” ASEC researchers noted. This simplicity contributes to its stealth; as of late November 2025, the malware had a VirusTotal detection rate of just 1/64.
UNC5174 employs a calculated strategy to maintain long-term access. The group often begins with a known backdoor, such as vshell, to gain initial entry. However, to avoid detection over time, they “sequentially deploy multiple types of backdoors.”
The Discord-based malware serves as a stealthy fallback. “This approach allowed them to mimic legitimate user traffic patterns and evade existing security policies,” ensuring that even if their primary access tools are discovered, they retain a hidden foothold in the network.
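The report's point that Discord traffic blends in with normal user activity is really a point about what the network sees: the destination is legitimate, so the useful signal is which process on which host is talking to Discord. The program below is an added example for this page, not ASEC's code or the malware's; it runs over a small constructed set of endpoint telemetry records (host, process, destination hostname, in an assumed pipe-separated format) and flags any process reaching Discord's API or gateway hostnames that is not on an assumed allowlist of expected Discord clients.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample telemetry (not from the report): one record per line,
// "host|process|destination_hostname", as an EDR or proxy might export it.
const sampleTelemetry = `ws01|Discord.exe|gateway.discord.gg
ws01|chrome.exe|discord.com
srv02|svchost.exe|discord.com
srv02|update.exe|gateway.discord.gg
srv03|nginx|api.example.org`

// Discord's public REST API and WebSocket gateway hostnames. A DiscordGo bot
// has to reach these to authenticate and to receive MessageCreate events.
var discordHosts = map[string]bool{
	"discord.com":        true,
	"gateway.discord.gg": true,
}

// Processes expected to talk to Discord on a managed workstation (assumed
// allowlist; tune it to the environment). Anything else deserves a look,
// and on a server nothing should be on this list at all.
var expectedClients = map[string]bool{
	"Discord.exe": true,
	"chrome.exe":  true,
	"firefox.exe": true,
	"msedge.exe":  true,
}

// Finding is one process that contacted Discord without being an expected client.
type Finding struct {
	Host, Process, Dest string
}

// FlagUnexpectedDiscordClients parses the telemetry and returns every record
// in which a non-allowlisted process reached a Discord API or gateway host.
// Malformed lines are skipped rather than treated as findings.
func FlagUnexpectedDiscordClients(telemetry string) []Finding {
	var out []Finding
	for _, line := range strings.Split(telemetry, "\n") {
		fields := strings.Split(strings.TrimSpace(line), "|")
		if len(fields) != 3 {
			continue
		}
		host, proc, dest := fields[0], fields[1], strings.ToLower(fields[2])
		if discordHosts[dest] && !expectedClients[proc] {
			out = append(out, Finding{Host: host, Process: proc, Dest: dest})
		}
	}
	return out
}

func main() {
	for _, f := range FlagUnexpectedDiscordClients(sampleTelemetry) {
		fmt.Printf("%s: %s -> %s (unexpected Discord client)\n", f.Host, f.Process, f.Dest)
	}
}
```

The hostname match is exact on purpose so that the sample stays readable; in production you would also cover Discord's CDN and regional gateway names, and an allowlist keyed on process name alone is easy to spoof, so key it on signed binary path or hash where the telemetry provides one.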
The abuse of legitimate platforms like Discord is becoming an increasingly common tactic for threat actors looking to hide in plain sight. “With the growing trend of exploiting open-source tools and collaboration platforms, users must remain vigilant and exercise extreme caution,” ASEC warned.
UNC5174, believed to be a contractor for China’s Ministry of State Security (MSS), has previously been linked to exploits targeting F5 BIG-IP and ScreenConnect vulnerabilities.