Advanced Threat Analysis Platform

The complete guide
to Vortex

Vortex is a multi-layer behavioral threat analysis platform that detects Discord-targeting malware, token stealers, and credential grabbers — before they do damage.

Discord Threat Detection · Static + YARA + CAPA · AI Verdict Engine · Sandbox Analysis · Risk Scoring
Example scan panel: Static, YARA, CAPA, VT and HA done; Sandbox running; AI Models waiting. Detection: Verdict MALICIOUS, Score 94/100, indicators discord_db_access and token_exfiltration, AI 4/4 agree. Risk score 94, threat detected.

01 — Introduction

What is Vortex

Vortex is a desktop threat analysis tool built specifically to identify Discord token stealers, credential grabbers, and malware targeting the Discord ecosystem. It combines seven independent analysis layers into a single scored verdict.

Multi-Layer Analysis

Every scan runs Static, YARA, CAPA, VirusTotal, Hybrid Analysis, Sandbox (dynamic), and AI verdict in sequence. All layers contribute to a composite 0–100 risk score — no single method determines the outcome alone.

Discord-Focused Intelligence

Vortex looks specifically for Discord token access, credential exfiltration, Discord API abuse, and webhook callbacks. It distinguishes genuine threats from false-positive cheat injectors and game trainers using behavioral signatures.

02 — Getting Started

Create Account

Registration takes under a minute. Your account is tied to your hardware on first login to prevent sharing.

1. Register with email, password, and username

Usernames must be 3–24 characters and can only contain letters, numbers, underscores, and dots. VPN use is blocked during registration — disable it before registering. You can change your username later from Profile Settings.

2. Choose your username thoughtfully — but it's not permanent

Your username is editable at any time from your profile settings page. Your display name, bio, avatar, and pronouns are also freely editable. The only fields that cannot be changed are your email and hardware binding.

Username changes are available under Profile → Edit Profile → Username inside the Vortex tool at any time.
3. Account is bound to your hardware on first login

Your account is permanently linked to the hardware ID of the first device you log in from. This prevents account sharing. Contact the Vortex team to transfer to a new device.

4. Configure your API keys and VM setup next

After registration, your account is active. Before scanning, add your API keys and ensure your VM environment is correctly configured. See the API Keys and VM Setup sections of this guide.

One person, one account. Creating multiple accounts is permanently bannable — the system tracks duplicate hardware IDs and registration IPs automatically.
03 — Getting Started

API Keys

Vortex requires three external API keys. You can add them either through the Settings page inside the tool, or by editing config.json directly. Keys are stored locally and only leave your machine to query their services during a scan.

Free Key

VirusTotal

Queries VirusTotal's 70+ engine database for exe/dll file cross-referencing. Results return in under 10 seconds for known files.

1. Create a free account at virustotal.com
2. Go to your profile → API Key
3. Copy the 64-character key
4. Paste in Settings → API Keys → VirusTotal, or add to virustotal_keys array in config.json
500 requests/day · Free tier
Free Key

Hybrid Analysis

Queries the Hybrid Analysis sandbox database for behavioral reports. Results return in under 10 seconds for known files.

1. Register at hybrid-analysis.com
2. Go to profile → API Key
3. Copy your key
4. Paste in Settings → API Keys → Hybrid Analysis, or add to hybridanalysis_keys array in config.json
200 requests/day · Free tier
Free Key

OpenRouter

Powers the AI verdict engine. Multiple AI models analyze evidence independently, followed by a final synthesis pass.

1. Create an account at openrouter.ai
2. No need to add credit balance
3. Generate an API key in settings
4. Paste in Settings → API Keys → OpenRouter, or add to openrouter_keys array in config.json
50-per-key-per-day · 0 cost per scan
Preferred method: Settings page. Open Vortex → Settings → API Keys. Enter your keys and click Save. No file editing required — the tool writes directly to config.json for you.
config.json — actual field names
{
  "virustotal_keys": ["YOUR_VIRUSTOTAL_KEY_HERE"],
  "hybridanalysis_keys": ["YOUR_HYBRID_ANALYSIS_KEY_HERE"],
  "openrouter_keys": ["YOUR_OPENROUTER_KEY_HERE"]
}
Never share your config.json. Anyone with your API keys can consume your quota and scan files under your identity. Never screenshot it or include it in support requests.
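
A pre-flight check for the config.json described above, added here as an example and not part of Vortex. It assumes each array may hold several keys, uses only the field names, placeholder strings and 64-character VirusTotal key length stated in this guide, and masks key values in its findings; the sample keys are constructed.

```python
import json

# Field names and placeholder strings come from the guide's config.json sample.
EXPECTED_FIELDS = ("virustotal_keys", "hybridanalysis_keys", "openrouter_keys")
PLACEHOLDERS = {
    "YOUR_VIRUSTOTAL_KEY_HERE",
    "YOUR_HYBRID_ANALYSIS_KEY_HERE",
    "YOUR_OPENROUTER_KEY_HERE",
}
VT_KEY_LENGTH = 64  # the guide describes the VirusTotal key as 64 characters


def mask(key):
    """Hide all but the last 4 characters; short values are hidden entirely."""
    if len(key) <= 8:
        return "*" * len(key)
    return "*" * (len(key) - 4) + key[-4:]


def check_config(text):
    """Return (field, problem) tuples; an empty list means nothing was found."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [("<file>", f"invalid JSON at line {exc.lineno}")]
    if not isinstance(cfg, dict):
        return [("<file>", "top level must be a JSON object")]

    findings = []
    seen = {}  # stripped key value -> field where it first appeared
    for field in EXPECTED_FIELDS:
        entries = cfg.get(field)
        if not isinstance(entries, list) or not entries:
            findings.append((field, "missing, empty, or not an array"))
            continue
        for entry in entries:
            if not isinstance(entry, str) or not entry.strip():
                findings.append((field, "entry is not a non-empty string"))
                continue
            key = entry.strip()
            if key in PLACEHOLDERS:
                findings.append((field, "placeholder was never replaced"))
                continue
            if key != entry:
                findings.append((field, f"stray whitespace around {mask(key)}"))
            if field == "virustotal_keys" and len(key) != VT_KEY_LENGTH:
                findings.append((field, f"{mask(key)} is not {VT_KEY_LENGTH} characters"))
            if key in seen:
                # The same key pasted twice, or into the wrong service's array.
                findings.append((field, f"{mask(key)} also listed in {seen[key]}"))
            else:
                seen[key] = field
    return findings


# Constructed sample values, not real keys.
GOOD_SAMPLE = json.dumps({
    "virustotal_keys": ["a1" * 32],
    "hybridanalysis_keys": ["constructed-ha-key-0001"],
    "openrouter_keys": ["constructed-or-key-0001"],
})
BAD_SAMPLE = json.dumps({
    "virustotal_keys": ["YOUR_VIRUSTOTAL_KEY_HERE", "abc123"],
    "hybridanalysis_keys": [],
    "openrouter_keys": [" constructed-or-key-0001"],
})

if __name__ == "__main__":
    for name, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(name, check_config(sample) or "no findings")
```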
04 — Getting Started

VM Setup

Vortex's Sandbox (dynamic analysis) requires a specific environment to operate. Without this setup, your original token will be at risk — scans still run all other methods with dynamic behavioral detection.

Always run Vortex inside a dedicated Virtual Machine. The Sandbox layer executes suspicious files to observe their behavior. Running this on your main machine risks infecting your real system.
1. Create a dedicated Virtual Machine

Set up a Windows 10/11 VM using VMware, VirtualBox, or similar software. This VM should be considered expendable — it can be restored from a snapshot at any time. Never use your main machine for Sandbox scanning.

2. Install Discord with a throwaway account

Install Discord inside the VM. Log in with a fake, dedicated throwaway account — never use your real account. Sandbox Method 1 (GrabberDetector) requires Discord to be actively running when a scan starts. If Discord is not running, the scan will be stopped.

3. Install BlueStacks MSI App Player

Download and install BlueStacks MSI App Player (the MSI edition — HD-Player.exe) inside the VM. Vortex's Sandbox uses BlueStacks as an Android emulator during dynamic analysis. Without it, the complete scan is stopped.

4. Run Vortex inside the VM for Sandbox scans

Launch Vortex inside the VM with Discord open and logged in. The Sandbox layer will then be able to execute and monitor suspicious files in a safe, contained environment.

If Discord is not running when a scan starts, you will see: "Discord is not running. Please open Discord before starting a scan." — this stops the full scan.

Required Software

  • A Windows VM (VMware, VirtualBox, etc.)
  • Discord — installed and logged into a fake account
  • BlueStacks MSI App Player (HD-Player.exe)
  • Vortex installed inside the VM

What Happens Without Setup

  • Without Discord running → Scan never runs
  • Without BlueStacks → Scan stops
  • All other methods (Static, YARA, CAPA, VT, HA, AI) stop
  • Your original token can be grabbed
05 — Getting Started

Profile Setup

Your profile is visible to other users — it shows your stats, equipped badges, and the display name attached to all scan records you've submitted.

Editable Fields

  • Username — changeable from Profile → Edit Profile
  • Display Name — shown on scan records and your profile
  • Avatar URL — direct image link for your profile picture
  • Bio — short description visible to others
  • Pronouns — displayed alongside your name
  • Equipped Badges — choose which earned badges to show
  • Display Badge — single badge shown on scan record cards

Fixed / Auto-Tracked Fields

  • Email — used for login authentication only, cannot change
  • Hardware Binding — device locked on first login
  • Reputation — earned through scanning, never set manually
  • Grabber Detections — auto-tracked confirmed threat count
  • Total Badges — auto-counted from earned milestones
06 — Scanning

How to Scan

Three methods to load a file into Vortex. All three lead to the identical analysis pipeline and produce the same results.

File Browser

Click the upload zone in the Scanner tab. A standard file picker opens — navigate to the target file and click Open to begin analysis.

  1. Click the upload zone on the Scanner tab
  2. Navigate to the file in the dialog
  3. Click Open — scan begins automatically

Drag & Drop

Drag any file from Windows File Explorer and drop it directly onto the Vortex window. Fastest method — zero navigation required.

  1. Open File Explorer alongside Vortex
  2. Drag the target file
  3. Drop onto the Vortex window — instant load

Folder or RAR Archive

Select an entire folder or a RAR archive. Each file inside is scanned through its own pipeline. See Scan Rules for credit deduction details.

  1. Browse to the folder or .rar file
  2. Each file is analyzed individually
  3. Credits deducted per scan rules below
What happens during a scan
1. File is hashed — database checked

Vortex computes a SHA-256 hash of the file. If this exact file has been scanned before by any user, the cached result is returned immediately. Your credit is still used — but the result is instant.

2. Static Analysis + YARA + CAPA run simultaneously

The file is inspected without execution. PE structure, byte patterns, embedded strings, import tables, entropy levels, overlay data, packer detection, and PyInstaller payload extraction are all analyzed.

3. VirusTotal and Hybrid Analysis are queried

VT and HA are queried by hash for their database results. For known files, both services typically respond in under 10 seconds. If a file is unknown to VT or HA, an upload is performed — you can choose to allow or cancel this upload.

4. Sandbox runs dynamic behavioral analysis

For supported executable formats, the file is executed in an instrumented environment (requires Discord running + BlueStacks installed in the VM). Sandbox Method 1 monitors GrabberDetector signals and network connections. Method 2 performs deep scans.

New exe/dll: typically 3–20 min depending on file size
5. AI models produce independent verdicts

Four AI models analyze all gathered evidence independently, each producing a verdict with confidence score and reasoning. A final synthesis pass reviews all prior judgments and produces the definitive classification.

Expected scan time for a new executable: approximately 3 to 20 minutes depending on file size (up to 40 MB). Files larger than 40 MB can exceed 30 minutes. There is no enforced maximum — never close Vortex mid-scan.
07 — Scanning

Scan Rules

Understanding when scan credits are deducted prevents unexpected losses and helps you use your daily allocation efficiently.

FREE

Free Scan Rules

  • Deducted on every scan — new or duplicate
  • Deducted on hash matches too
  • Not deducted if scan fails to start
  • 5 free scans per day per account
  • Resets at 12:00 AM IST daily
  • Free scans are used before premium credits
PREMIUM

Premium Scan Rules

  • Only deducted on files not yet in the database
  • Zero cost to scan files already in the database
  • Credits never expire and never reset
  • Automatically used after free scans run out
  • Stack seamlessly with daily free scans
  • Contact the team for pricing or earn by milestone perks and leaderboard ranks
RAR Archive Scan Deduction
A. RAR container itself is scanned first

Vortex first scans the RAR file as a whole (Static, YARA, VirusTotal, Hybrid Analysis, AI). If the RAR container is flagged as malicious, one scan credit is deducted and the process stops — the files inside are not extracted or scanned.

B. If the RAR is clean, inner files are extracted and scanned individually

No credit is deducted for the Phase A check on a clean RAR. Each extracted inner file then goes through its own complete analysis pipeline. Each inner file that meets its type's completion criteria costs zero credits.

Summary: If the RAR itself is malicious → 1 credit total. If the RAR is clean → 0 credits for the RAR, then 0 credits per inner file scanned.
What happens when a scan fails
If any analysis method encounters a critical error — including a cancelled VT/HA upload, an API key issue, or a Sandbox failure — the entire scan is immediately aborted. An aborted scan is never saved to the database and never shown in your history. There is no "incomplete" scan state — every scan either completes fully, or is aborted entirely and discarded.
08 — Scanning

Reading Results

Every completed scan produces a Risk Score from 0 to 100 and a detection label. These are the primary verdict — everything else is supporting evidence.

  • 0–19: Clean
  • 20–39: Low Risk
  • 40–59: Moderate — Caution
  • 60–79: Suspicious
  • 80–100: Threat Detected

| Detection Label | Score | Meaning |
| --- | --- | --- |
| Clean | 0–59 | No significant indicators. File is considered safe. |
| Suspicious | 60–79 | Enough indicators to flag concern. Treat with caution. |
| Highly Suspicious | 80–99 | Strong malicious evidence. Do not open or execute. |
| Discord Token Stealer | 100 / Rule | Confirmed threat. Delete and report immediately. |
| Error | N/A | A method encountered an error and the scan was aborted. Re-scan the file. No credit is saved for aborted scans. |

A score of 60+ triggers the suspicious flag. A score of 80+ is high‑confidence detection. The AI verdict may override the numeric score in edge cases.
09 — Scanning

Analysis Methods

Seven independent analysis layers run in sequence and combine into a weighted composite risk score. Every layer targets a different class of evidence — no single method is more important than the others.

1. Static Analysis
Always runs · no key required

The file is inspected without execution. PE structure, byte patterns, embedded strings, import tables, entropy levels, TLS callbacks, overlay data, packer detection, and PyInstaller payload extraction are all analyzed.

2. YARA Scanning
Always runs · no key required

A custom YARA ruleset scans the file's binary content for known Discord stealer behavioral patterns, payload signatures, and obfuscation techniques. YARA matches are weighted in the risk score and passed to the AI models as evidence.

3. CAPA Capability Analysis
Always runs on PE files · no key required

CAPA identifies what capabilities the file has — network access, file system operations, process injection, encryption usage, and more — by matching against a library of known behavioral signatures. Outputs labeled capability categories.

4. VirusTotal Cross-Reference
Requires your VT API key

Queries VirusTotal's database using the file's SHA-256 hash to retrieve results from 70+ antivirus engines. For known files, results return in under 10 seconds. Unknown files trigger an upload prompt — you can allow or cancel.

5. Hybrid Analysis Intelligence
Requires your HA API key

Queries Hybrid Analysis's sandbox database by file hash for existing behavioral reports — threat tags, network behavior, verdicts, and classification labels. For known files, results return in under 10 seconds.

6. Sandbox (Dynamic Analysis)
Requires Discord running + BlueStacks installed

The file is executed inside an instrumented environment. Method 1 (GrabberDetector) monitors Discord process interactions, file system access patterns, and network connections in real time. Method 2 (Blaze Detector) performs deep scan to catch advanced evasion techniques.

7. AI Verdict Engine
Requires your OpenRouter key

Four AI models independently analyze all gathered evidence from every prior method and each produces a verdict with confidence score and written reasoning. A final synthesis pass reviews all prior model judgments and produces the definitive classification label.

10 — Plans

Free vs Premium

All users receive 5 free scans per day. The full analysis pipeline — all seven methods — runs identically for both free and premium. The only difference is how credits are deducted.

Free
5 Scans / day

Every account, every day. No payment. Resets at midnight IST.

  • 5 scans per day — resets at 12:00 AM IST
  • Complete 7-layer analysis pipeline
  • VirusTotal + Hybrid Analysis cross-reference
  • Sandbox dynamic behavioral analysis
  • Full AI verdict engine (4 models + arbiter)
  • Complete risk score and detailed report
  • Deducted on both new and duplicate scans
Premium
Scans never expire

Smart deduction — pay only for genuinely new files.

  • Everything in Free — identical pipeline
  • Credits never expire — no daily reset
  • Zero cost on files already in the database
  • 1 scan only on genuinely new files
  • Auto-used after daily free scans exhaust
  • Stack seamlessly with daily free allocation
  • Ideal for bulk scanning sessions
11 — Plans

Scan History

Every completed scan is stored in the global database and permanently linked to your account. View your full history from the History tab inside Vortex.

Your History

The History tab shows every scan you've submitted — file name, hash, risk score, detection label, and timestamp. Click any entry to open the full detailed report.

Global Database

Once a scan completes successfully, the file enters the shared global database. Any user scanning the same file gets the cached result instantly. The first submitter is permanently credited as the original discoverer.

Only fully completed scans are saved to the database. If a scan is aborted for any reason — API error, cancelled upload, or method failure — it is not saved and does not appear in your history.
12 — Community

Badge System

Badges are milestone awards earned automatically as you scan files and detect threats. Eleven badges across two independent progression tracks.

Analyst Track · Earned by Reputation (REP)

Reputation grows each time you contribute completed scans to the global database.

  • Novice Archivist: Reach 50 reputation
  • Data Collector: Reach 100 reputation
  • Digital Hoarder: Reach 250 reputation
  • Archive Guardian: Reach 350 reputation
  • Vault Keeper: Reach 500 reputation
  • Master of Archives: Reach 1000 reputation

Hunter Track · Earned by Grabber Detections (GRAB)

Increases each time one of your scans confirms a Discord token stealer.

  • Threat Spotter: Detect 10 grabbers
  • Stealer Hunter: Detect 50 grabbers
  • Malware Slayer: Detect 100 grabbers
  • Grabber Exterminator: Detect 300 grabbers
  • Discord Purifier: Detect 500 grabbers

Badge Perks

Badges are milestone awards with real visibility benefits. Here's what earning badges gives you:

🏅
Profile Display
Your earned and equipped badges are visible on your public profile page, showcasing your progression to other community members.
🎴
Premium Scans
Get free premium scans as per badge perks.
🏆
Leaderboard Ranking
Your total badge count determines your position on the Total Badges leaderboard — a measure of overall milestone achievement.
Badges are fully automatic. The moment you hit a threshold, the badge is queued. A congratulations notification appears on your screen. You can claim the badge by clicking Claim.
13 — Community

Reputation & Stats

Three stats define your community standing. All tracked automatically — you never input them manually.

Reputation

The primary progression metric. Grows as you contribute completed scans to the global database. Determines your rank on the main leaderboard and drives the Analyst badge track.

Grabber Detections

Counts confirmed Discord token stealers you've found. Tracked independently from reputation. Determines your rank on the threat-hunter leaderboard and drives the Hunter badge track.

Total Badges

Your cumulative count of earned milestone badges. Reflects overall achievement across both the Analyst and Hunter tracks. Shown on your profile and the Total Badges leaderboard.

| Stat | What It Tracks | Visible to Others |
| --- | --- | --- |
| reputation | Scan contributions to the global database | Yes — profile & leaderboard |
| grabberDetections | Confirmed Discord threats discovered | Yes — profile & leaderboard |
| badges (count) | Total earned milestone badges | Yes — profile & leaderboard |
| freeScansLeft | Remaining free scans for today | Only you |
| premiumScans | Remaining premium credit balance | Only you |

14 — Community

Leaderboard

Three separate rankings measure different dimensions of contribution. You can access them from the Leaderboard tab inside Vortex. Earn free scans by achieving Rank 1 by the end of the week (Monday, 12 AM IST). The users who top the Reputation, Grabber Detector, or Total Badges leaderboards will receive premium scans, which will be added directly to their accounts.

Reputation Rank

Rankings by scan contribution to the global database. The most comprehensive measure of community activity and quality.

Grabber Rank

Ranks users by confirmed Discord threat discoveries. A high position means you've been a significant force in identifying real malware in the wild.

Total Badges Rank

Rankings by total number of earned milestone badges. Reflects overall achievement across both Analyst and Hunter badge tracks combined.

15 — Reference

Rules & Conduct

Vortex enforces strict policies to maintain integrity. Violations are detected automatically and result in permanent bans with no appeal process.

Prohibited

  • Creating more than one account per person or device
  • Using VPNs or proxies during account registration
  • Sharing your account, session, or credentials
  • Attaching debugging tools to the Vortex process
  • Intercepting or tampering with Vortex network traffic
  • Attempting to reverse-engineer security measures
  • Submitting false or fabricated scan data

Permitted

  • Scanning any file you have a legitimate reason to analyze
  • Using a VPN after registration — login and scanning are fine
  • Sharing scan result summaries in communities
  • Using all 5 of your free daily scans every day
  • Discussing Vortex findings publicly
  • Reporting bugs or suspected false positives to the team
Automatic ban system — no appeal, no exceptions.
Attaching a debugger to the Vortex process triggers an immediate, silent, permanent ban — no warning is given. The ban covers your account, your current IP address, and your original registration IP. All three are blocked simultaneously. IP bans prevent new accounts from being registered from the same IP. There is no manual review process and no appeal path. Any account found violating these rules is permanently banned and cannot be reinstated.
Best Practices

Configure all three API keys before your first scan

Without VirusTotal and Hybrid Analysis keys, those cross-reference layers are skipped. Without your OpenRouter key, the AI verdict engine is disabled. Set up all three before scanning for the most accurate results.

Never close Vortex or disconnect mid-scan

Closing the app or losing internet during a scan aborts the entire scan — which is discarded and not saved. The credit may still be deducted. Always let scans run to full completion.

Protect your config.json file

Your API keys live in config.json. Never share it, include it in screenshots, or upload it anywhere. Anyone with your keys can consume your API quota.

Always run Sandbox scans inside a VM

The Sandbox executes suspicious files. Running this on your real machine is dangerous. Maintain a dedicated VM snapshot you can restore after each scanning session.

16 — Reference

FAQ

17 — Download

Download Vortex

Always use the latest version to ensure current detection signatures and server compatibility.

Latest Release · v1.0.1
Initial Public Release
Released January 2025
  • 7-layer threat analysis: Static, YARA, CAPA, VirusTotal, Hybrid Analysis, Sandbox (dynamic), and AI verdict engine
  • Sandbox analysis with GrabberDetector (Method 1) and deep-dive (Method 2)
  • Full account system with hardware binding and per-account scan history
  • Badge system across two tracks — Analyst (reputation) and Hunter (grabber detections)
  • Three-tier leaderboard: Reputation Rank, Grabber Rank, and Total Badges Rank
  • Free tier: 5 scans per day with midnight IST reset
  • Premium credits with zero-cost duplicate scan advantage
  • Global threat database with first-discovery attribution