Saturday, January 17, 2026

Discord Invite Compromised by Hackers to Spread AsyncRAT Malware via Malicious Links

Recent investigations have revealed a sophisticated cyberattack campaign that leverages Discord’s invite system to distribute malware, with a particular focus on AsyncRAT and a customized Skuld Stealer variant.

The attacks target cryptocurrency holders, gamers, and online communities by exploiting trusted Discord features and employing social engineering tactics.

Exploitation of Trusted Discord Features

Discord, a popular platform for real-time communication, relies on invite links to grant users access to servers and groups.

These links typically look like https://discord.com/invite/<code> or https://discord.gg/<code>. Attackers have abused this system by registering fake domains (e.g., discord-giveaway[.]net, discordnitro[.]gift) and exploiting expired, reusable, or hijacked invite codes.

Once legitimate or boosted servers lose access to their invite codes, attackers quickly register the same codes for their malicious servers, effectively “hijacking” user trust.

A particularly insidious exploitation involves the Safeguard#0786 bot, which has been observed in active campaigns since early 2025.

When users join an attacker-controlled server, they are led to a #verify channel and prompted to click a verification button.

Clicking this button redirects them to a phishing page such as captchaguard[.]me, which mimics Discord’s authentication process. Here, unsuspecting users are tricked into authorizing OAuth2 access and may unknowingly allow malicious code to be executed.

Malicious Payload and Exfiltration

Upon interacting with the fake verification site, a PowerShell script is copied to the victim’s clipboard.

Execution of this script downloads and runs AsyncRAT, an open-source remote access trojan capable of executing commands, logging keystrokes, capturing the screen, manipulating files, and accessing remote desktops or webcams.

This variant of AsyncRAT employs a “dead drop resolver” mechanism, which means it retrieves its command-and-control (C2) server address from a public Pastebin link rather than hardcoding it, making detection and tracking more challenging.

Alongside AsyncRAT, attackers deploy an evolved variant of Skuld Stealer, written in Go and tailored to target cryptocurrency wallets such as Exodus and Atomic.

The stealer exfiltrates browser data, Discord tokens, and sensitive wallet information via encrypted Discord webhooks.

Notably, it also injects malicious JavaScript into the wallet’s application files, allowing the capture of seed phrases and passwords.

To maximize stealth, the payload is periodically updated and downloaded from trusted platforms like GitHub and Bitbucket, maintaining a low detection rate on security scanners.

Defense and Prevention

This campaign highlights the dangers of trusting Discord invites and the ease with which attackers weaponize social engineering.

To mitigate risk, users should verify invite links directly with community moderators or official sources before joining a server.
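As an added example (not from the original report or from Discord), the following Python function separates the two invite URL shapes described above from look-alike domains before a link is followed. The function name, the verdict labels and the invite-code character set are assumptions, and the sample URLs are constructed apart from the defanged domains quoted in this article.

```python
import re
from urllib.parse import urlsplit

# The two invite shapes the article names. The code character set is an assumption.
OFFICIAL = {
    "discord.com": re.compile(r"/invite/([A-Za-z0-9-]+)/?"),
    "discord.gg": re.compile(r"/([A-Za-z0-9-]+)/?"),
}

def classify_invite(url):
    """Return (verdict, code). Verdicts (hypothetical labels):
    official-host, official-other, lookalike, unrelated."""
    url = url.strip().replace("[.]", ".")      # accept defanged indicators
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    # Reject userinfo ("discord.com@other-host") and explicit ports outright.
    plain = parts.scheme == "https" and not any(c in parts.netloc for c in "@:")
    if host in OFFICIAL:
        m = OFFICIAL[host].fullmatch(parts.path) if plain else None
        # A genuine host and shape say nothing about who owns the code now:
        # a re-registered code looks identical, so this is not a "safe" verdict.
        return ("official-host", m.group(1)) if m else ("official-other", None)
    if "discord" in parts.netloc.lower():
        return "lookalike", None               # brand name on a non-Discord host
    return "unrelated", None

if __name__ == "__main__":
    samples = [                                # constructed sample input
        "https://discord.gg/example-code",
        "https://discord.com/invite/EXAMPLE1",
        "discord-giveaway[.]net",
        "https://discord.com@evil.example/invite/abc",
        "captchaguard[.]me",
    ]
    for s in samples:
        print(f"{s:50} {classify_invite(s)}")
```

An `official-host` verdict confirms only the domain and URL shape, so the returned code still has to be checked with moderators or an official source. The verification-page domain named earlier contains no "discord" string and comes back as `unrelated`, which shows the name heuristic does not replace that check.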

Installing reputable security software, avoiding suspicious verification prompts, and scrutinizing unknown bots are crucial steps for defense.

Discord’s recent intervention to remove malicious bots is a positive step, but users must remain vigilant as attackers continue to evolve their tactics.

Indicators of Compromise (IOCs)

