Malware Campaign Abuses Discord Invite System to Steal Crypto Wallets

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Cybersecurity researchers have uncovered a new malware campaign that exploits a subtle flaw in Discord's invitation system to deliver information-stealing malware and remote access trojans (RATs), targeting unsuspecting users across multiple countries.
What’s the Exploit?
The flaw lies in Discord’s vanity invite link system, which permits the reuse of expired or deleted invite codes. Attackers exploit this by registering new servers using previously trusted invite codes—shared on forums or websites—to silently redirect users to malicious Discord servers.
Attack Flow: How It Works
Invite Link Hijacking:
Attackers identify expired or deleted invite links from legitimate communities and register new Discord servers using those codes. Users who revisit those trusted links are unknowingly redirected to fake servers.
ClickFix Phishing Tactic:
Users who join the rogue server are asked to complete a fake “verification” step. Clicking the “Verify” button:
Copies a malicious PowerShell command to the clipboard
Instructs the user to paste and execute it using the Windows Run dialog
Payload Delivery via Pastebin and Bitbucket:
The script retrieves additional stages of the attack, culminating in the download and execution of:
AsyncRAT – A remote access trojan with command-and-control capabilities
Skuld Stealer – A Golang-based malware targeting browsers, Discord, gaming platforms, and crypto wallets
Technical Sophistication
Multi-Stage Loaders: Built to bypass antivirus solutions with time-delayed actions and sandbox detection
Dead Drop Resolver: AsyncRAT retrieves its C2 address via a hidden Pastebin link
Wallet Injection: Skuld uses a GitHub-hosted replacement of crypto wallet apps (e.g., Exodus, Atomic) to exfiltrate seed phrases and private keys
ChromeKatz Integration: A modified tool used to bypass Chrome’s encryption and extract sensitive data
The stolen data is then exfiltrated via Discord webhooks, masking malicious activity as normal platform traffic.
Target Geography
Victims have been identified in:
United States
Vietnam
France
Germany
Slovakia
Austria
The Netherlands
United Kingdom
Why It Matters
This campaign underscores how seemingly minor platform behaviors, like reusing vanity invite codes, can be turned into powerful social engineering tools. It also highlights how attackers are increasingly abusing trusted services like GitHub, Pastebin, and Discord itself to deploy and manage malware campaigns.
Discord has since disabled the malicious bot used in the attacks, breaking the immediate attack chain.
Recommendations
For Users:
Avoid clicking on old or reused Discord invite links from untrusted sources
Never run scripts or commands copied from unknown sources
For Developers & Admins:
Regularly audit public-facing invite links
Use server verification processes that avoid clipboard-based interactions
For Discord:
Consider prohibiting reuse of deleted or expired codes in vanity URLs
Implement more stringent bot verification systems
This attack serves as a reminder of the growing abuse of social platforms as malware delivery vectors—and the urgent need for both user education and technical safeguards.
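One way to act on the "Regularly audit public-facing invite links" recommendation, as an added example that is not part of the original article or any Discord tooling: extract every invite link from your own published pages and confirm each still resolves to the server you own. The function names, sample page, sample responses and guild ID `111` are constructed; the live lookup assumes Discord's public Get Invite endpoint and its `guild.id` and `expires_at` response fields.

```python
import json
import re
import urllib.error
import urllib.request

# Matches discord.gg/<code> and discord.com/invite/<code> links.
INVITE_RE = re.compile(r"(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9-]+)", re.I)

def extract_invite_codes(text):
    """Unique invite codes, in order of first appearance."""
    return list(dict.fromkeys(INVITE_RE.findall(text)))

def resolve_live(code):
    """Look the code up via Discord's Get Invite endpoint (assumed: 404 = unknown code)."""
    req = urllib.request.Request(f"https://discord.com/api/v10/invites/{code}",
                                 headers={"User-Agent": "invite-audit-example"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise

def audit_invites(text, expected_guild_id, resolve=resolve_live):
    """Classify every invite link found in `text` against the guild we own."""
    findings = {}
    for code in extract_invite_codes(text):
        invite = resolve(code)
        if invite is None:
            findings[code] = "DEAD"       # expired or deleted: the code may be reused
        elif (invite.get("guild") or {}).get("id") != expected_guild_id:
            findings[code] = "MISMATCH"   # resolves to a server that is not ours
        elif invite.get("expires_at"):
            findings[code] = "TEMPORARY"  # still ours, but it will expire
        else:
            findings[code] = "OK"
    return findings

# Constructed sample data (not real invites or guild IDs).
SAMPLE_PAGE = """Join: https://discord.gg/goodcode
Old forum post: discord.com/invite/OldCode1 and https://discord.gg/goodcode
Event: https://discord.gg/tmp-event  Archive: https://discord.gg/gone123"""
SAMPLE_API = {"goodcode": {"guild": {"id": "111"}, "expires_at": None},
              "OldCode1": {"guild": {"id": "999"}, "expires_at": None},
              "tmp-event": {"guild": {"id": "111"}, "expires_at": "2025-07-01T00:00:00+00:00"}}

if __name__ == "__main__":
    print(audit_invites(SAMPLE_PAGE, "111", SAMPLE_API.get))
```

Links reported as `DEAD` or `MISMATCH` should be removed from the pages where they were published, and `TEMPORARY` ones replaced before they expire.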