A sophisticated new attack vector exploits a critical flaw in Discord’s invitation system that lets attackers take over expired invite links. Because Discord is a trusted platform, invitation links that were once legitimate become a quiet path for compromising victims. The attack chain begins with Discord’s custom vanity invite links, a feature available to premium (boosted) servers. When a legitimate server loses its boost status or its links expire, the invitation code is released and can be claimed again by a malicious actor. Users who click a link they once trusted are then silently redirected to an attacker-controlled Discord server built to look legitimate.
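The practical consequence for defenders is that a vanity invite code is not a stable identifier: trust has to be pinned to the server (guild) snowflake ID the link was published for, not to the code itself. The following added example (not code from the article or from Check Point) shows that check. It parses an invite URL, then compares the guild an invite currently resolves to against the expected guild ID. The JSON is a constructed sample; the field layout (`code`, `guild.id`, `guild.name`) is assumed to match what `GET https://discord.com/api/v10/invites/{code}` returns, and the network fetch itself is left out so the example runs offline.

```python
import json
import re
from urllib.parse import urlparse

# Hosts that serve Discord invite links; the code is the last path segment,
# optionally preceded by /invite/.
INVITE_HOSTS = {"discord.gg", "discord.com", "discordapp.com"}
INVITE_PATH = re.compile(r"^/(?:invite/)?([A-Za-z0-9-]+)/?$")


def extract_invite_code(url: str):
    """Return the invite code from a Discord invite URL, or None if it is not one."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or parsed.hostname not in INVITE_HOSTS:
        return None
    match = INVITE_PATH.match(parsed.path)
    return match.group(1) if match else None


def check_invite(invite_json: str, expected_guild_id: str) -> dict:
    """Compare the guild an invite resolves to *now* with the guild it was published for.

    invite_json is assumed to be the body returned by the Discord invites API for the
    code, carrying the guild snowflake under guild.id (field layout is an assumption).
    """
    data = json.loads(invite_json)
    guild = data.get("guild") or {}
    actual_id = guild.get("id")
    return {
        "code": data.get("code"),
        "expected_guild_id": expected_guild_id,
        "actual_guild_id": actual_id,
        "guild_name": guild.get("name"),
        "ok": actual_id is not None and actual_id == expected_guild_id,
    }


# Constructed sample: an organisation published discord.gg/examplevanity for guild
# 111111111111111111; after the vanity code was released it now resolves to a
# different guild that uses a lookalike name.
PUBLISHED_LINK = "https://discord.gg/examplevanity"
PUBLISHED_GUILD_ID = "111111111111111111"
RESOLVED_INVITE_JSON = json.dumps({
    "code": "examplevanity",
    "guild": {"id": "222222222222222222", "name": "Example Community (Official)"},
    "channel": {"id": "333333333333333333", "name": "verify"},
})


def audit_published_link(link=PUBLISHED_LINK, invite_json=RESOLVED_INVITE_JSON,
                         expected_guild_id=PUBLISHED_GUILD_ID) -> dict:
    """Audit one published link: is it an invite URL, and does it still land on our guild?"""
    code = extract_invite_code(link)
    if code is None:
        return {"ok": False, "reason": "not a Discord invite URL"}
    result = check_invite(invite_json, expected_guild_id)
    if result["code"] != code:
        result["ok"] = False
        result["reason"] = "API response is for a different invite code"
    elif not result["ok"]:
        result["reason"] = "invite now resolves to a different guild"
    return result


if __name__ == "__main__":
    print(audit_published_link())
```

Run periodically over every invite link an organisation has published (documentation, social profiles, email footers) and alert on any `ok: False`; comparing guild names is not enough, because the lookalike server in the sample deliberately copies the name.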
Check Point researchers identified this active malware campaign in June 2025, uncovering how attackers weaponized the Discord vulnerability.
The campaign demonstrates remarkable technical sophistication, combining the ClickFix phishing technique with multi-stage loaders and time-based evasion. Together these stealthily deliver AsyncRAT, a powerful remote access trojan, alongside a customized variant of Skuld Stealer. What makes the operation particularly insidious is that payload delivery and data exfiltration run exclusively over trusted cloud services, so the malicious traffic blends in with normal network activity, rarely raises security alerts, and is very hard to detect.
The infection mechanism employed in this campaign represents a masterclass in social engineering, utilizing a refined technique known as ClickFix.
Once users join the hijacked Discord server, they encounter what appears to be a legitimate verification process run by a bot. Clicking the verification button redirects them to an external phishing website that closely replicates Discord’s interface. The site shows a fake Google CAPTCHA that appears to fail and prompts the user to complete manual “verification” steps. Meanwhile, JavaScript on the malicious page silently copies a PowerShell command to the user’s clipboard, with no knowledge or direct interaction on the user’s part.
The social engineering works because the “verification” steps are familiar Windows instructions: open the Run dialog with Win+R, paste the clipboard contents, and press Enter, which executes the command. The command hides a Pastebin URL behind string reversal and Base64 encoding; decoding that URL kicks off the final malware infection chain. Because the victim never downloads or runs a file by hand, the usual red flags that might alert a security-conscious user are absent. The campaign’s scale is significant, with potential victims exceeding 1,300 across multiple countries, including the United States, Vietnam, and Germany.
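From a detection standpoint, the Win+R step leaves a recognisable trace: PowerShell started as a child of explorer.exe with a command line that decodes an inline Base64 literal and walks a string backwards. The following added example (not code from the article or from Check Point) triages process-creation events shaped like Sysmon Event ID 1 fields for that combination and, for analysts, recovers the URL hidden in a reversed Base64 literal. The three events are constructed samples, the command line is written in the style the article describes, and `https://pastebin.example/raw/PLACEHOLDER` is a placeholder standing in for the campaign URL, which the article does not publish.

```python
import base64
import binascii
import re

# Constructed placeholder; the article does not publish the campaign's real URL.
PLACEHOLDER_URL = "https://pastebin.example/raw/PLACEHOLDER"

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
# A quoted run of Base64-alphabet characters long enough to hold a URL.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=]{16,})['\"]")
# PowerShell slice $s[-1..-N] is the usual idiom for reversing a string.
REVERSE_IDIOM = re.compile(r"\[-1\.\.-")


def _obfuscate(url: str) -> str:
    """Inverse of the decoder; used only to build the constructed sample below."""
    return base64.b64encode(url.encode()).decode()[::-1]


# Constructed records shaped like Sysmon Event ID 1 (process creation) fields.
SAMPLE_EVENTS = [
    {   # Run dialog (child of explorer.exe) launching PowerShell with a reversed Base64 literal
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": (
            "powershell.exe -c \"$s='" + _obfuscate(PLACEHOLDER_URL) + "';"
            "$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("
            "-join $s[-1..-($s.Length)]))\""
        ),
    },
    {   # Benign: an admin script run from a console, no inline decoding
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -File C:\\scripts\\rotate-logs.ps1",
    },
    {   # Benign: explorer.exe launching an ordinary application
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Notepad++\notepad++.exe",
        "CommandLine": "\"C:\\Program Files\\Notepad++\\notepad++.exe\" notes.txt",
    },
]


def recover_urls(command_line: str) -> list:
    """Decode every long quoted Base64-looking literal, as written and reversed,
    and return any URLs found in the plaintext."""
    urls = []
    for literal in B64_LITERAL.findall(command_line):
        for candidate in (literal, literal[::-1]):
            try:
                text = base64.b64decode(candidate, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not valid Base64 in this orientation, or not text
            urls.extend(URL_RE.findall(text))
    return urls


def triage(event: dict) -> dict:
    """Score one process-creation event for the ClickFix pattern described above."""
    parent = event["ParentImage"].lower()
    image = event["Image"].lower()
    cmd = event["CommandLine"]
    indicators = []
    if image.endswith(("powershell.exe", "pwsh.exe")):
        indicators.append("powershell")
        if parent.endswith("explorer.exe"):
            # Win+R launches its child from explorer.exe; so do double-clicked shortcuts,
            # which is why this alone is only a weak signal.
            indicators.append("spawned by explorer.exe (Run dialog path)")
        if "frombase64string" in cmd.lower():
            indicators.append("inline base64 decode")
        if REVERSE_IDIOM.search(cmd):
            indicators.append("string reversal idiom")
    urls = recover_urls(cmd)
    if urls:
        indicators.append("literal decodes to a URL")
    return {"suspicious": len(indicators) >= 3, "indicators": indicators, "urls": urls}


def triage_all(events) -> list:
    return [triage(e) for e in events]


if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, triage_all(SAMPLE_EVENTS)):
        print(result["suspicious"], result["indicators"], result["urls"])
```

The threshold of three indicators is a design choice: explorer.exe as parent or an inline Base64 decode each occur in benign administration, but a Run-dialog PowerShell that decodes a literal into a URL is the signature of this technique. The recovered URL is what an analyst would hand to a blocklist or a sandbox; the decoder tries both orientations so it also works on commands that do not reverse the string.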