
In the latest exposé from Check Point Research, Discord’s once-trusted invite system has been turned against its own communities. Attackers are now exploiting a subtle yet powerful loophole in Discord’s invitation mechanics—repurposing expired or deleted links to redirect users to malware-laden servers without ever compromising the original source.
Most Discord users believe an invite link is immutable—a simple URL leading to a safe, specific community. But that assumption is dangerously flawed. When a server loses its Level 3 Boost or deletes an invite, the link can be reclaimed as a vanity URL by anyone with the right privileges, including threat actors.
“Temporary invites are published under the false assumption that they will never expire… These links eventually expire without warning, making their codes vulnerable to hijacking and malicious reuse,” the researchers explained.
Legitimate communities might have posted these links months ago on blogs, social media, or forums. Once hijacked, the same link becomes a backdoor into attacker-controlled servers meticulously designed to appear real.
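Community moderators can check whether the invite links they published months ago still point at their own server. The script below is an added example written for this article, not Check Point's tooling; it assumes Discord's public invite endpoint (GET /api/v10/invites/{code}) returns an invite object carrying guild.id, or HTTP 404 once the code no longer exists, and the sample responses and guild IDs in it are constructed.

```python
import json
import re
import urllib.request
from urllib.error import HTTPError

INVITE_RE = re.compile(r"(?:discord\.gg|discord\.com/invite)/([A-Za-z0-9-]+)")

def fetch_invite_live(code):
    """Query Discord's public invite endpoint; None when the code no longer exists."""
    req = urllib.request.Request(f"https://discord.com/api/v10/invites/{code}")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except HTTPError as err:
        if err.code == 404:  # unknown/expired invite: the code can be re-registered
            return None
        raise

def audit_invites(published, fetch=fetch_invite_live):
    """published maps invite URL -> expected guild (server) ID; returns URL -> verdict."""
    verdicts = {}
    for url, expected_guild in published.items():
        match = INVITE_RE.search(url)
        if not match:
            verdicts[url] = "not-an-invite"
            continue
        invite = fetch(match.group(1))
        if invite is None:
            verdicts[url] = "expired"    # reclaimable as someone else's vanity URL
        elif invite.get("guild", {}).get("id") != expected_guild:
            verdicts[url] = "hijacked"   # still resolves, but to a different server
        else:
            verdicts[url] = "ok"
    return verdicts

# Constructed sample data standing in for API responses; these IDs are not real servers.
OUR_GUILD = "100000000000000001"
SAMPLE_RESPONSES = {
    "ourcommunity": {"code": "ourcommunity", "guild": {"id": OUR_GUILD}},
    "oldevent2024": {"code": "oldevent2024", "guild": {"id": "999999999999999999"}},
}
SAMPLE_PUBLISHED = {
    "https://discord.gg/ourcommunity": OUR_GUILD,
    "https://discord.gg/oldevent2024": OUR_GUILD,
    "https://discord.com/invite/tempinvite": OUR_GUILD,
}

def sample_audit():
    """Offline run against the constructed responses (no network needed)."""
    return audit_invites(SAMPLE_PUBLISHED, fetch=SAMPLE_RESPONSES.get)
```

Any link that comes back "expired" should be pulled from blogs and pinned posts before someone else registers the code; a "hijacked" verdict means the link already resolves elsewhere.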
Once a victim joins a malicious server via a hijacked invite, the “verification” process begins. A bot named Safeguard requests OAuth permissions and redirects the user to captchaguard[.]me, a phishing site styled to mirror Discord’s interface.
Here, attackers deploy the clever ClickFix trick—displaying a broken CAPTCHA and guiding users to paste a malicious PowerShell command directly into their Run dialog.
“Clicking ‘Verify’ executes JavaScript that silently copies a malicious PowerShell command to the user’s clipboard…”
That command kicks off a sophisticated, multi-stage infection:
- Stage 1: PowerShell downloads a loader (installer.exe) from GitHub.
- Stage 2: The loader hides itself, evades detection, and downloads two encrypted payloads from Bitbucket: AsyncRAT and a stripped-down yet potent variant of Skuld Stealer.
- Stage 3: A scheduled task launches the malware repeatedly, creating persistence and delaying execution to bypass sandbox environments.
“Even when the full infection chain is triggered… at least 15 minutes must pass before any malicious behavior becomes visible — long enough to evade detection by many automated sandbox systems.”
While AsyncRAT enables complete remote control of infected systems, the custom Skuld Stealer zeroes in on browser credentials, Discord tokens, and most importantly—cryptocurrency wallets.
The stealer uses a unique double-webhook design. One webhook exfiltrates browser and system data; the other is dedicated solely to high-value targets: Exodus and Atomic wallet seed phrases and passwords.
“The second webhook is specifically reserved for exfiltrating highly sensitive data: crypto wallet seed phrases and passwords…”
Even more insidiously, Skuld replaces .asar files in wallet applications with trojanized versions from GitHub, injecting JavaScript to capture wallet secrets during use. The stolen data is instantly forwarded to attackers via Discord webhooks.
In response to Chrome’s 2024 Application-Bound Encryption (ABE), which protected browser cookies, the threat actors adapted ChromeKatz, a memory-based cookie extractor.
“Threat actors can now bypass Chrome’s App Bound Encryption (ABE) by using adapted tools like ChromeKatz to steal cookies…”
By injecting into Chrome, Edge, or Brave processes, the malware dumps cookies—including session tokens—from memory. These are then zipped and sent via Discord, extending the campaign’s reach into sensitive accounts and platforms.
Bitbucket download counts for payloads exceed 1,300, with victims confirmed across the US, Vietnam, France, Germany, and the UK, among others. Check Point also identified an alternate delivery variant posing as a pirated Sims 4 DLC unlocker, showing how attackers tailor vectors to specific communities.
“The choice of payloads, including a powerful stealer specifically targeting cryptocurrency wallets, suggests that the attackers are primarily focused on crypto users and motivated by financial gain.”