Unveiling Members Hub: A Large-Scale Campaign to Artificially Boost Discord Server Metrics

During a routine threat feed review, our security team stumbled upon a package named worker-czda with suspicious activity involving the download and execution of code from a specific URL. Upon deeper investigation, this led to the discovery of Members Hub, a sophisticated Discord "server boosting" service. This service is capable of artificially inflating server metrics by simulating user activity.

While not malicious in the traditional sense, this Discord server boosting service poses significant threats to the integrity of the Discord platform and its community. By artificially inflating server metrics and simulating user activity, this service undermines the authenticity of Discord communities and violates the platform's Terms of Service. The sophisticated nature of this operation raises concerns about the scale at which server statistics can be manipulated, potentially affecting user trust, server rankings, and the overall Discord ecosystem.

Moreover, the collection and use of user tokens, even if provided willingly, presents serious security and privacy risks. If this service were to be compromised, thousands of Discord accounts could be at risk of unauthorized access or misuse.

Summary of the Code#

The investigation has uncovered a multi-component system designed to boost Discord server metrics. The system includes a main client for managing operations, a token management module, and several activity simulation scripts. These components work together to control multiple Discord accounts simultaneously, simulating user activity to inflate server engagement metrics.

The code demonstrates a high level of sophistication, with features such as:

• Centralized control through a WebSocket server
• Dynamic activity simulation for multiple popular games
• Automated token management and authentication
• Error handling and reconnection logic to ensure persistent operation

POC#

The domain https://members-hub[.]store appears to be part of a broader campaign offering "server boosting as a service." The sophisticated nature of this code suggests it may be one of several similar operations. The market for artificially boosting online metrics is unfortunately quite large, spanning multiple platforms beyond just Discord.

• Main Client (client.js):

class Main {
  constructor(_0x475a1a, _0x3c3be5) {
    this._files = {};
    this.cache = {};
    this.fs = new FILESYSTEM__(this);
    console.log(_0x475a1a, _0x3c3be5);
    this.pass = _0x475a1a;
    this.id = _0x3c3be5;
    this._request_Files();
  }
  ["handleError"](_0x21b038) {
    console.log(_0x21b038);
    process.exit(0);
  }
  async ["_request_Files"]() {
    console.log(this.pass);
    let _0xa38144 = await AXIOS__.get("https://members-hub.store/linkbyauth?pass=" + this.pass).then(_0x38df70 => _0x38df70.data)["catch"](_0x566de7 => this.handleError(_0x566de7?.["response"]?.["data"]));
    if (!_0xa38144) {
      return;
    }
    const _0x69fde6 = await AXIOS__.get(_0xa38144[this.id], {
      'headers': {
        'authentication': _0xa38144[3]
      }
    }).then(_0x5a0a18 => _0x5a0a18.data)['catch'](_0x51b50b => this.handleError(_0x51b50b.response?.["data"]));
    if (!_0x69fde6) {
      return;
    }
    console.log(_0x69fde6['index.js']);
    this._files = _0x69fde6;
    console.log("Files Loaded!");
    this.start_();
  }
}

This Main class is the core of the operation. It initializes the system and fetches necessary files from the control server. The _request_Files method is particularly interesting as it shows how the system authenticates and retrieves operational data.

The system's operation begins with the Main class, which:

1. Initializes with a password and ID.
2. Connects to "https://members-hub[.]store/linkbyauth" to authenticate.
3. Retrieves operational files based on the provided ID.
4. Loads these files into memory and begins operations.

This process allows the system to dynamically load its operational code, making it highly flexible and potentially difficult to detect or analyze.

On debugging the code, we found that the code fetches an activities.js file

which simulates gaming activity to make controlled accounts appear active and legitimate.

• Various activities used to simulate a live user.

activities = {
  '8ball.js': '\n\nconst events = require("events");\nconst WebSocket = require("ws");\n\n\nclass ball8 extends events {\n  constructor(tokenWS) {\n    super();\n    this.tokenWS = tokenWS;\n    \n ...',
  'badlion.js': '\n\nconst events = require("events");\nconst WebSocket = require("ws");\n\n\nclass Badlion extends events {\n  constructor(tokenWS) {\n    super();\n    this.tokenWS = tokenWS;\n    \n ...',
  'brawlhalla.js': 'const events = require("events");\nconst WebSocket = require("ws");\n\n\nclass Brawlhalla extends events {\n  constructor(tokenWS) {\n    super();\n    this.tokenWS = tokenWS;\n    ...',
  'callofduty_mw.js': 'const events = require("events");\nconst WebSocket = require("ws");\n\n\nclass callofduty_mw extends events {\n  constructor(tokenWS) {\n    super();\n    this.tokenWS = tokenWS;\n ...',
  'crossfire.js': '\n\nconst events = require("events");\nconst WebSocket = require("ws");\n\n\nclass crossfire extends events {\n  constructor(tokenWS) {\n    super();\n    this.tokenWS = tokenWS;\n ...',
  'csgo.js': '\n\nconst events = require("events");\nconst WebSocket = require("ws");\n\n\nclass csgo extends events {\n  constructor(tokenWS) {\n    super();\n    this.tokenWS = tokenWS;\n    \n ...',
  'custom.js': 'const events = require("events");\nconst WebSocket = require("ws");\n\n\nclass Custom extends events {\n  constructor(tokenWS) {\n    super();\n    this.tokenWS = tokenWS;\n    \n ...',
  'fifa22.js': 'const events = require("events");\nconst WebSocket = require("ws");\n\n\nclass fifa extends events {\n  constructor(tokenWS) {\n    super();\n    this.tokenWS = tokenWS;\n    \n  thi...',
  'garry.js': '\n\n\nconst events = require("events");\nconst WebSocket = require("ws");\n\n\nclass garry extends events {\n  constructor(tokenWS) {\n    super();\n    this.tokenWS = tokenWS;\n    \n...',
  'gtasa.js': '\n\nconst events = require("events");\nconst WebSocket = require("ws");\n\n\nclass gtasa extends events {\n  constructor(tokenWS) {\n    super();\n    this.tokenWS = tokenWS;\n    \n ...',
  'gtav.js': 'const events = require("events");\nconst WebSocket = require("ws");\n\n\nclass gtav extends events {\n  constructor(tokenWS) {\n    super();\n    this.tokenWS = tokenWS;\n    \n  this...',
  'lunar_client.js': 'const events = require("events");\nconst WebSocket = require("ws");\n\n\nvar versions = ["1.8.9", "1.12.2", "1.19.2", "1.18.2"];\n\nclass Lunar extends events {\n  constructor(toke...',
  'minecraft.js': 'const events = require("events");\nconst WebSocket = require("ws");\n\n\nclass Minecraft extends events {\n  constructor(tokenWS) {\n    super();\n    this.tokenWS = tokenWS;\n    \n ...'
}

• E.g.:- 8ball.js

const events = require("events");
const WebSocket = require("ws");

class ball8 extends events {
  constructor(tokenWS) {
    super();
    this.tokenWS = tokenWS;
    this.start = Date.now();
    this.timestamp;
    this.execute();
  }

  getRandomMs() {
    return Math.floor(Math.random() * 1800000) + 600000;
  }

  execute() {
    if(!this.tokenWS) return;
    this.timestamp = this.start - this.getRandomMs();
    let updateData = {
      "type": 0,
      "timestamps": {
        "party": {},
        "name": "BlueStacks 5",
        "id": "6a508b55e4a598f8",
        "details": "8 Ball Pool",
        "created_at": this.timestamp,
        "assets": {
          "small_text": "BlueStacks 5",
          "small_image": "897378534438359060",
          "large_text": "8 Ball Pool",
          "large_image": "892382904582295642"
        },
        "application_id": "963655517939875850"
      }
    }
    this.tokenWS.updateStatus(updateData);
  }

  destroy() {
    this.tokenWS = undefined;
  }
}

module.exports = ball8;

BlueStacks Emulator:

The above code incorporates BlueStacks, a popular Android emulator that allows users to run Android applications on a PC or Mac. BlueStacks might be involved in facilitating gaming activity, such as playing "8 Ball Pool," which could make Discord accounts appear active and legitimate. The boosting service can create the illusion of user engagement, as if real players are using the platform.

Details of the Threat#

The system operates by:

1. Collecting Discord tokens from willing participants or bulk-created accounts.
2. Connecting to a central control server (wss://alwaysonline.members-hub.store/).
3. Simulating user activities like playing games to appear legitimate.
4. Potentially interacting with Discord messages to simulate engagement.
5. Maintaining persistent connections to boost server member counts.

The system's modular design allows for easy scaling and adaptation. Its use of WebSocket connections ensures real-time control and updates. The activity simulation modules make detection challenging by mimicking normal user behavior across various popular games.

Exploitation potential includes:

• Artificial inflation of server metrics (member count, activity levels)
• Potential for spam or targeted message campaigns
• Manipulation of server rankings or discovery algorithms
• Undermining of genuine community engagement

While not directly malicious towards users, this service violates Discord's Terms of Service and can negatively impact the platform's ecosystem. It also poses security risks to participating accounts and could potentially be misused for more harmful purposes if compromised.

IOCs (Indicators of Compromise)#

1. WebSocket Connection: wss://alwaysonline.members-hub.store/
2. Domain: members-hub.store
3. Discord Application IDs:
   • 821361671729709086 (associated with "8 Ball Pool" simulation)
   • 631914894446297148 (associated with "Call of Duty: Modern Warfare" simulation)
   • 356875057940791296 (associated with "Counter-Strike: Global Offensive" simulation)
   • 356876176465199104 (associated with "Grand Theft Auto V" simulation)
4. Authentication URL: https://members-hub[.]store/linkbyauth