VDB
GCVE-110-OSM-2026-654
GCVE-110-OSM-2026-654
Advisory PublishedCVSS 9.6/10
Skuld is a "Discord-oriented" stealer that targets Windows systems. Despite the "educational purposes" disclaimer, it's a fully-functional piece of malware with extensive data exfiltration capabilities.
Key Capabilities
Credential & Data Theft
Steals logins, cookies, credit cards, history from 37 Chromium-based browsers and 10 Gecko/Firefox browsers
Extracts Discord tokens from 4 Discord applications plus browsers
Captures data from 10 local crypto wallets and 55 browser wallet extensions
Steals Epic Games, Uplay, Minecraft (14 launchers), and Riot Games sessions
Grabs sensitive files from common locations and saved Wi-Fi credentials
Discord-Specific Attacks
Injects into Discord client to intercept login/2FA requests, email/password changes, and payment additions
Captures 2FA backup codes
Blocks QR code login (likely to force credential entry for interception)
Persistence & Evasion
Uses fodhelper.exe UAC bypass for privilege escalation across all user accounts
Anti-debugging: terminates debugging tools
Anti-VM: detects and exits in virtual machine environments
Anti-AV: disables Windows Defender and blocks AV websites
Hides console, adds itself to startup, displays fake error messages
Crypto Clipper
Monitors clipboard and replaces copied crypto addresses with attacker-controlled addresses
Exfiltration
Data is sent via Discord webhook to the attacker.
Technical Notes
The malware is modular, allowing cherry-picking of specific capabilities. It compresses to ~3MB with UPX packing. The codebase draws from multiple existing stealers (Empyrean, Blank-Grabber, HackBrowserData, etc.).
This is a fairly standard but well-organized modern infostealer—useful to understand for detection rule development or threat modeling in your supply chain security work.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | all (affected), * (affected), all (affected), all (affected), * (affected), all (affected), * (affected) | — | |
| unknown | azure-eventhub-checkpointstoretable | all (affected) | — |
| unknown | all (affected) | — |
Aliases
Browse GCVE Records
72,921 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.