![How to Use AI as a Productivity Tool with Mike Kaput [MAICON 2025 Speaker Series]](https://www.marketingaiinstitute.com/hubfs/v2MAICON-Speaker_Series.png)
![[The AI Show Episode 152]: ChatGPT Connectors, AI-Human Relationships, New AI Job Data, OpenAI Court-Ordered to Keep ChatGPT Logs & WPP’s Large Marketing Model](https://www.marketingaiinstitute.com/hubfs/ep%20152%20cover.png)
![Designing a Robust Modular Hardware-Oriented Application in C++ [closed]](https://i.sstatic.net/f2sQd76t.webp)
_91QLANU.jpg?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#){kind=tracking}
_Alexander-Yakimov_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
_Zoonar_GmbH_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![AirPods Pro 3 Not Launching Until 2026 [Pu]](https://www.iclarified.com/images/news/97620/97620/97620-640.jpg)
![Apple Releases First Beta of iOS 18.6 and iPadOS 18.6 to Developers [Download]](https://www.iclarified.com/images/news/97626/97626/97626-640.jpg)
![Apple Seeds watchOS 11.6 Beta to Developers [Download]](https://www.iclarified.com/images/news/97627/97627/97627-640.jpg)
![Apple Seeds tvOS 18.6 Beta to Developers [Download]](https://www.iclarified.com/images/news/97628/97628/97628-640.jpg)
![T-Mobile customers' address, number, and other info allegedly up for sale; company denies claim [UPDATED]](https://m-cdn.phonearena.com/images/article/171306-two/T-Mobile-customers-address-number-and-other-info-allegedly-up-for-sale-company-denies-claim-UPDATED.jpg?#)
Hackers Hijacked Discord Invite to Inject Malicious Links That Deliver AsyncRAT
Cybercriminals have developed a sophisticated attack campaign that exploits Discord’s invite system to distribute dangerous malware, including AsyncRAT remote access trojans and cryptocurrency-stealing software. The campaign leverages expired Discord invite codes and social engineering tactics to redirect unsuspecting users to malicious servers designed to appear legitimate. The attack begins when threat actors monitor and claim […] The post Hackers Hijacked Discord Invite to Inject Malicious Links That Deliver AsyncRAT appeared first on Cyber Security News.
Cybercriminals have developed a sophisticated attack campaign that exploits Discord’s invite system to distribute dangerous malware, including AsyncRAT remote access trojans and cryptocurrency-stealing software.
The campaign leverages expired Discord invite codes and social engineering tactics to redirect unsuspecting users to malicious servers designed to appear legitimate.
The attack begins when threat actors monitor and claim expired Discord invite codes, particularly those from boosted servers with vanity URLs.
.webp)
When legitimate Discord communities lose their Level 3 Boost status or allow temporary invites to expire, attackers can register these same codes for their own malicious servers.
Users clicking on previously trusted invite links from websites, forums, or social media are unknowingly redirected to fake Discord servers controlled by cybercriminals.
Dark Atlas researchers identified this campaign in February 2025, noting the use of sophisticated multi-stage infection chains that combine ClickFix phishing techniques with time-based evasion tactics.
The attackers specifically target cryptocurrency users and gamers, deploying both AsyncRAT for remote system control and a customized variant of Skuld Stealer designed to extract sensitive wallet information.
The malware campaign has demonstrated significant reach, with payload downloads exceeding 1,300 across observed repositories hosted on platforms like Bitbucket and GitHub.
Victims span multiple countries including the United States, Vietnam, France, Germany, and the United Kingdom, indicating a geographically diverse operation targeting English-speaking and European cryptocurrency communities.
The Verification Trap and Malware Deployment
Once users join the hijacked Discord server, they encounter what appears to be a standard verification process through a single unlocked channel typically named “#verify.”
A malicious bot, often using trusted-sounding names like “Safeguard” or “TrustBot,” instructs users to complete verification by clicking a prominent button.
This interaction triggers a carefully orchestrated infection sequence that exploits both Discord’s OAuth2 system and user trust.
When users click the verification button, they are redirected to an external phishing website such as captchaguard[.]me, which mimics Discord’s interface while secretly executing malicious code.
.webp)
The site presents a fake verification page with a green shield logo and security messaging, but clicking the “Verify” button silently copies a malicious PowerShell command to the user’s clipboard.
This PowerShell script serves as the initial payload downloader, fetching encrypted malware components from legitimate platforms to avoid detection.
The PowerShell command initiates a multi-stage infection process that downloads and executes two primary payloads.
The first is AsyncRAT version 0.5.8, which provides attackers with comprehensive remote access capabilities including command execution, keylogging, screen capture, and webcam access.
Rather than hardcoding command and control servers, this variant uses a dead drop resolver mechanism, fetching server addresses from Pastebin links that can be quickly updated to evade security measures.
The second payload consists of a customized Skuld Stealer variant written in Go, specifically engineered to target cryptocurrency wallets.
This malware performs sophisticated injection attacks against popular wallets like Exodus and Atomic, replacing legitimate application files with trojanized versions.
The malicious code hooks into wallet unlock functions to capture seed phrases and passwords, transmitting this sensitive information through encrypted Discord webhooks.
The stealer also incorporates ChromeKatz integration to bypass Google’s Application-Bound Encryption, extracting browser cookies directly from memory rather than encrypted databases.
This campaign represents a concerning evolution in cybercrime tactics, demonstrating how attackers can abuse legitimate platform features and trusted communication channels to distribute sophisticated malware while maintaining a low detection profile.
Automate threat response with ANY.RUN’s TI Feeds—Enrich alerts and block malicious IPs across all endpoints -> Request full access
The post Hackers Hijacked Discord Invite to Inject Malicious Links That Deliver AsyncRAT appeared first on Cyber Security News.
