{"id":53955,"date":"2025-07-25T06:07:54","date_gmt":"2025-07-25T10:07:54","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=53955"},"modified":"2025-08-04T06:35:27","modified_gmt":"2025-08-04T10:35:27","slug":"hijacked-discord-invite-links-for-multi-stage-malware-delivery","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/hijacked-discord-invite-links-for-multi-stage-malware-delivery\/53955\/","title":{"rendered":"How malicious actors exploit Discord&#8217;s invite system"},"content":{"rendered":"<p>Attackers are using expired and deleted Discord invite links to distribute two strains of malware: AsyncRAT for taking remote control of infected computers, and Skuld Stealer for stealing crypto wallet data. They do this by <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/discord-flaw-lets-hackers-reuse-expired-invites-in-malware-campaign\/\" target=\"_blank\" rel=\"nofollow noopener\">exploiting a vulnerability in Discord\u2019s invite link system<\/a> to stealthily redirect users from trusted sources to malicious servers.<\/p>\n<p>The attack leverages the ClickFix technique, multi-stage loaders and deferred execution to bypass defenses and deliver malware undetected. This post examines in detail how attackers exploit the invite link system, what ClickFix is and why they use it, and, most importantly, how not to fall victim to this scheme.<\/p>\n<h2>How Discord invite links work<\/h2>\n<p>First, let\u2019s look at how Discord invite links work and how they differ from each other. By doing so, we\u2019ll gain an insight into how the attackers learned to exploit the link creation system in Discord.<\/p>\n<p>Discord invite links are special URLs that users can use to join servers. They are created by administrators to simplify access to communities without having to add members manually. 
Invite links in Discord can take two alternative formats:<\/p>\n<ul>\n<li>https:\/\/discord.gg\/{invite_code}<\/li>\n<li>https:\/\/discord.com\/invite\/{invite_code}<\/li>\n<\/ul>\n<p>Having more than one format, with one that uses a \u201cmeme\u201d domain, is not the best solution from a security viewpoint, as it sows confusion in the users\u2019 minds. But that\u2019s not all. Discord invite links also have three main types, which differ significantly from each other in terms of properties:<\/p>\n<ul>\n<li>Temporary invite links<\/li>\n<li>Permanent invite links<\/li>\n<li>Custom invite links (vanity URLs)<\/li>\n<\/ul>\n<p>Links of the first type are what <a href=\"https:\/\/support.discord.com\/hc\/en-us\/articles\/208866998-Invites-101\" target=\"_blank\" rel=\"nofollow noopener\">Discord creates by default<\/a>. Moreover, in the Discord app, the server administrator has a choice of fixed invite expiration times: 30 minutes, 1 hour, 6 hours, 12 hours, 1 day or 7 days (the default option). For links created through the Discord API, a custom expiration time can be set \u2014 any value up to 7 days.<\/p>\n<p>Codes for temporary invite links are randomly generated and usually contain 7 or 8 characters, including uppercase and lowercase letters, as well as numbers. Examples of a temporary link:<\/p>\n<ul>\n<li>https:\/\/discord.gg\/a7X9pLd<\/li>\n<li>https:\/\/discord.gg\/Fq5zW2cn<\/li>\n<\/ul>\n<p>To create a permanent invite link, the server administrator must manually select <em>Never<\/em> in the <em>Expire After<\/em> field. Permanent invite codes consist of 10 random characters \u2014 uppercase and lowercase letters, and numbers, as before. 
Example of a permanent link:<\/p>\n<ul>\n<li>https:\/\/discord.gg\/hT9aR2kLmB<\/li>\n<\/ul>\n<p>Lastly, <a href=\"https:\/\/support.discord.com\/hc\/en-us\/articles\/115001542132-Custom-Invite-Link\" target=\"_blank\" rel=\"nofollow noopener\">custom invite links (vanity links)<\/a> are available only to Discord Level 3 servers. To reach this level, a server <a href=\"https:\/\/support.discord.com\/hc\/en-us\/articles\/360028038352-Server-Boosting-FAQ\" target=\"_blank\" rel=\"nofollow noopener\">must get 14 boosts<\/a>, which are paid upgrades that community members can buy to unlock special perks. That\u2019s why popular communities with an active audience \u2014 servers of bloggers, streamers, gaming clans or public projects \u2014 usually attain Level 3.<\/p>\n<p>Custom invite links allow administrators to set their own invite code, which must be unique among all servers. The code can contain lowercase letters, numbers and hyphens, and can be almost arbitrary in length \u2014 from 2 to 32 characters. A server can have only one custom link at any given time.<\/p>\n<p>Such links are always permanent \u2014 they do not expire as long as the server maintains Level 3 perks. If the server loses this level, its vanity link becomes available for reuse by another server with the required level. Examples of a custom invite link:<\/p>\n<ul>\n<li>https:\/\/discord.gg\/alanna-titterington<\/li>\n<li>https:\/\/discord.gg\/best-discord-server-ever<\/li>\n<li>https:\/\/discord.gg\/fq5zw2cn<\/li>\n<\/ul>\n<p>From this last example, attentive readers may guess where we\u2019re heading.<\/p>\n<h2>How scammers exploit the invite system<\/h2>\n<p>Now that we\u2019ve looked at the different types of Discord invite links, let\u2019s see how malicious actors weaponize the mechanism. 
Note that when a regular, <em>non-custom<\/em> invite link expires or is deleted, the administrator of a legitimate server cannot get the same code again, since all codes are generated randomly.<\/p>\n<p>But when creating a <em>custom<\/em> invite link, the server owner can manually enter any available code, including one that matches the code of a previously expired or deleted link.<\/p>\n<p>It is this quirk of the invite system that attackers exploit: they track legitimate expiring codes, then register them as custom links on their servers with Level 3 perks.<\/p>\n<p>As a result, scammers can use:<\/p>\n<ul>\n<li>Any expired temporary invite links (even if the expired link has capital letters and the scammers\u2019 custom URL replaces them with lowercase, the system automatically redirects the user to this vanity URL)<\/li>\n<li>Permanent invite links deleted from servers, if the code consisted solely of lowercase letters and numbers (no redirection here)<\/li>\n<li>Custom invite links, if the original server has lost Level 3 perks and its link is available for re-registration<\/li>\n<\/ul>\n<p>What does this substitution lead to? Attackers get the ability to direct users who follow links previously posted on wholly legitimate resources (social networks, websites, blogs and forums of various communities) to their own malicious servers on Discord.<\/p>\n<p>What\u2019s more, the legal owners of these resources may not even realize that the old invite links now point to fake Discord servers set up to distribute malware. This means they can\u2019t even warn users that a link is dangerous, or delete messages in which it appears.<\/p>\n<h2>How ClickFix works in Discord-based attacks<\/h2>\n<p>Now let\u2019s talk about what happens to users who follow hijacked invite links received from trusted sources. 
After joining the attackers\u2019 Discord server, the user sees that all channels are unavailable to them except one, called <em>verify<\/em>.<\/p>\n<div id=\"attachment_53959\" style=\"width: 1417px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/07\/25054246\/hijacked-discord-invite-links-for-multi-stage-malware-delivery-1.jpeg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-53959\" class=\"size-full wp-image-53959\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/07\/25054246\/hijacked-discord-invite-links-for-multi-stage-malware-delivery-1.jpeg\" alt=\"Malicious Discord server\" width=\"1407\" height=\"899\"><\/a><p id=\"caption-attachment-53959\" class=\"wp-caption-text\">On the attackers\u2019 Discord server, users who followed the hijacked link have access to only one channel, verify <a href=\"https:\/\/research.checkpoint.com\/2025\/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery\/\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>This channel features a bot named Safeguard that offers full access to the server. 
To get this, the user must click the <em>Verify<\/em> button, which is followed by a prompt to authorize the bot.<\/p>\n<div id=\"attachment_53960\" style=\"width: 862px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/07\/25054347\/hijacked-discord-invite-links-for-multi-stage-malware-delivery-2.jpeg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-53960\" class=\"size-full wp-image-53960\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/07\/25054347\/hijacked-discord-invite-links-for-multi-stage-malware-delivery-2.jpeg\" alt=\"Authorization window of the Safeguard bot\" width=\"852\" height=\"1122\"><\/a><p id=\"caption-attachment-53960\" class=\"wp-caption-text\">On clicking the Authorize button, the user is automatically redirected to the attackers\u2019 external site, where the next and most important phase of the attack begins. <a href=\"https:\/\/research.checkpoint.com\/2025\/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery\/\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>After authorization, the bot gains access to profile information (username, avatar, banner), and the user is redirected to an external site: https:\/\/captchaguard<strong>[.]<\/strong>me. 
Next, the user goes through a chain of redirects and ends up on a well-designed web page that mimics the Discord interface, with a <em>Verify<\/em> button in the center.<\/p>\n<div id=\"attachment_53961\" style=\"width: 1490px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/07\/25054603\/hijacked-discord-invite-links-for-multi-stage-malware-delivery-3.jpeg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-53961\" class=\"size-full wp-image-53961\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/07\/25054603\/hijacked-discord-invite-links-for-multi-stage-malware-delivery-3.jpeg\" alt=\"Fake verification screen on an external site\" width=\"1480\" height=\"1078\"><\/a><p id=\"caption-attachment-53961\" class=\"wp-caption-text\">Redirection takes the user to a fake page styled to look like the Discord interface. Clicking the Verify button activates malicious JavaScript code that copies a PowerShell command to the clipboard <a href=\"https:\/\/research.checkpoint.com\/2025\/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery\/\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>Clicking the <em>Verify<\/em> button activates JavaScript code that copies a malicious PowerShell command to the clipboard. 
The user is then given precise instructions on how to \u201cpass the check\u201d: open the <em>Run<\/em> window (Win + R), paste the copied text (Ctrl + V), and press Enter.<\/p>\n<div id=\"attachment_53962\" style=\"width: 850px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/07\/25054655\/hijacked-discord-invite-links-for-multi-stage-malware-delivery-4.jpeg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-53962\" class=\"size-full wp-image-53962\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/07\/25054655\/hijacked-discord-invite-links-for-multi-stage-malware-delivery-4.jpeg\" alt=\"The ClickFix technique implemented by Discord link hijackers\" width=\"840\" height=\"849\"><\/a><p id=\"caption-attachment-53962\" class=\"wp-caption-text\">Next comes the ClickFix technique: the user is instructed to paste and run the malicious command copied to the clipboard in the previous step. <a href=\"https:\/\/research.checkpoint.com\/2025\/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery\/\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>The site does not ask the user to download or run any files manually, thereby removing the typical warning signs. Instead, users essentially infect themselves by running a malicious PowerShell command that the site slips onto the clipboard. All these steps are part of an infection tactic called ClickFix, <a href=\"https:\/\/www.kaspersky.com\/blog\/what-is-clickfix\/53348\/\" target=\"_blank\" rel=\"noopener nofollow\">which we\u2019ve already covered in depth on our blog<\/a>.<\/p>\n<h2>AsyncRAT and Skuld Stealer malware<\/h2>\n<p>The user-activated PowerShell script is the first step in the multi-stage delivery of the malicious payload. 
The attackers\u2019 next goal is to install two malicious programs on the victim\u2019s device \u2014 let\u2019s take a closer look at each of them.<\/p>\n<p>First, the attackers download a modified version of AsyncRAT to gain remote control over the infected system. This tool provides a wide range of capabilities: executing commands and scripts, intercepting keystrokes, viewing the screen, managing files, and accessing the remote desktop and camera.<\/p>\n<p>Next, the cybercriminals install Skuld Stealer on the victim\u2019s device. This crypto stealer harvests system information, siphons off Discord login credentials and authentication tokens saved in the browser, and, crucially, steals seed phrases and passwords for Exodus and Atomic crypto wallets by injecting malicious code directly into their interface.<\/p>\n<p>Skuld sends all collected data via a <a href=\"https:\/\/support.discord.com\/hc\/en-us\/articles\/228383668\" target=\"_blank\" rel=\"nofollow noopener\">Discord webhook<\/a> \u2014 a one-way HTTP channel that allows applications to automatically send messages to Discord channels. This gives the attackers a secure way of stealing information directly through Discord without the need for a sophisticated management infrastructure.<\/p>\n<p>As a result, all data \u2014 from passwords and authentication tokens to crypto wallet seed phrases \u2014 is automatically published in a private channel set up in advance on the attackers\u2019 Discord server. Armed with the seed phrases, the attackers can recover all the private keys of the hijacked wallets and gain full control over all cryptocurrency assets of their victims.<\/p>\n<h2>How to avoid falling victim?<\/h2>\n<p>Unfortunately, Discord\u2019s invite system lacks transparency and clarity. 
And this makes it extremely difficult, especially for newbies, to spot the trick before clicking a hijacked link and during the redirection process.<\/p>\n<p>Nevertheless, there are some security measures that, if done properly, should fend off the worst outcome \u2014 a malware-infected computer and financial losses:<\/p>\n<ul>\n<li>Never paste code into the <em>Run<\/em> window if you don\u2019t know exactly what it does. Doing this is extremely dangerous, and normal sites will never give such an instruction.<\/li>\n<li>Configure Discord privacy and security by following <a href=\"https:\/\/www.kaspersky.com\/blog\/discord-privacy-security\/38546\/\" target=\"_blank\" rel=\"noopener nofollow\">our detailed guide<\/a>. This will not guard against hijacked invite links, but will minimize other risks associated with Discord.<\/li>\n<li>Use a <a href=\"https:\/\/www.kaspersky.com\/premium?icid=gl_bb2023-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener nofollow\">reliable security solution<\/a>\u00a0that gives advance warning of danger and prevents the download of malware. It\u2019s best to install it on all devices, but especially on ones where you use crypto wallets and other financial software.<\/li>\n<\/ul>\n<blockquote><p>Malicious actors often target Discord to steal cryptocurrency, game accounts and assets, and generally cause misery for users. 
Check out our posts for more examples of Discord scams:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/malware-in-discord\/42846\/\" target=\"_blank\" rel=\"noopener nofollow\">Malicious activity in Discord chats<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/cryptoscam-in-discord\/38661\/\" target=\"_blank\" rel=\"noopener nofollow\">Cryptoscam in Discord<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/cryptoscam-in-discord-fake-news-services\/38764\/\" target=\"_blank\" rel=\"noopener nofollow\">Discord cryptoscam: Attack of the clones<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/cryptoscam-in-discord-fake-dex-airdrop\/39140\/\" target=\"_blank\" rel=\"noopener nofollow\">Discord cryptoscam: Revenge of the fraudsters<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/cryptoscam-in-discord-fake-ico\/40165\/\" target=\"_blank\" rel=\"noopener nofollow\">Discord cryptoscam: A new hope<\/a><\/li>\n<\/ul>\n<\/blockquote>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"premium-crypto-generic\">\n","protected":false},"excerpt":{"rendered":"<p>Attackers hijack Discord invite links and redirect victims to scam servers to install malware using the ClickFix 
technique.<\/p>\n","protected":false},"author":2726,"featured_media":53957,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2683],"tags":[111,4650,4635,4026,4426,36,607,746,97,211,3244,422],"class_list":{"0":"post-53955","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-attacks","9":"tag-clickfix","10":"tag-cryptocurrency","11":"tag-discord","12":"tag-links","13":"tag-malware-2","14":"tag-messengers","15":"tag-rat","16":"tag-security-2","17":"tag-social-media","18":"tag-stealers","19":"tag-threats"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/hijacked-discord-invite-links-for-multi-stage-malware-delivery\/53955\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/hijacked-discord-invite-links-for-multi-stage-malware-delivery\/28362\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/hijacked-discord-invite-links-for-multi-stage-malware-delivery\/31208\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/hijacked-discord-invite-links-for-multi-stage-malware-delivery\/40170\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/hijacked-discord-invite-links-for-multi-stage-malware-delivery\/13615\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/hijacked-discord-invite-links-for-multi-stage-malware-delivery\/23019\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/hijacked-discord-invite-links-for-multi-stage-malware-delivery\/24048\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/hijacked-discord-invite-links-for-multi-stage-malware-delivery\/29440\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/discord\/","name":"Discord"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53955","targetHints":{"
allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=53955"}],"version-history":[{"count":9,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53955\/revisions"}],"predecessor-version":[{"id":54024,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53955\/revisions\/54024"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/53957"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=53955"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=53955"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=53955"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}