A newly discovered malware campaign is taking advantage of a vulnerability in Discord’s invitation system to spread an information stealer known as Skuld and the AsyncRAT remote access trojan.

According to Check Point, the attackers are hijacking links through vanity link registration, enabling them to silently redirect users from trusted sources to malicious servers. This is achieved by combining the ClickFix phishing technique, multi-stage loaders, and time-based evasions to deliver AsyncRAT and a customized Skuld Stealer that targets crypto wallets.

The issue lies in Discord’s invite mechanism, which allows attackers to hijack expired or deleted invite links and secretly redirect unsuspecting users to malicious servers under their control. This means that a previously trusted Discord invite link shared on forums or social media platforms could unknowingly lead users to malicious sites.

Check Point’s findings come about a month after the company uncovered another sophisticated phishing campaign that hijacked expired vanity invite links to lure users into joining a Discord server and verifying their accounts, resulting in the theft of their digital assets.

Discord allows users to create temporary, permanent, or custom (vanity) invite links. However, the platform prevents other legitimate servers from reclaiming a previously expired or deleted invite. Check Point discovered that creating custom invite links enables the reuse of expired invite codes and even deleted permanent invite codes in some cases.

This ability to reuse expired or deleted codes when creating custom vanity invite links creates a significant risk, as users who follow previously trusted invite links can unknowingly be redirected to fake Discord servers created by threat actors.

“This creates a serious risk: Users who follow previously trusted invite links (e.g., on websites, blogs, or forums) can unknowingly be redirected to fake Discord servers created by threat actors,” Check Point said.

The Discord invite-link hijacking campaign involves taking control of invite links originally shared by legitimate communities and then using them to redirect users to the malicious server. Users who fall prey to the scheme and join the server are asked to complete a verification step to gain full server access by authorizing a bot, which then leads them to a fake website with a prominent “Verify” button.

This is where the attackers incorporate the infamous ClickFix social engineering tactic to trick users into infecting their systems under the pretext of verification.

Specifically, clicking the “Verify” button executes JavaScript that copies a PowerShell command to the machine’s clipboard. The users are then urged to launch the Windows Run dialog, paste the already copied “verification string” (i.e., the PowerShell command), and press Enter to authenticate their accounts.

However, performing these steps triggers the download of a PowerShell script hosted on Pastebin that subsequently retrieves and executes a first-stage downloader, which is ultimately used to drop AsyncRAT and Skuld Stealer from a remote server and execute them.
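The ClickFix step described above leaves a forensic trace: whatever the victim pastes into the Run dialog is recorded under the RunMRU registry key. The following triage helper is an added example for incident responders, not code from the Check Point report; the indicator list and function name are assumptions chosen for illustration.

```powershell
# Added example (not from the original article): inspect the Windows Run dialog
# history (RunMRU) for pasted commands that look like a ClickFix "verification
# string", i.e. a PowerShell one-liner that fetches and runs remote content.
function Get-SuspiciousRunMruEntries {
    param(
        [string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU',
        # Assumed indicator list for illustration; tune it to your environment.
        [string[]]$Indicators = @('powershell', 'pwsh', 'iex', 'invoke-expression',
                                  'downloadstring', 'pastebin', '-enc', '-w hidden', 'bypass')
    )
    if (-not (Test-Path $Path)) { return @() }
    $key = Get-ItemProperty -Path $Path
    # MRUList stores the lettered value names in order, most recent first.
    $order = if ($key.MRUList) { $key.MRUList.ToCharArray() } else { @() }
    foreach ($letter in $order) {
        $name = [string]$letter
        $raw  = $key.$name
        if (-not $raw) { continue }
        # Explorer appends a literal "\1" to every stored Run dialog command.
        $cmd  = $raw -replace '\\1$', ''
        # -match is case-insensitive by default, so mixed-case obfuscation still hits.
        $hits = $Indicators | Where-Object { $cmd -match [regex]::Escape($_) }
        if ($hits) {
            [pscustomobject]@{
                Slot       = $name
                Command    = $cmd
                Indicators = ($hits -join ', ')
            }
        }
    }
}

# Run against the current user's profile and print any matches.
Get-SuspiciousRunMruEntries | Format-Table -AutoSize
```

Run it under the affected user's context (or point `$Path` at a loaded NTUSER.DAT hive) when reconstructing a suspected ClickFix infection; an entry that pairs PowerShell with a download cue corroborates the clipboard-paste step.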

The attack involves a meticulously engineered, multi-stage infection process designed for precision and stealth, and it also attempts to evade security protections through sandbox-detection checks.

AsyncRAT, which offers comprehensive remote control capabilities over infected systems, employs a technique called dead drop resolver to access the actual command-and-control (C2) server by reading a Pastebin file.

The other payload is a Golang information stealer downloaded from Bitbucket, equipped to steal sensitive user data from Discord, various browsers, crypto wallets, and gaming platforms.

Skuld is also capable of harvesting crypto wallet seed phrases and passwords from the Exodus and Atomic crypto wallets using an approach called wallet injection, which replaces legitimate application files with trojanized versions downloaded from GitHub.

The attack also employs a custom version of an open-source tool known as ChromeKatz to bypass Chrome’s app-bound encryption protections. The collected data is exfiltrated to the attackers via a Discord webhook.

The fact that payload delivery and data exfiltration occur via trusted cloud services such as GitHub, Bitbucket, Pastebin, and Discord allows the threat actors to blend in with normal traffic and evade detection. Discord has since disabled the malicious bot, effectively breaking the attack chain.

Check Point also identified another campaign mounted by the same threat actor that distributes the loader as a modified version of a hacktool for unlocking pirated games. The malicious program, hosted on Bitbucket, has been downloaded 350 times.

The victims of these campaigns are primarily located in the United States, Vietnam, France, Germany, Slovakia, Austria, the Netherlands, and the United Kingdom.

The findings represent the latest example of how cybercriminals are targeting the popular social platform, which has had its content delivery network (CDN) abused to host malware in the past.

“This campaign illustrates how a subtle feature of Discord’s invite system, the ability to reuse expired or deleted invite codes in vanity invite links, can be exploited as a powerful attack vector,” the researchers said. “By hijacking legitimate invite links, threat actors silently redirect unsuspecting users to malicious Discord servers.”

“The choice of payloads, including a powerful stealer specifically targeting cryptocurrency wallets, suggests that the attackers are primarily focused on crypto users and motivated by financial gain.”
