In the latest exposé from Check Point Research, Discord's once-trusted invite system has been turned against its own communities. Attackers are now exploiting a subtle yet powerful loophole in Discord's invitation mechanics: repurposing expired or deleted links to redirect users to malware-laden servers without ever compromising the original source.
Most Discord users believe an invite link is immutable: a simple URL leading to a safe, specific community. But that assumption is dangerously flawed. When a server loses its Level 3 Boost or deletes an invite, the link can be reclaimed as a vanity URL by anyone with the right privileges, including threat actors.
"Temporary invites are published under the false assumption that they will never expire… These links eventually expire without warning, making their codes vulnerable to hijacking and malicious reuse," the researchers explained.
Legitimate communities might have posted these links months ago on blogs, social media, or forums. Once hijacked, the same link becomes a backdoor into attacker-controlled servers meticulously designed to appear real.
Once a victim joins a malicious server via a hijacked invite, the "verification" process begins. A bot named Safeguard requests OAuth permissions and redirects the user to captchaguard[.]me, a phishing site styled to mirror Discord's interface.
Here, attackers deploy the clever ClickFix trick: displaying a broken CAPTCHA and guiding users to paste a malicious PowerShell command directly into their Run dialog.
"Clicking 'Verify' executes JavaScript that silently copies a malicious PowerShell command to the user's clipboard…"
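One defensive follow-up to the hijacking described above is to periodically re-resolve every invite link a community has ever published and confirm it still lands on the expected guild. The Python below is an added example, not Check Point's or Discord's code; it assumes Discord's public invite endpoint (`GET /api/v10/invites/{code}`, which needs no token for public invites), and the `fetch` parameter lets you substitute a canned lookup for offline tests.

```python
import json
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

# Discord's public invite lookup (no auth needed for public invites).
INVITE_API = "https://discord.com/api/v10/invites/{code}"
# Matches discord.gg/<code> and discord(app).com/invite/<code> in free text.
INVITE_RE = re.compile(r"discord(?:\.gg|(?:app)?\.com/invite)/([A-Za-z0-9-]+)")


@dataclass
class InviteStatus:
    code: str
    state: str                 # "ok", "hijacked", "dead" or "error"
    guild_id: Optional[str]
    guild_name: Optional[str]


def extract_codes(text: str) -> list:
    """Pull invite codes out of a blog post, README or forum dump."""
    return INVITE_RE.findall(text)


def fetch_invite(code: str):
    """Live lookup against Discord: returns (http_status, json_body)."""
    req = urllib.request.Request(INVITE_API.format(code=code),
                                 headers={"User-Agent": "invite-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def check_invite(code: str, expected_guild_id: str,
                 fetch: Callable = fetch_invite) -> InviteStatus:
    """A live invite whose guild id differs from the published one is hijacked."""
    status, body = fetch(code)
    if status == 404:   # Unknown Invite: dead now, but the code could be reclaimed later
        return InviteStatus(code, "dead", None, None)
    if status != 200:
        return InviteStatus(code, "error", None, None)
    guild = body.get("guild") or {}
    gid = guild.get("id")
    state = "ok" if gid == expected_guild_id else "hijacked"
    return InviteStatus(code, state, gid, guild.get("name"))


def audit(text: str, expected_guild_id: str, fetch: Callable = fetch_invite) -> list:
    """Audit every invite found in `text` against the guild it should point at."""
    return [check_invite(c, expected_guild_id, fetch) for c in extract_codes(text)]
```

Treat "dead" results as action items too: a dead code is exactly what an attacker can reclaim, so remove or replace the published link.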

That command kicks off a sophisticated, multi-stage infection:
- Stage 1: PowerShell downloads a loader (installer.exe) from GitHub.
- Stage 2: The loader hides itself, evades detection, and downloads two encrypted payloads from Bitbucket: AsyncRAT and a stripped-down yet potent variant of Skuld Stealer.
- Stage 3: A scheduled task launches the malware repeatedly, creating persistence and delaying execution to bypass sandbox environments.
"Even when the full infection chain is triggered… at least 15 minutes must pass before any malicious behavior becomes visible, long enough to evade detection by many automated sandbox systems."
While AsyncRAT enables complete remote control of infected systems, the custom Skuld Stealer zeroes in on browser credentials, Discord tokens, and most importantly, cryptocurrency wallets.
The stealer uses a unique double-webhook design. One webhook exfiltrates browser and system data; the other is dedicated solely to high-value targets: Exodus and Atomic wallet seed phrases and passwords.
"The second webhook is specifically reserved for exfiltrating highly sensitive data: crypto wallet seed phrases and passwords…"
Even more insidiously, Skuld replaces .asar files in wallet applications with trojanized versions from GitHub, injecting JavaScript to capture wallet secrets during use. The stolen data is instantly forwarded to attackers via Discord webhooks.
In response to Chrome's 2024 Application-Bound Encryption (ABE), which protected browser cookies, the threat actors adapted ChromeKatz, a memory-based cookie extractor.
"Threat actors can now bypass Chrome's App Bound Encryption (ABE) by using adapted tools like ChromeKatz to steal cookies…"
By injecting into Chrome, Edge, or Brave processes, the malware dumps cookies, including session tokens, from memory. These are then zipped and sent via Discord, extending the campaign's reach into sensitive accounts and platforms.
Bitbucket download counts for payloads exceed 1,300, with victims confirmed across the US, Vietnam, France, Germany, and the UK, among others. Check Point also identified an alternate delivery variant posing as a pirated Sims 4 DLC unlocker, showing how attackers tailor vectors to specific communities.
"The choice of payloads, including a powerful stealer specifically targeting cryptocurrency wallets, suggests that the attackers are primarily focused on crypto users and motivated by financial gain."