Hackers use Discord invite links to deliver malware

A new campaign of malware targeting crypto users via Discord invite links has been uncovered. According to information, the new malware exploits a weakness in Discord’s invitation system to deliver an information stealer known as Skuld and the AsyncRAT remote access trojan.

In a report by Check Point, the platform mentioned that the attackers hijack the links through vanity link registration, which allows them to easily redirect users from trusted sources to malicious servers.

“The attackers combined the ClickFix phishing technique, multi-stage loaders, and time-based evasions to stealthily deliver AsyncRAT, and a customized Skuld Stealer targeting crypto wallets,” Check Point said.

According to the platform, one of the uses of Discord’s invite mechanism is that it allows attackers to hijack expired or deleted invite links and secretly redirect unsuspecting users to different malicious servers under their control. This means that a Discord invite link, which was previously shared for a legitimate purpose on social media and other forums could be used to lead users to their malicious servers and platforms.

Discord invite link hijacked for malicious purposes

This development comes a little over a month after the cybersecurity firm revealed another sophisticated phishing campaign that hijacked expired vanity links to entice users into joining a Discord server, instructing them to visit a phishing site to verify ownership. The malicious actors eventually used the platform to gain illegal access to the users’ digital wallets and drain their wallets after connecting them.

While users are allowed to create temporary, permanent, or custom invite links on Discord, the platform does not allow other legitimate servers to reclaim a previously expired or deleted invite link. However, if a user creates a custom link, they can reuse the expired invite codes and even some deleted permanent invite codes in some cases.

This ability to reuse expired or deleted codes when creating custom vanity invite links allows criminals to abuse it, with most of them claiming them for their malicious servers. “This creates a serious risk: Users who follow previously trusted invite links (e.g., on websites, blogs, or forums) can unknowingly be redirected to fake Discord servers created by threat actors,” Check Point said.

According to the report, Discord invite link hijacking involves using a legitimate invite link shared by communities to redirect users to a malicious server. Victims of this scheme are asked to complete a verification stamp, which involves entering several details to gain full access to the server. This is done by authorizing a bot, which leads them to a fake website where they are mandated to verify the information provided. After this, the scammers use a social engineering tactic to trick users into infecting their systems.

Malicious actors steal wallet seed phrases with malware

According to the report, the Skuld malware is capable of harvesting crypto wallet seed phrases from the Exodus and Atomic crypto wallets. It carries out this activity using an approach called wallet injection, replacing the original version of the application files with versions loaded with trojans downloaded from GitHub. Another payload is a Goland information stealer that can be downloaded from Bitbucket. It is used to steal sensitive data from Discord, various browsers, crypto wallets, and gaming platforms.

Check Point added that it also identified another malicious campaign being carried out by the same threat actor where it distributed the loader as a modified version of a hack tool for unlocking pirated hams. The program, according to the report, has been downloaded 350 times on Bitbucket. Victims of these campaigns are primarily located in the United States, France, Slovakia, the Netherlands, Austria, Vietnam, and the United Kingdom.

The findings show the latest example of how cybercriminals have been targeting the platform. “This campaign illustrates how a subtle feature of Discord’s invite system, the ability to reuse expired or deleted invite codes in vanity invite links, can be exploited as a powerful attack vector,” the researchers said. “By hijacking legitimate invite links, threat actors silently redirect unsuspecting users to malicious Discord servers.”

KEY Difference Wire helps crypto brands break through and dominate headlines fast