- Cybercriminals are recycling expired Discord links to launch silent, devastating multi-stage malware attacks
- A fake Discord bot tricks users into running PowerShell commands disguised as CAPTCHA fixes
- Old community invite links now lead to malware servers stealing your data and digital assets
Cybercriminals are increasingly exploiting a lesser-known flaw in Discord’s invitation system to target unsuspecting users, particularly gamers, new research has claimed.
A report from researchers from Check Point found attackers manage to register previously valid invite links with custom vanity URLs.
The tactic involves hijacking once legitimate and trusted expired or deleted Discord invite links and redirecting them to malicious servers hosting multi-stage malware campaigns.
From trusted links to dangerous redirects
These hijacked links, often embedded in old forum posts, community pages, or social media, are being used to silently funnel users to Discord servers operated by threat actors.
Once on these fake servers, users are greeted with what appears to be a standard verification process.
A bot named “Safeguard” prompts visitors to click a “Verify” button, which initiates an OAuth2 process and redirects them to a phishing site.
The site employs a social engineering method called “ClickFix,” where users are tricked into copying and running a PowerShell command under the guise of fixing a broken CAPTCHA.
This action silently launches the malware installation chain, with the attackers using cloud services such as Pastebin, GitHub, and Bitbucket to deliver the payloads in multiple stages, allowing them to blend into normal network traffic.
Initial scripts download executables that retrieve further encrypted payloads, which include AsyncRAT, a tool that gives attackers remote control over infected systems, and a tailored variant of the Skuld Stealer designed to extract credentials and cryptocurrency wallet data.
Gamers have become a prime target, with campaigns even disguising malware as tools like The Sims 4 DLC unlockers – one archive named Sims4-Unlocker.zip was downloaded over 350 times, highlighting the campaign’s reach.
Through clever evasion techniques such as delayed execution and command-line argument checks, the malware often bypasses detection from even the best antivirus software.
The threats extend beyond typical malware infections. The Skuld Stealer used in these attacks can extract crypto wallet seed phrases and passwords, effectively granting full control over victims’ digital assets.
Considering the focus on cryptocurrency theft and credential harvesting, individuals should reinforce their defenses with robust identity theft protection services.
These tools can monitor for unauthorized use of personal information, alert users to breaches, and assist in recovering compromised digital identities.
While some might assume that endpoint protection tools would shield them from these tactics, the multi-layered, modular structure of the attack often flies under the radar.
To stay safe, users must be wary of Discord invite links, especially those embedded in old content. Also, avoid running unexpected scripts or following suspicious verification steps.
