
Discord Users Under Attack: Malicious Invite Links Resurface

Discord Users Under Grave Threat: Reanimated Invite Links Lead to Device Compromise and Crypto Theft


Security researchers are sounding the alarm as a new and insidious threat targets Discord users: hackers are actively hijacking expired or deleted invite links, which often linger across various online platforms, to lure unsuspecting victims into sophisticated scams. Accepting one of these seemingly innocuous invites can lead to a complete device compromise and the devastating theft of cryptocurrency.


The cunning nature of this attack, as detailed in a recent report by Check Point Research, stems from an overlooked feature within Discord's invitation system. Attackers are exploiting the platform's ability to reuse expired or deleted invite links, specifically targeting "vanity" or custom invite links that were once legitimately associated with active servers.


Discord Malicious Link

The modus operandi is disturbingly effective. Hackers scour the internet for these dormant links – found on old forum posts, social media, official websites, and elsewhere – and then re-register them under their control. When a user clicks on one of these reanimated links, they are redirected to a malicious server. There, they are confronted with a fake verification bot and a phishing site meticulously designed to mimic legitimate Discord servers. This elaborate ruse tricks victims into unknowingly executing harmful commands, leading to the download of sophisticated malware onto their computers.


To further evade detection, the attackers leverage other legitimate services, such as GitHub and Pastebin, to host and distribute their malware in multiple, segmented steps. This multi-stage delivery system makes it harder for security software to identify and block the malicious payload.


The primary objective of these attackers is financial gain, with crypto wallets being their prime target. The deployed malware is highly capable, designed to steal credentials and sensitive wallet information. Already, over 1,300 malicious downloads have been tracked across a wide geographical spread, including the US, Vietnam, France, Germany, and other countries, highlighting the global reach of this threat.


How the Hijack Works: A Flaw in the System

Discord, a communication platform popular among video game players for its text, voice, and video chat capabilities, possesses a critical vulnerability in its invitation system. Check Point's investigation revealed that Discord's vanity (custom invite) link registration mechanism surprisingly permits the reuse of expired temporary invite codes, and in some instances, even deleted permanent invite codes. This is particularly problematic for custom URLs crafted with a premium subscription.


The researchers explain that once a temporary invite expires, its code can be registered as a custom invite for a different Discord server, provided that server has a Level 3 Boost. This creates an open hunting ground for attackers seeking out these expired codes on popular platforms, allowing them to effectively "reclaim" and repurpose the same invite for their own malicious servers. For example, if a legitimate server once shared a link like https://discord.gg/<some characters>, once that link becomes inactive, anyone can re-register the identical invite code for their own nefarious purposes.


An additional deceptive tactic exploited by hackers involves uppercase and lowercase letters in invite codes. Even if an active invite code contains uppercase letters (e.g., https://discord[.]gg/uzwgPxUZ), attackers can register another invite link with all lowercase letters (uzwgpxuz). Both links will coexist until the original uppercase link expires, at which point it will automatically redirect to the lowercase, malicious one.


The subsequent stages of the attack mirror classic phishing schemes. Users are rerouted to a convincing phishing site, where they are coerced into downloading malware or executing harmful commands. Recent real-world incidents have seen users compromised with AsyncRAT and Skuld Stealer malware. AsyncRAT, an open-source Remote Access Trojan (RAT), grants attackers extensive remote control over infected systems. Skuld Stealer, on the other hand, is specifically designed to pilfer sensitive user data from Discord, various browsers, crypto wallets, and even gaming platforms.

"By hijacking trusted links, attackers created an effective attack chain that combined social engineering with abuse of legitimate services like GitHub, Bitbucket, and Pastebin," the researchers emphasise.


Check Point cautions that this campaign is not static; it is constantly evolving. Attackers are regularly updating their downloaders to maintain a zero-detection rate on VirusTotal, and they adapt their lures and tools based on the specific user groups they are targeting.

While Discord has taken action to disable the specific malicious bot used in this particular campaign, the underlying tactics remain viable. Other attackers can easily register new bots to exploit the same flaw in the invite system.


Protecting Yourself: Essential Security Measures

To safeguard against this evolving threat, Check Point recommends prioritising permanent invites, as they are more resistant to hijacking. Crucially, if a permanent invite code contains any uppercase letters, it cannot be reused even after deletion.
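Server owners can apply the reuse rules described in this article to links they have already published. The following is an added example, not code from Check Point or Discord: it pulls invite codes out of old posts and rates each against the server's own invite history. The record format, the sample posts and every code except uzwgPxUZ are constructed, and the ratings only restate the rules given above.

```python
import re

# discord.gg/<code> and discord.com/invite/<code>, plain or defanged "[.]"
INVITE_RE = re.compile(
    r"discord(?:\[\.\]|\.)(?:gg|com/invite)/([A-Za-z0-9-]+)", re.IGNORECASE)

# Constructed sample of places where old invites linger (not real data).
SAMPLE_POSTS = """
2021 forum post: join us at https://discord.gg/uzwgPxUZ
Old tweet: giveaway server https://discord[.]gg/eventx42 ends Friday.
Site footer: https://discord.com/invite/MainHub9
Wiki page: community chat at https://discord.gg/oldlobby7
"""

# Assumed record format for the server's own invite history (constructed).
INVENTORY = {
    "uzwgPxUZ": {"kind": "temporary", "state": "active"},
    "eventx42": {"kind": "temporary", "state": "expired"},
    "MainHub9": {"kind": "permanent", "state": "deleted"},
    "oldlobby7": {"kind": "permanent", "state": "deleted"},
}

def extract_codes(text):
    """Return invite codes found in text, in order, without duplicates."""
    return list(dict.fromkeys(INVITE_RE.findall(text)))

def classify(code, inventory):
    """Rate one published code using the reuse rules stated in the article."""
    rec = inventory.get(code)
    if rec is None:
        return "UNKNOWN: not in our records, check where the link leads now"
    has_upper = any(c.isupper() for c in code)
    if rec["kind"] == "temporary":
        if rec["state"] != "active":
            return "HIGH: expired temporary code can be re-registered as a vanity link"
        if has_upper:
            return "MEDIUM: lowercase twin can be registered now and takes over on expiry"
        return "MEDIUM: becomes re-registrable once it expires"
    if rec["state"] == "deleted":
        if has_upper:
            return "LOW: deleted permanent code with uppercase cannot be reused"
        return "HIGH: deleted permanent code without uppercase may be reusable"
    return "LOW: active permanent invite"

def audit(text, inventory):
    """Map every invite code found in text to its rating."""
    return {code: classify(code, inventory) for code in extract_codes(text)}

if __name__ == "__main__":
    for code, rating in audit(SAMPLE_POSTS, INVENTORY).items():
        print(f"{code:10} {rating}")
```

Links rated HIGH or MEDIUM are the ones to replace or take down wherever they were published.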

Discord users must exercise extreme caution when encountering invite links. Always double-check their legitimacy: scrutinise whether the link originates from an old post, tweet, or any unverified source. Before authorising any bots, always look for the "Verified App" badge.


Most importantly, Check Point strongly urges users to never run unknown commands on their computers, even if they appear to come from legitimate servers. No genuine Discord server or verification process will ever require you to execute PowerShell commands or paste anything into your system terminal. Staying vigilant and adhering to these security best practices are paramount to protecting your devices and digital assets from these sophisticated attacks.

 
 
 
