From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery
June 13, 2025, 8:49 p.m.
Description
Check Point Research uncovered a malware campaign exploiting expired Discord invite links to redirect users to malicious servers. The attackers use a combination of techniques including ClickFix phishing, multi-stage loaders, and time-based evasions to deliver AsyncRAT and a customized Skuld Stealer targeting crypto wallets. The campaign leverages trusted cloud services for payload delivery and data exfiltration to avoid detection. The operation continues to evolve, with threat actors now able to bypass Chrome's App Bound Encryption using adapted tools like ChromeKatz to steal cookies from new Chromium browser versions. The campaign highlights how subtle features in Discord's invite system can be exploited as attack vectors.
Date
- Created: June 13, 2025, 2:47 p.m.
- Published: June 13, 2025, 2:47 p.m.
- Modified: June 13, 2025, 8:49 p.m.
Additional Information
- Slovakia
- Austria
- Netherlands
- France
- Germany
- United Kingdom of Great Britain and Northern Ireland
- United States of America