Hackers Abuse Parental Controls to Hijack Google Accounts
Threat actors are executing account takeover campaigns by distributing malware disguised as video games via compromised Discord accounts. Upon gaining initial access to a victim's Google account, attackers abuse the Family Link parental control feature by changing the victim's age to under 13 and assigning a malicious parent account. This allows the attackers to reset the password, bypass 2-Step Verification, lock the legitimate user out completely, and demand a ransom for account recovery.
Authors: Zaria Vuksan
Source: ReversingLabs
- URL: hxxps://dungeonwarriordemo[.]netlify[.]app (malicious website hosting a fake game used for initial access)
- URL: hxxps://hyperionbeta[.]netlify[.]app (malicious website hosting a fake game used for initial access)
- URL: hxxps://vampirk-beta[.]netlify[.]app (malicious website hosting a fake game used for initial access)
- URL: hxxps://www[.]dropbox[.]com/scl/fi/hrbi8psg6j123os5lg56t/HyperionV2[.]exe (Dropbox link hosting the malicious executable payload)
- URL: hxxps://www[.]dropbox[.]com/scl/fi/wduyccgsm5njhhpvqhhog/DungeonWarriorDemo[.]exe (Dropbox link hosting the malicious executable payload)
Detection / Hunter: Google
What Happened
Hackers are taking over people's Google and Discord accounts by tricking them into downloading fake video games sent by compromised friends. Once the hackers get into a Google account, they change the user's age to make them a child and set themselves up as the 'parent' using the Google Family Link feature. This allows the hackers to lock the real owner out completely, bypass security protections, and demand a ransom to give the account back. Users should be very careful about downloading files from friends on chat apps and should review their Google account security settings.
Key Takeaways
- Attackers are abusing the Google Family Link parental control feature to maintain persistent control over hijacked accounts and block recovery.
- Initial compromise often occurs via social engineering on Discord, where compromised friends trick victims into downloading fake video games.
- By changing a victim's account age to under 13, attackers can assign themselves as a 'parent' account, granting them administrative control.
- Parent accounts can reset the child's password, which automatically logs out all sessions and disables 2-Step Verification.
- Attackers demand ransom payments (e.g., $250-$450) to return the accounts and prevent the sale of harvested data.
Affected Systems
- Google Accounts
- Discord Accounts
- Windows OS
Attack Chain
The attack begins with social engineering via Discord, where compromised accounts send messages urging friends to download a fake game. The provided link directs victims to a malicious website that downloads an executable payload hosted on Dropbox. Once executed, the malware likely harvests session tokens or credentials, granting the attacker access to the victim's Google account. The attacker then modifies the account's birthdate to under 13, assigns a malicious parent account via Google Family Link, and resets the password to lock the victim out and demand a ransom.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules or queries.
Detection Engineering Assessment
- EDR Visibility: Medium. EDR can detect execution of the initial malicious payload (the fake game .exe downloaded from Dropbox), but has no visibility into the cloud-side manipulation of the Google account.
- Network Visibility: Low. Traffic to Netlify and Dropbox is encrypted and generally trusted, so network-based detection of the download is difficult without TLS inspection and specific URL indicators.
- Detection Difficulty: Hard. The core abuse relies on a legitimate Google feature (Family Link) and occurs entirely within Google's infrastructure, so it is invisible to standard enterprise endpoint telemetry unless Google Workspace logs are actively monitored for birthdate changes and Family Link parent associations.
Required Log Sources
- Google Workspace Admin Logs
- EDR Process Creation Logs
- Web Proxy Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for unexpected executions of unsigned binaries downloaded from cloud storage providers like Dropbox, especially those originating from communication apps like Discord. | EDR Process Creation Logs, Web Proxy Logs | Execution | Medium |
| If you have visibility into Google Workspace logs, consider monitoring for sudden changes to user birthdates that drop the age below 13, followed immediately by Family Link parent assignments. | Google Workspace Admin Logs | Credential Access / Impact | Low |
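The second hypothesis as a worked correlation, added here as an illustration and not taken from the ReversingLabs article: it scans a small set of constructed audit events (the event and field names BIRTHDATE_CHANGE and FAMILY_LINK_PARENT_ADDED are assumptions, not the real Google Workspace log schema), flags any birthdate change that drops a user under 13, and escalates the hit when a Family Link parent is added to the same user within a time window.

```python
from datetime import datetime, timedelta

# Constructed sample audit events. Field names and event names are
# assumptions for illustration, not the real Google Workspace log schema.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "user": "alice@example.com",
     "event": "BIRTHDATE_CHANGE", "new_birthdate": "2014-06-01"},
    {"ts": "2024-05-01T10:02:30", "user": "alice@example.com",
     "event": "FAMILY_LINK_PARENT_ADDED", "parent": "guardian@example.net"},
    {"ts": "2024-05-01T11:00:00", "user": "bob@example.com",
     "event": "BIRTHDATE_CHANGE", "new_birthdate": "1990-03-15"},
    {"ts": "2024-05-01T11:01:00", "user": "bob@example.com",
     "event": "FAMILY_LINK_PARENT_ADDED", "parent": "spouse@example.net"},
    {"ts": "2024-05-02T09:00:00", "user": "carol@example.com",
     "event": "BIRTHDATE_CHANGE", "new_birthdate": "2015-01-01"},
]

def age_at(birthdate: datetime, when: datetime) -> int:
    """Whole years between birthdate and `when`."""
    years = when.year - birthdate.year
    if (when.month, when.day) < (birthdate.month, birthdate.day):
        years -= 1
    return years

def hunt_family_link_takeover(events, window=timedelta(hours=24)):
    """One hit per birthdate change that drops a user under 13; stage becomes
    'parent_assigned' if a Family Link parent is added within `window`."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    hits = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["event"] != "BIRTHDATE_CHANGE":
                continue
            changed_at = datetime.fromisoformat(e["ts"])
            new_age = age_at(datetime.fromisoformat(e["new_birthdate"]), changed_at)
            if new_age >= 13:
                continue  # legitimate adult birthdate edit, not the abuse pattern
            hit = {"user": user, "new_age": new_age,
                   "stage": "age_dropped", "parent": None}
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["ts"]) - changed_at > window:
                    break
                if later["event"] == "FAMILY_LINK_PARENT_ADDED":
                    hit["stage"] = "parent_assigned"
                    hit["parent"] = later["parent"]
                    break
            hits.append(hit)
    return hits
```

An 'age_dropped' hit alone is a lower-confidence lead (a genuine typo correction looks the same); the 'parent_assigned' stage is the sequence the Attack Chain section describes and is what to page on.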
Control Gaps
- Lack of MFA enforcement for sensitive account profile changes (like birthdate)
- Inability to prevent personal Google account abuse from unmanaged devices
Key Behavioral Indicators
- Execution of files named 'Hyperion.exe', 'HyperionV2.exe', or 'DungeonWarriorDemo.exe'
- Unexpected child account approval prompts on Google accounts
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- If an account is compromised, consider isolating the affected endpoint to prevent further credential harvesting or lateral movement.
- Evaluate whether to block the identified malicious Netlify and Dropbox URLs at the network perimeter.
Infrastructure Hardening
- Consider disabling Google's 'Skip password when possible' feature to require authentication before password changes.
- Evaluate enforcing strict MFA (FIDO2/WebAuthn) for all corporate and sensitive accounts.
User Protection
- Consider advising users to remove saved Google passwords from local browsers or password managers if the device is suspected to be compromised.
- If applicable, encourage users to utilize Google Takeout to maintain offline backups of critical account data.
Security Awareness
- Consider incorporating scenarios into security awareness training where trusted contacts send unusual links or requests via platforms like Discord.
- Educate users on the risks of downloading and executing unverified software, even when recommended by known contacts.
MITRE ATT&CK Mapping
- T1566.002 - Phishing: Spearphishing Link
- T1204.002 - User Execution: Malicious File
- T1098 - Account Manipulation
- T1531 - Account Access Removal