Malware Analysis: Discord-Delivered Infostealer (Lapresse)
via Dev.to Pythonyuribe

Executive Summary

I investigated a Discord-distributed malware campaign delivering a Python-based infostealer disguised as a .zip file. The malware employs Base85 + XOR obfuscation, multiple persistence mechanisms, and a WebSocket-based C2 infrastructure. I performed both static and dynamic analysis to uncover the infection chain, payload behavior, and exfiltration methods.

Threat Overview

Category        Details
Malware Type    Python-based Infostealer
Entry Point     Discord server promotion
Obfuscation     Base85 + XOR
Persistence     Scheduled tasks
Exfil Method    Discord Webhooks & WebSocket C2
Primary C2      ws://195.211.190.107:8767
Tools Used      pyinstxtractor, pycdc, HxD, Wireshark

1. Initial Vector

Delivery Method: Discord server promoted via discordservers.com
File Name: Launcher.exe
Behavior:
  - Hosted on Discord CDN
  - Attempts to evade payload detection by using a .zip extension on an executable file (confirmed by the MZ header in HxD)
  - Downloads additional payloads via an obfuscated PowerShell script
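As an added example (not code from the article or its author), the following Python helpers show two checks an analyst would script for a sample like this one: a file-type check that flags a file carrying a .zip extension but an MZ (PE) header, and a decoder for an obfuscation layer built from Base85 encoding followed by a repeating-key XOR. The layer order, the key, the file names and the sample bytes are all assumptions for illustration; the page does not disclose the real sample's key or exact scheme.

```python
import base64
import os
from itertools import cycle
from typing import Optional

# Constructed magic bytes (not taken from the real campaign): a Windows PE
# image starts with "MZ", a real ZIP archive with the local-file header "PK\x03\x04".
PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"


def magic_mismatch(filename: str, head: bytes) -> Optional[str]:
    """Compare the claimed extension with the leading bytes of the content.

    Returns a short verdict when a ".zip" name does not carry ZIP content
    (in particular when it carries a PE header, the masquerade described in
    the article), or None when extension and magic agree.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext == ".zip" and head.startswith(PE_MAGIC):
        return "extension .zip but MZ (PE) header: executable masquerading as archive"
    if ext == ".zip" and not head.startswith(ZIP_MAGIC):
        return "extension .zip but no PK header: not a ZIP archive"
    return None


def check_file(path: str) -> Optional[str]:
    """Read the first four bytes of a file on disk and run magic_mismatch on them."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    return magic_mismatch(os.path.basename(path), head)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (XOR is its own inverse)."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_base85_xor(blob: str, key: bytes) -> bytes:
    """Hypothetical layering assumed here: Base85 text -> XOR with key -> plaintext.

    The real sample's layer order and key are not given on the page; adjust
    this function once the loader's decode routine has been recovered with
    pycdc from the extracted .pyc.
    """
    return xor_bytes(base64.b85decode(blob), key)


def encode_base85_xor(plain: bytes, key: bytes) -> str:
    """Inverse of decode_base85_xor, used only to build test fixtures."""
    return base64.b85encode(xor_bytes(plain, key)).decode("ascii")


if __name__ == "__main__":
    # Constructed sample: a PE header delivered under a .zip name.
    print(magic_mismatch("Launcher.zip", b"MZ\x90\x00"))
    # Constructed obfuscated blob with an assumed key, round-tripped for illustration.
    key = b"k3y"
    blob = encode_base85_xor(b"hello analyst", key)
    print(blob, "->", decode_base85_xor(blob, key))
```

The magic check is deliberately stricter than "is it MZ": a .zip that is neither PK nor MZ is also worth a look, since a renamed script or installer would be missed by a PE-only rule.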