
Silent Watcher: Compromising Windows Systems and Exfiltrating Data via Discord Webhooks

A sophisticated Visual Basic Script (VBS) malware known as “Silent Watcher” has emerged as a persistent threat targeting Windows systems. This malware showcases advanced data exfiltration capabilities through the use of Discord webhooks, representing a concerning evolution in information-stealing tactics that exploit legitimate communication platforms to evade traditional security measures. Silent Watcher operates through a meticulously orchestrated multi-stage attack process, commencing with the execution of a VBS script that establishes persistence on infected systems. Upon initialisation, it systematically gathers comprehensive system information via Windows Management Instrumentation (WMI) queries, collecting critical details about the operating system, user credentials, and computer specifications. Researchers from K7 Security Labs identified this strain through its distinctive operational signature and unique webhook communication patterns, highlighting its ability to remain undetected while continuously monitoring victim systems.

What makes Silent Watcher particularly dangerous is its dynamic creation of multiple PowerShell scripts, such as “vbs_ps_browser.ps1” for browser metadata extraction and “vbs_ps_diag.ps1” for capturing screenshots. These scripts are designed to circumvent PowerShell execution policies and operate with minimal system impact. The malware employs sophisticated exfiltration mechanisms, using the WinHttp.WinHttpRequest.5.1 object with MSXML2.ServerXMLHTTP as a fallback, so that data transmission remains reliable even in restricted network environments. Stolen data is formatted as JSON payloads before being transmitted to Discord webhooks, making the traffic appear to be legitimate communication with the platform. Silent Watcher also employs a cunning persistence strategy through timed execution cycles, allowing it to continuously capture updated screenshots and system states without raising immediate suspicion. Temporary files are created with randomised names in the system’s temporary folder, and the malware meticulously cleans up after each operation to minimise forensic traces, logging all of its activity in “vbs_reporter_log.txt”.
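As an added example (not code from the K7 Security Labs report or from this post), the following Python triage logic flags the behaviours described above in flattened process and network telemetry: a script host launching PowerShell with a policy bypass, the page-named script and log files, the HTTP COM objects, and a webhook post from a script host. The event lines are constructed, their field names are assumptions rather than any real sensor's schema, and the webhook id is a placeholder.

```python
import re
# Indicators quoted in the write-up above: script/log names and the HTTP COM objects.
PAGE_ARTIFACTS = ("vbs_ps_browser.ps1", "vbs_ps_diag.ps1", "vbs_reporter_log.txt")
COM_OBJECTS = ("winhttp.winhttprequest.5.1", "msxml2.serverxmlhttp")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Standard Discord webhook endpoint path (general knowledge, not taken from the page).
WEBHOOK_RE = re.compile(r"discord(?:app)?\.com/api/webhooks/", re.IGNORECASE)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Constructed sample telemetry: one flattened key=value record per line, loosely
# modelled on process-creation and network events (not real Sysmon output).
SAMPLE_EVENTS = [
    # VBS host launching PowerShell with a policy bypass on a page-named script
    r'EID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'ParentImage=C:\Windows\System32\wscript.exe '
    r'CommandLine="powershell.exe -ExecutionPolicy Bypass -File C:\Users\u\AppData\Local\Temp\vbs_ps_diag.ps1"',
    # script host posting to a webhook URL (placeholder id, not a real webhook)
    r'EID=3 Image=C:\Windows\System32\wscript.exe DestinationHostname=discord.com '
    r'DestinationPort=443 Url=https://discord.com/api/webhooks/000/PLACEHOLDER',
    # an admin one-liner using the same COM object for a legitimate request
    r'EID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'ParentImage=C:\Windows\explorer.exe '
    r'CommandLine="powershell.exe -Command New-Object -ComObject WinHttp.WinHttpRequest.5.1"',
]

def parse(line: str) -> dict:
    """Split a flattened key=value event line into a lowercase field dict."""
    return {k.lower(): v.strip('"').lower() for k, v in FIELD_RE.findall(line)}

def indicators(line: str) -> list[str]:
    """Return the indicator names that fire on one event line, in a fixed order."""
    ev = parse(line)
    image = ev.get("image", "").rsplit("\\", 1)[-1]
    parent = ev.get("parentimage", "").rsplit("\\", 1)[-1]
    cmd = ev.get("commandline", "")
    hits = []
    if parent in SCRIPT_HOSTS and image == "powershell.exe":
        hits.append("script_host_spawns_powershell")
    if re.search(r"-e\w*\s+bypass", cmd):  # -ExecutionPolicy Bypass, -ep bypass, ...
        hits.append("execution_policy_bypass")
    if any(name in line.lower() for name in PAGE_ARTIFACTS):
        hits.append("page_named_artifact")
    if any(obj in cmd for obj in COM_OBJECTS):
        hits.append("http_com_object_in_command")
    if WEBHOOK_RE.search(line) and image in SCRIPT_HOSTS + ("powershell.exe",):
        hits.append("webhook_from_script_host")
    return hits

def is_suspicious(hits: list[str]) -> bool:
    """A page-named artifact or a webhook post from a script host is enough alone; weaker signals must co-occur."""
    return bool({"page_named_artifact", "webhook_from_script_host"} & set(hits)) or len(hits) >= 2
```

The threshold deliberately leaves the lone COM-object event unflagged, since WinHttp.WinHttpRequest.5.1 is also used by ordinary administration scripts.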

Categories: Malware Analysis, Data Exfiltration Techniques, Persistence and Evasion Strategies

Tags: Silent Watcher, VBS Malware, Data Exfiltration, Discord Webhooks, Cmimai Malware, System Information, PowerShell Scripts, Persistence Strategy, Evasion Mechanisms, JSON Payloads
