Hackers Compromise Discord Invite to Inject Malicious Links Delivering AsyncRAT
Threat actors have exploited Discord’s invite system to distribute malicious links, ultimately delivering AsyncRAT and other harmful payloads.
Discord, a widely trusted platform for gamers, developers, and communities, has become a target for cybercriminals who abuse its infrastructure, particularly the invite-link and content-delivery features, to orchestrate phishing schemes and malware infections.
This campaign, detailed in a recent cybersecurity report, reveals how attackers leverage fake Discord invites, social engineering, and hijacked vanity URLs to compromise user accounts and steal sensitive data, with a primary focus on cryptocurrency and gaming ecosystems.
Exploiting Discord’s Invite System
The attack begins with the manipulation of Discord invite links, which are unique URLs used to access servers or group chats.

Legitimate links typically follow formats like https://discord.gg/, but attackers craft deceptive lookalike domains such as discord-giveaway[.]net or discordnitro[.]gift to trick users.
A critical vulnerability lies in the reuse of expired or deleted invite codes, especially vanity URLs tied to boosted servers.

Once a temporary invite expires, attackers with Level 3 Boost status can reclaim the code, redirecting unsuspecting users to malicious servers.
According to the Dark Atlas report, this hijacking exploits residual trust in previously shared links on platforms like Twitter or Reddit, leading victims to join fake servers designed to mimic legitimate communities.
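The two abuses above have different defensive answers: lookalike domains can be screened offline, but a reclaimed vanity code lives on an official discord.gg host and cannot be told apart by the URL alone. The following added example (not code from the report or from Discord) shows both sides of that distinction: it refangs defanged indicators, classifies the hostname against an allowlist of official Discord domains (the allowlist and the digit-swap table are this example's assumptions), and extracts the invite code from official links so an analyst can compare it with the codes a community actually published and check whether they have since expired.

```python
from urllib.parse import urlparse, ParseResult

# Domains Discord itself serves invite links from. This allowlist is the
# example's own assumption; adjust it to what your environment knows.
OFFICIAL_DISCORD_DOMAINS = {"discord.gg", "discord.com", "discordapp.com"}

# Digit-for-letter swaps commonly used to imitate a brand name (constructed).
CONFUSABLES = str.maketrans({"0": "o", "1": "i", "3": "e", "5": "s"})


def refang(indicator: str) -> str:
    """Turn defanged IoC notation (hxxp, [.], [:]) back into a parseable URL."""
    return (indicator.strip()
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://")
            .replace("[.]", ".")
            .replace("[:]", ":"))


def parse_url(url: str) -> ParseResult:
    """Refang and parse a URL, assuming https when no scheme is present."""
    url = refang(url)
    if "://" not in url:
        url = "https://" + url
    return urlparse(url)


def hostname_of(url: str) -> str:
    return (parse_url(url).hostname or "").lower().rstrip(".")


def is_official(host: str) -> bool:
    """Exact match or a subdomain of an official Discord domain."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DISCORD_DOMAINS)


def classify_invite_url(url: str) -> str:
    """'official', 'lookalike', 'unrelated' or 'invalid'.

    Only the domain is judged here: as the report notes, a real discord.gg
    code can be reclaimed by another server once it expires, so 'official'
    means 'served by Discord', not 'safe'.
    """
    host = hostname_of(url)
    if not host:
        return "invalid"
    if is_official(host):
        return "official"
    # Catch plain brand abuse (discord-giveaway.net), digit swaps (d1scord.gg)
    # and the brand used as a subdomain of some other site.
    if "discord" in host.translate(CONFUSABLES):
        return "lookalike"
    return "unrelated"


def invite_code(url: str):
    """Invite code from an official invite URL (discord.gg/<code> or
    discord.com/invite/<code>), or None for anything else. Compare the code
    with the ones your community actually published and check its expiry."""
    parts = parse_url(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not is_official(host):
        return None
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) >= 2 and segments[0] == "invite":
        return segments[1]
    return segments[0] if segments else None


if __name__ == "__main__":
    for sample in ("https://discord.gg/abc123", "discord-giveaway[.]net/claim",
                   "hxxps://discordnitro[.]gift", "https://d1scord.gg/abc",
                   "https://discord.com.evil.example/invite/x", "https://example.com"):
        print(f"{sample:45} {classify_invite_url(sample):10} code={invite_code(sample)}")
```

Feeding this a list of invite links harvested from a community's own Twitter or Reddit posts gives a quick triage: anything "lookalike" is worth a takedown request, while "official" codes still need to be checked against the server's current invite list, since an expired code may now point somewhere else.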
Multi-Stage Infection Chain
Once users join these attacker-controlled servers, they are often funneled into a single channel, such as #verify, where a fake bot, commonly named “Safeguard” or “TrustBot”, prompts them to click a “Verify” button.
This interaction redirects users to phishing sites like captchaguard[.]me, which abuse Discord’s OAuth2 authorization flow to harvest data before presenting a spoofed UI mimicking the Discord desktop app.
Clicking “Verify” on these pages triggers JavaScript that copies a malicious PowerShell command to the clipboard, initiating the download of AsyncRAT (a Remote Access Trojan) and Skuld Stealer.
AsyncRAT, identified by hashes like 53b65b7c38e3d3fca465c547a8c1acc53c8723877c6884f8c3495ff8ccc94fbe, enables full remote control, keylogging, and file manipulation, while Skuld targets browser credentials, Discord tokens, and cryptocurrency wallets like Exodus through .asar file injections.
The malware also uses Discord webhooks for data exfiltration and leverages platforms like GitHub and Bitbucket to host encrypted payloads, ensuring stealth and persistence.
This campaign’s impact is notable, with download counts from hosting repositories exceeding 1,300, indicating a potentially large victim pool across regions like the United States, Vietnam, and the UK.
Despite Discord’s efforts to remove malicious bots, the underlying techniques, which rely on invite abuse and modular delivery chains, remain viable for future attacks. Users are urged to scrutinize invite links and avoid unverified verification prompts to mitigate risks.
Indicators of Compromise (IOCs)
| Type | Indicator |
|---|---|
| SHA256 (AsyncRAT) | 53b65b7c38e3d3fca465c547a8c1acc53c8723877c6884f8c3495ff8ccc94fbe |
| SHA256 (Skuld Stealer) | 8135f126764592be3df17200f49140bfb546ec1b2c34a153aa509465406cb46c |
| Phishing URL | captchaguard[.]me |
| C2 Address | 101.99.76.120 |
| Webhook URL | https://discord[.]com/api/webhooks/1355186248578502736/_RDywh_K6… |
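Static indicators like the ones in this table age quickly; the more durable signals are the behaviours in the infection chain described above (a script host fetching a payload from GitHub or Bitbucket, and a Discord webhook being called by something other than the Discord client or a browser). The added example below, which is not code from the report, combines both: it loads the table's indicators (the webhook URL is truncated on the page, so only its visible prefix is matched) and runs them together with two behavioural rules over constructed key=value telemetry lines. The log format, the process allowlists, the repo paths, the webhook token and the RFC 5737 documentation IPs are all this example's own constructions.

```python
from urllib.parse import urlparse

# Indicators copied from the report's IoC table. The webhook URL is truncated
# on the page, so only its visible prefix is matched.
IOC_SHA256 = {
    "53b65b7c38e3d3fca465c547a8c1acc53c8723877c6884f8c3495ff8ccc94fbe": "AsyncRAT",
    "8135f126764592be3df17200f49140bfb546ec1b2c34a153aa509465406cb46c": "Skuld Stealer",
}
IOC_IPS = {"101.99.76.120": "C2 address"}
IOC_DOMAINS = {"captchaguard.me": "phishing site"}
IOC_WEBHOOK_PREFIX = "https://discord.com/api/webhooks/1355186248578502736/"

# Behavioural rules generalised from the campaign. These allowlists are the
# example's assumptions and need tuning per environment.
WEBHOOK_EXPECTED_PROCS = {"discord.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
CODE_REPO_HOSTS = {"github.com", "raw.githubusercontent.com", "bitbucket.org"}

# Constructed sample telemetry, key=value per field, '-' meaning absent.
# IPs are RFC 5737 documentation addresses; paths and tokens are placeholders.
SAMPLE_LOG = [
    "ts=2025-06-10T14:02:11Z host=WS-07 proc=powershell.exe dst=203.0.113.10 url=https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/raw/main/stage2.bin sha256=-",
    "ts=2025-06-10T14:02:40Z host=WS-07 proc=chrome.exe dst=198.51.100.20 url=https://captchaguard.me/verify sha256=-",
    "ts=2025-06-10T14:03:05Z host=WS-07 proc=powershell.exe dst=198.51.100.30 url=https://discord.com/api/webhooks/1355186248578502736/PLACEHOLDER-TOKEN sha256=-",
    "ts=2025-06-10T14:03:30Z host=WS-07 proc=updater.exe dst=101.99.76.120 url=- sha256=-",
    "ts=2025-06-10T14:04:00Z host=WS-07 proc=explorer.exe dst=- url=- sha256=8135f126764592be3df17200f49140bfb546ec1b2c34a153aa509465406cb46c",
    "ts=2025-06-10T14:05:00Z host=WS-12 proc=chrome.exe dst=198.51.100.30 url=https://discord.com/api/webhooks/111111111111111111/PLACEHOLDER-TOKEN sha256=-",
    "ts=2025-06-10T14:05:30Z host=WS-12 proc=chrome.exe dst=198.51.100.30 url=https://discord.com/channels/@me sha256=-",
]


def parse_event(line: str) -> dict:
    """Parse 'key=value ...' into a dict; a value of '-' becomes None."""
    event = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            event[key] = None if value == "-" else value
    return event


def alerts_for(event: dict) -> list:
    """Return (rule, detail) pairs raised by one event."""
    alerts = []
    proc = (event.get("proc") or "").lower()
    url = event.get("url") or ""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    sha = (event.get("sha256") or "").lower()
    dst = event.get("dst") or ""

    # Static indicators from the report's table.
    if sha in IOC_SHA256:
        alerts.append(("ioc_hash", IOC_SHA256[sha]))
    if dst in IOC_IPS:
        alerts.append(("ioc_ip", IOC_IPS[dst]))
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        alerts.append(("ioc_domain", host))
    if url.startswith(IOC_WEBHOOK_PREFIX):
        alerts.append(("ioc_webhook", "known exfiltration webhook"))

    # Behaviour: a Discord webhook called by anything other than the client or a
    # browser matches the campaign's exfiltration path, whatever the webhook ID.
    if (host == "discord.com" and parsed.path.startswith("/api/webhooks/")
            and proc not in WEBHOOK_EXPECTED_PROCS):
        alerts.append(("webhook_unexpected_process", proc))
    # Behaviour: a script host pulling from a code-hosting site matches the
    # GitHub/Bitbucket payload staging; expect some benign developer hits.
    if proc in SCRIPT_HOSTS and host in CODE_REPO_HOSTS:
        alerts.append(("script_host_repo_download", f"{proc} -> {host}"))
    return alerts


def scan(lines) -> list:
    """Run every rule over every line; one finding per (line, rule) pair."""
    findings = []
    for number, line in enumerate(lines, 1):
        for rule, detail in alerts_for(parse_event(line)):
            findings.append({"line": number, "rule": rule, "detail": detail})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['rule']} ({finding['detail']})")
```

On the sample, line 3 fires twice (known webhook prefix plus the behavioural rule), which is the useful property: after the webhook in the table is rotated, the behavioural rule still catches the same tradecraft, while line 6 (a browser posting to an unrelated webhook) stays quiet.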