
Chromium

RAT

Botnet


Chromium browsers botnet Cloud9 allows remote access to victims' devices

Cloud9 botnet leveraged by attackers to obtain remote access on targeted devices of victims...

09-Nov-2022
5 min read

No content available.

Related Articles


Cyberattack

Zoomcar

Zoomcar data breach exposes info of 8.4M users—names, contacts, car details. No ...

Zoomcar Holdings, a leading peer-to-peer car-sharing marketplace operating across India and emerging Asian markets, has disclosed a significant data breach affecting approximately 8.4 million users. The incident, identified on June 9, 2025, was detected after a threat actor emailed company employees, claiming unauthorized access to the company’s information systems.

## Details of the Data Breach

According to Zoomcar’s filing with the U.S. Securities and Exchange Commission (SEC), the breach resulted in unauthorized access to sensitive customer data, including:

- Full name
- Phone number
- Car registration number
- Home address
- Email address

The company emphasized that, based on its preliminary investigation, there is no evidence that users’ financial information, plaintext passwords, or other highly sensitive identifiers were exposed.

## Company Response and Security Measures

Upon discovery, Zoomcar promptly activated its incident response plan, which included:

- Deploying additional safeguards across its cloud and internal networks
- Increasing system monitoring and reviewing access controls
- Engaging third-party cybersecurity experts to assist in the investigation
- Notifying regulatory and law enforcement authorities, and cooperating fully with their inquiries

Zoomcar stated that, to date, the breach has not caused any material disruption to its operations and that it continues to evaluate the scope and potential impact of the incident.

## Regulatory and Legal Implications

Following its 2023 public listing on Nasdaq (ZCAR) after merging with IOAC, Zoomcar must adhere to U.S. financial reporting standards, including reporting cybersecurity incidents to the SEC. The company’s swift disclosure and ongoing cooperation with authorities reflect these obligations.

## Historical Context

This is not the first time Zoomcar has faced a significant data breach. In 2018, the company suffered a similar incident that exposed the records of over 3.5 million customers, with the compromised data later surfacing on underground marketplaces in 2020.

## Risks and Recommendations for Users

While no financial or password data appears compromised, the exposure of personal information raises concerns about potential identity theft, targeted phishing, and other malicious activities. Security experts recommend that affected users:

- Remain vigilant for suspicious emails, calls, or messages
- Monitor their accounts for unusual activity
- Await further updates and guidance from Zoomcar

The exact method of attack remains undetermined, and no ransomware group has claimed responsibility. Zoomcar continues investigating the incident and has pledged to keep users and stakeholders informed as more information becomes available.

18-Jun-2025
2 min read

Hack

Washington Post journalists’ emails were hacked in a suspected state-backed cybe...

The Washington Post, one of America’s most influential newspapers, is investigating a cyberattack that compromised the email accounts of several of its journalists. The breach, discovered late Thursday, is believed to have been the work of a foreign government, according to internal communications and sources familiar with the incident.

## Discovery and Immediate Response

The intrusion was identified on Thursday evening, prompting The Washington Post to initiate a comprehensive internal investigation. By Friday night, the publication had enforced a mandatory reset of login credentials for all employees to secure its digital infrastructure. On Sunday, June 15, Executive Editor Matt Murray sent an internal memo alerting staff to a _“possible targeted unauthorized intrusion into their email system.”_ The memo specified that a limited number of Microsoft email accounts belonging to journalists were affected.

## Targeted Journalists and Attack Scope

Sources indicate that the cyberattack specifically targeted journalists covering national security, economic policy, and China-related topics. The Wall Street Journal first reported the incident, noting that the attackers may have gained access to both sent and received work emails of the affected reporters. While the full extent of the breach remains under investigation, The Washington Post has reassured staff that there is no evidence that other systems or customer data were impacted.

## Ongoing Investigation and Security Measures

A forensic team has been brought in to assess the damage and trace the attack's origin. The Washington Post has also advised affected employees to avoid discussing the incident publicly and has implemented additional cybersecurity measures, including enhanced monitoring and organization-wide credential resets.

## Pattern of Advanced Persistent Threats

This breach fits a broader pattern of advanced persistent threats (APTs) targeting media organizations and government agencies. State-sponsored actors, particularly from China, have a history of exploiting vulnerabilities in Microsoft Exchange and other email systems[1][6][5]. In recent years, Chinese hacking groups have orchestrated highly organized campaigns against U.S. government agencies, NATO members, and major news outlets, often leveraging zero-day vulnerabilities and privilege escalation bugs[1][6][5].

## Industry Context and Previous Incidents

Journalists are frequent targets for cyberespionage, given their access to sensitive information and sources[6][5]. The Wall Street Journal itself was subjected to a similar campaign in 2022, with hackers believed to be linked to Chinese interests[6]. The Washington Post has faced cyber threats dating back to 2011, some previously attributed to Chinese groups[5].

## Official Statements and Next Steps

Neither The Washington Post nor Microsoft has publicly commented on the specifics of the attack as of this report[4][5][7]. The investigation is ongoing, and law enforcement agencies are expected to assist in determining the perpetrators and mitigating any potential fallout.

## Conclusion

The cyberattack on The Washington Post underscores the persistent vulnerabilities of news organizations to sophisticated, state-backed cyber threats. As the investigation unfolds, the incident serves as a stark reminder of the critical importance of robust cybersecurity measures in protecting journalistic integrity and sensitive communications[1][6][5].

---

*For more updates on this developing story and other cybersecurity news, stay tuned to our latest coverage.*

[1] https://www.bleepingcomputer.com/news/security/washington-posts-email-system-hacked-journalists-accounts-compromised/
[2] https://www.cnn.com/2025/06/15/media/washington-post-cyberback-emails
[3] https://www.reuters.com/world/us/washington-post-investigating-cyberattack-journalists-wsj-reports-2025-06-15/
[4] https://www.bloomberg.com/news/articles/2025-06-16/washington-post-probes-hack-of-journalist-email-accounts
[5] https://www.insurancejournal.com/news/national/2025/06/16/827938.htm
[6] https://nypost.com/2025/06/16/media/washington-post-journalists-who-cover-china-had-their-email-hacked/
[7] https://www.insurancebusinessmag.com/us/news/breaking-news/washington-post-investigates-email-breach-after-cyberattack-539234.aspx
[8] https://www.moneycontrol.com/technology/the-washington-post-targeted-by-cyberattack-email-of-select-journalists-hacked-article-13124970.html
[9] https://www.bankinfosecurity.com/suspected-chinese-hackers-targeted-washington-post-a-28715
[10] https://techstory.in/washington-post-probes-cyberattack-targeting-journalists-email-accounts/

16-Jun-2025
4 min read

Info Stealer

Hackers exploit Discord invite links to spread advanced malware, targeting crypt...

Security researchers have uncovered a highly sophisticated malware campaign that exploits a critical vulnerability in Discord’s invitation system, redirecting users from trusted community links to malicious servers designed to steal cryptocurrency assets and establish persistent remote access to victims' computers.

## Campaign Overview and Scale

Check Point Research revealed this active campaign in June 2025, documenting how cybercriminals have successfully compromised over 1,300 users across eight countries by hijacking expired Discord invite links and weaponizing them for multi-stage malware delivery.

![image (14).png](https://sb-cms.s3.ap-south-1.amazonaws.com/image_14_c7db3a0327.png)

**Geographic Distribution of Discord Invite Link Hijacking Campaign Victims**

The operation, which has been active since August 2024, represents a significant evolution in social engineering tactics that leverage trusted platforms for malicious purposes. The campaign’s global reach spans multiple continents, with the United States and Vietnam showing the highest concentration of victims, followed by significant impacts in France, Germany, and other European nations. This geographic distribution suggests a targeted approach that exploits regional gaming communities and cryptocurrency adoption patterns.

## Discord Vulnerability: How Invite Links Become Weapons

The attack exploits a fundamental flaw in Discord's custom vanity invite link system, which allows servers with premium subscriptions to create personalized invitation codes. When legitimate servers lose their boost status or links expire, these codes become available for reuse by malicious actors who can register them as custom vanity URLs on their own boosted servers.

This vulnerability affects three types of Discord invitations with varying degrees of risk. Temporary invite links become completely vulnerable after expiration, while permanent invites face conditional risk only when deleted and contain exclusively lowercase letters and digits. Custom vanity invites present the highest ongoing risk when original servers lose their premium status.

Discord's interface design compounds this security issue through a misleading user experience. When users attempt to make existing temporary invites permanent by checking the _"Set this link to never expire"_ option, the system displays a false confirmation while leaving the underlying invitation code unchanged. This design flaw has directly contributed to the campaign’s success, as users unknowingly publish temporary invites under the false assumption they are permanent.

## Multi-Stage Attack Chain: From Trust to Compromise

The attack begins when unsuspecting users click previously legitimate invite links on community forums, social media, or official websites. Instead of reaching their intended destination, victims are silently redirected to attacker-controlled Discord servers meticulously designed to appear authentic.

![image (15).png](https://sb-cms.s3.ap-south-1.amazonaws.com/image_15_fcc14957e6.png)

Upon joining these malicious servers, users encounter a sophisticated social engineering scheme. Most channels remain locked, with only a single "verify" channel accessible, where a bot named "Safeguard" prompts newcomers to complete a verification process. This bot, explicitly created for the campaign in February 2025, requests authorization and redirects users to an external phishing website designed to mimic Discord's interface.

The campaign employs the increasingly popular "[ClickFix](https://www.secureblink.com/cyber-security-news/state-sponsored-hackers-leverage-click-fix-social-engineering-in-global-cyber-espionage)" social engineering technique, a method that has gained significant traction among cybercriminals throughout 2024 and into 2025. This technique presents users with a fake error message (typically a failed Google CAPTCHA) and provides detailed instructions for "fixing" the problem. The "solution" involves opening the Windows Run dialog and executing a malicious PowerShell command that was secretly copied to the user’s clipboard.

## Advanced Evasion and Payload Delivery

The malware delivery system demonstrates remarkable sophistication in evading detection through multiple layers of obfuscation and legitimate service abuse. The initial PowerShell script, hosted on Pastebin, achieved zero detections across all major antivirus engines during analysis. This script downloads a first-stage executable from GitHub repositories, which maintained an extraordinarily low detection rate of just one out of seventy antivirus engines.

![image (17).png](https://sb-cms.s3.ap-south-1.amazonaws.com/image_17_25969d0908.png)

**VirusTotal Detection Rates for Discord Campaign Malware Components**

The campaign’s infrastructure exclusively leverages trusted cloud services to blend malicious traffic with legitimate network activity. Attackers dynamically rotate between GitHub repositories for malware hosting, use Bitbucket for encrypted payload storage, and employ Pastebin for script hosting with frequent URL updates. This approach allows the operation to maintain persistence while avoiding traditional security controls that might flag suspicious domains.

![image (18).png](https://sb-cms.s3.ap-south-1.amazonaws.com/image_18_03cbea1a3f.png)

**Legitimate Services Abused in Discord Invite Link Hijacking Campaign**

The malware employs sophisticated time-based evasion techniques to circumvent automated sandbox analysis. Initial execution requires specific command-line parameters, and the full malicious payload only becomes active after a carefully orchestrated 15-minute delay involving multiple staged downloads and decryption processes. This temporal separation ensures that automated security systems cannot observe the complete attack chain during typical analysis windows.

## Cryptocurrency-Focused Payloads

The campaign deploys two primary malware families, each serving distinct but complementary functions in the attackers’ financial objectives. AsyncRAT, a well-established remote access trojan, provides comprehensive system control capabilities including keylogging, screen capture, and file manipulation. The malware uses a _"dead drop resolver"_ technique, retrieving its command-and-control server addresses from publicly accessible Pastebin documents to maintain operational flexibility.

The second payload, a customized variant of the Skuld Stealer, specifically targets cryptocurrency infrastructure with devastating precision. This Go-based information stealer focuses primarily on Exodus and Atomic wallet applications, employing a sophisticated injection technique that replaces legitimate wallet archives with malicious versions downloaded from GitHub.

The cryptocurrency targeting mechanism represents a particularly insidious form of supply chain attack. When users interact with their compromised wallets, malicious JavaScript code intercepts sensitive operations, extracting both password credentials and seed phrases, the master keys that provide complete control over cryptocurrency holdings. This stolen information is immediately transmitted to attackers via dedicated Discord webhooks, ensuring rapid monetization of compromised accounts.

![image (19).png](https://sb-cms.s3.ap-south-1.amazonaws.com/image_19_28428a48c3.png)

**A conceptual diagram illustrating various behaviors and characteristics of the malware, including multi-stage execution and persistence mechanisms**

## Bypassing Modern Security Controls

The campaign’s technical sophistication extends to circumventing cutting-edge browser security features, specifically Google Chrome's Application-Bound Encryption (ABE) introduced in 2024. By binding encryption to system-level privileges, Chrome's ABE was designed to prevent information-stealing malware from accessing encrypted cookie data. However, the attackers adapted the open-source ChromeKatz tool to bypass this protection through direct browser memory manipulation. This technique operates within the browser’s NetworkService process, using signature-based searches to locate and extract cookie data from memory structures before encryption can occur. The bypass requires minimal system privileges and can operate undetected by most endpoint security solutions.

## Gaming Community Exploitation

Beyond the primary Discord campaign, researchers identified a parallel operation targeting gaming communities through trojanized software. This variant distributes malicious archives disguised as game modification tools, specifically targeting The Sims 4 players with fake DLC unlocking utilities. The gaming-focused campaign has achieved over 350 documented downloads, demonstrating the attackers' ability to diversify their initial access vectors while maintaining the same core malware infrastructure.

This gaming angle reflects broader trends in cybercriminal targeting, with recent research showing over 19 million attempted attacks disguising malware as popular video games throughout 2024 and early 2025. The overlap between gaming and cryptocurrency communities creates particularly attractive targets for financially motivated threat actors.

## Industry Response and Platform Measures

Discord responded to the research findings by disabling the malicious "Safeguard" bot identified in the campaign, effectively breaking the current attack chain. However, security experts emphasize that this represents a tactical disruption rather than a strategic solution, as the underlying vulnerability in the invitation system remains unaddressed.

The platform has historically faced significant challenges with malicious content, as evidenced by enforcement statistics showing over 26 million accounts disabled for spam-related violations in a single quarter. Despite proactive scanning for malware and user reporting mechanisms, Discord’s infrastructure remains an attractive platform for cybercriminal operations. Current Discord safety initiatives, including the recent launch of the Ignore tool and participation in the ROOST (Robust Open Online Safety Tools) foundation, focus primarily on user empowerment and cross-industry collaboration. However, these measures do not directly address the technical vulnerabilities that enable invite link hijacking.

Security researchers have identified multiple technical indicators organizations can use to detect and prevent these attacks. File system artifacts include the creation of a distinctive directory structure under `ServiceHelper` and a scheduled task named "checker" that executes every five minutes. Network indicators encompass a specific user-agent string ("Dynamic WinHTTP Client/1.0") and communication patterns with known malicious domains. The malware’s persistence mechanism creates a unique mutex with the identifier `3575651c-bb47-448e-a514-22865732bbc`, which security tools can monitor to detect active infections. Additionally, the campaign’s reliance on legitimate cloud services creates opportunities for enhanced monitoring of suspicious file hosting patterns and webhook communications.

## Implications for Platform Security

This campaign highlights fundamental tensions between platform usability and security in modern online ecosystems. Discord’s decision to allow vanity URL reuse serves legitimate business purposes, enabling premium subscribers to claim memorable invite codes. However, this functionality creates systemic vulnerabilities that extend beyond individual user security.

The attackers’ exclusive use of legitimate services for command-and-control infrastructure represents a significant challenge for traditional security controls. By routing malicious communications through Discord webhooks, GitHub repositories, and Pastebin documents, the campaign effectively immunizes itself against domain-based blocking and reputation systems.

## Recommendations and Future Outlook

Security experts recommend multiple layers of protection for both individual users and organizations. Users should avoid clicking invite links that are more than 30 days old, verify link authenticity through official channels, and never execute PowerShell commands from untrusted sources. Two-factor authentication protects high-value accounts, particularly those containing cryptocurrency assets.

Organizations require more comprehensive defensive strategies, including advanced endpoint detection systems capable of monitoring for suspicious scheduled tasks and PowerShell execution patterns. Application allowlisting can prevent unauthorized script execution, while network monitoring should focus on identifying suspicious communications with cloud hosting services.

The campaign's ongoing evolution, including regular infrastructure updates and new payload variants, suggests threat actors will continue adapting their techniques to maintain effectiveness. The successful bypass of Chrome's App-Bound Encryption demonstrates that even cutting-edge security controls face rapid circumvention by determined adversaries.

As cryptocurrency adoption continues expanding globally and gaming communities grow increasingly interconnected, the intersection of these trends creates expanding attack surfaces for financially motivated cybercriminals. The Discord invite link hijacking campaign represents not just a tactical security concern but a strategic indicator of how trusted platforms can be systematically weaponized against their own users.

The persistence and sophistication of this operation underscore the critical need for platform providers to implement robust security controls that balance functionality with protection. At the same time, users and organizations must adopt comprehensive defensive strategies that account for the evolving threat landscape of legitimate service abuse.
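The host and network indicators the article lists (the `checker` scheduled task running every five minutes, the `ServiceHelper` directory, the `Dynamic WinHTTP Client/1.0` user-agent and the mutex identifier) can be matched against endpoint telemetry to find the infections the recommendations section asks organizations to monitor for. The following is an added example, not code from the article or from Check Point Research; the key=value telemetry format and the sample lines are constructed for illustration, and only the indicator values themselves come from the article.

```python
import re
from dataclasses import dataclass

# Indicators listed in the article (from the Check Point Research findings).
TASK_NAME = "checker"                       # scheduled task, runs every five minutes
TASK_INTERVAL_MIN = 5
DIR_MARKER = "ServiceHelper"                # directory created on disk
USER_AGENT = "Dynamic WinHTTP Client/1.0"   # network user-agent string
MUTEX_ID = "3575651c-bb47-448e-a514-22865732bbc"

# Constructed sample telemetry in a hypothetical key=value format (not a real EDR export).
# Host WS-17 shows all four indicators; the remaining lines are benign noise.
SAMPLE_TELEMETRY = r"""
ts=2025-06-10T09:13:58Z host=WS-17 event=task_create name=OneDriveUpdate interval_min=60 image="C:\Program Files\OneDrive\update.exe"
ts=2025-06-10T09:14:02Z host=WS-17 event=file_create path=C:\Users\alice\AppData\Roaming\ServiceHelper\svc.exe
ts=2025-06-10T09:14:03Z host=WS-17 event=http_request ua="Mozilla/5.0 (Windows NT 10.0)" dst=github.com
ts=2025-06-10T09:14:05Z host=WS-17 event=task_create name=checker interval_min=5 image=C:\Users\alice\AppData\Roaming\ServiceHelper\svc.exe
ts=2025-06-10T09:14:09Z host=WS-22 event=mutex_create name=Global\OfficeUpdaterMutex
ts=2025-06-10T09:14:11Z host=WS-17 event=mutex_create name=3575651c-bb47-448e-a514-22865732bbc
ts=2025-06-10T09:19:06Z host=WS-17 event=http_request ua="Dynamic WinHTTP Client/1.0" dst=pastebin.com
""".strip()

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Parse one key=value telemetry line; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

@dataclass(frozen=True)
class Finding:
    host: str
    indicator: str   # which article indicator matched
    line_no: int
    evidence: str

def check_event(ev):
    """Yield the names of the article's indicators matched by one parsed event."""
    kind = ev.get("event", "")
    if (kind == "task_create" and ev.get("name") == TASK_NAME
            and ev.get("interval_min") == str(TASK_INTERVAL_MIN)):
        yield "scheduled_task_checker_5min"
    for field in ("path", "image"):   # any path component named ServiceHelper
        if DIR_MARKER in ev.get(field, "").replace("/", "\\").split("\\"):
            yield "servicehelper_directory"
            break
    if kind == "http_request" and ev.get("ua") == USER_AGENT:
        yield "winhttp_user_agent"
    if kind == "mutex_create" and ev.get("name") == MUTEX_ID:
        yield "campaign_mutex"

def scan_telemetry(text):
    """Return a Finding for every indicator hit, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        ev = parse_line(line)
        for indicator in check_event(ev):
            findings.append(Finding(ev.get("host", "?"), indicator, line_no, line))
    return findings

def hosts_by_confidence(findings, min_indicators=2):
    """Hosts with at least min_indicators distinct indicators, so that one coincidental
    match (say, an unrelated task called 'checker') does not raise an alert on its own."""
    seen = {}
    for f in findings:
        seen.setdefault(f.host, set()).add(f.indicator)
    return {h: sorted(i) for h, i in seen.items() if len(i) >= min_indicators}
```

On the sample, `scan_telemetry` reports five hits (the `ServiceHelper` path appears in both the file-creation and the task-creation events) and `hosts_by_confidence` flags only WS-17, since WS-22 shows no indicator at all.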

14-Jun-2025
10 min read