I Think My Token Was Stolen (CosmicDriftTrojan)

I think someone has my token
I need help making sure I’m clean, not too sure what to do to keep my acc safe

Someone had me download a game from a site, but the site looked clean, it was secure, TLD or whatever
but as I was installing, my discord logged out.
I immediately changed my password, which if I’m not mistaken, changes my token too.

VirusTotal says the file is clean, but the file reports back to an ip that leads to the domain superfuniestindianparty.rip
I searched that up and it looks like it was also used in a discord trojan attack, seen here
the download site (DO NOT TRUST): https://cosmicdrifts.tech/

Any help would be greatly appreciated!

Registered by Team Kevin in India via DotServe, Inc. on March 28, 2022 - Whois cosmicdrifts.tech

VirusTotal (DETECTED BY KASPERSKY) - VirusTotal - File - 3c133cce56f0b79a4898d6b9642ae87a6771549dbf3d1f705909301ff7c19a5d

image

I AM UNABLE TO PERFORM AN ANY.RUN, AS THE DOMAIN ONLY ACCEPTS US IP ADDRESSES

Program contains UDS:Trojan-PSW.Win32.Disco, which is a type of ransomware designed to steal Discord tokens.

The domain superfuniestindianparty.rip actually redirects to iloveyoubby.ru, which is registered in the Russian Federation via RuCenter-Ru on February 18, 2022 - Whois iloveyoubby.ru

Associated Discord Server - Cosmic Drift (discord.com)

OWNERS:
Shoto#0009 (UID: 835365423893315634)
VIGI#6699 (UID: 928971744113463326)
KEvin#6699 (UID: 953495282753081394)

Associated Instagram Account (BANNED) - Page Not Found • Instagram

Associated YouTube Channel - https://videos.ctfassets.net/9tpgu2u9anrt/4DRmmCtZWQrBzxT4wdzKnz/9d1b70c1b31be6e2b3521dc423f05285/SP_thub_roll_B.mp4

1 Like

Nice work, I appreciate you looking into this

it is indeed a token stealer for discord

ANY.RUN Analysis - https://cosmicdrifts.tech/ - Interactive analysis - ANY.RUN

image

Intezer Report - https://analyze.intezer.com/analyses/8c7b3435-8ba5-4640-9b2e-94e61228ed5d/dynamic-ttps

Steals Google Chrome Cookies as well