Discord as a C2 and the cached evidence left behind
ID: eab50dfa-b0a7-5e6a-b26d-41faf352b8e9
STIX ID: report--eab50dfa-b0a7-5e6a-b26d-41faf352b8e9
Feed Name: Pen Test Partners Blog
This report explains how Discord webhooks can be abused as a lightweight C2 and data exfiltration channel using PowerShell, then details the persistent forensic artifacts left in Discord’s Chromium cache (attachments, webhook URLs, thumbnails, timestamps) that enable post-incident reconstruction. It introduces a purpose-built Discord Forensic Suite (CLI/GUI) that automates cache parsing, artifact extraction, hashing, and timeline/HTML/CSV reporting, helping DFIR teams recover evidence and rebuild attacker timelines even after servers or messages are deleted.
