Discord Invite Hijacking: How Fake Links Are Delivering Infostealers

Medium
Published: Fri Jun 20 2025 (06/20/2025, 21:13:48 UTC)
Source: AlienVault OTX General

Description

Cybercriminals are exploiting Discord's invite system and content delivery features to distribute malware and steal sensitive data. They use fake invite links, expired codes, and vanity URLs to redirect users to malicious servers. The attack chain involves a sophisticated combination of social engineering, multi-stage loaders, and time-based evasion tactics. Victims are tricked into authorizing a fake bot, which leads to the deployment of AsyncRAT and a customized Skuld Stealer. These malware variants target browser credentials, Discord tokens, and cryptocurrency wallets. The campaign uses trusted platforms like GitHub and Bitbucket to host encrypted payloads, and employs advanced techniques to bypass security measures and maintain persistence.

AI-Powered Analysis

Last updated: 06/24/2025, 14:18:53 UTC

Technical Analysis

The Discord Invite Hijacking campaign is a sophisticated multi-stage attack leveraging Discord's invite system and content delivery mechanisms to distribute malware aimed at stealing sensitive information. Attackers craft fake Discord invite links, expired invite codes, and vanity URLs to redirect users to malicious Discord servers. The attack chain begins with social engineering tactics that trick victims into authorizing a malicious bot within Discord. Once authorized, this bot facilitates the deployment of two primary malware payloads: AsyncRAT, a remote access trojan capable of extensive system control, and a customized variant of Skuld Stealer, which targets browser credentials, Discord authentication tokens, and cryptocurrency wallets. The campaign employs advanced evasion techniques including time-based payload delivery and encrypted multi-stage loaders hosted on trusted platforms such as GitHub and Bitbucket, which help bypass traditional security controls and maintain persistence on infected systems. The malware leverages techniques such as credential dumping (T1005), process injection (T1055), persistence mechanisms (T1547.001), and command and control communication over standard protocols (T1071.001). The use of wallet injection techniques and targeting of cryptocurrency assets highlights a financial motivation. This campaign does not require exploitation of software vulnerabilities but relies heavily on social engineering and user interaction to initiate the infection chain. No known exploits in the wild have been reported yet, but the campaign’s use of trusted infrastructure and sophisticated evasion tactics make it a credible threat vector for users of Discord and related platforms.

Potential Impact

European organizations, particularly those with active Discord communities or employees who use Discord for communication, are at risk of credential theft, unauthorized access, and financial loss due to cryptocurrency wallet compromise. The theft of browser credentials and Discord tokens can lead to further lateral movement within corporate environments if these credentials are reused or linked to corporate accounts. The deployment of AsyncRAT allows attackers to gain persistent remote access, potentially leading to data exfiltration, espionage, or disruption of services. Organizations in sectors with high cryptocurrency usage or those involved in gaming, software development, or online communities may face increased risks. The use of trusted platforms like GitHub and Bitbucket to host payloads complicates detection and response efforts, increasing the likelihood of prolonged undetected compromise. Additionally, the social engineering aspect means that even well-secured environments can be vulnerable if users are not adequately trained to recognize malicious invites and bot authorization requests. The campaign’s multi-stage and time-based evasion tactics further reduce the effectiveness of traditional signature-based defenses, increasing the potential impact on confidentiality, integrity, and availability of affected systems.

Mitigation Recommendations

1. Implement strict Discord usage policies within organizations, including restricting the authorization of bots to verified and trusted entities only.
2. Educate users on the risks of clicking on unsolicited Discord invite links, especially those that appear expired or use vanity URLs, and train them to verify invite legitimacy through official channels.
3. Deploy endpoint detection and response (EDR) solutions capable of detecting behaviors associated with AsyncRAT and Skuld Stealer, such as unusual process injection, credential dumping, and persistence mechanisms.
4. Monitor network traffic for suspicious connections to GitHub, Bitbucket, or other code hosting platforms that may be used to fetch encrypted payloads, and apply anomaly detection to identify unusual patterns.
5. Enforce multi-factor authentication (MFA) on all critical accounts, including Discord and cryptocurrency wallets, to reduce the impact of stolen credentials.
6. Regularly audit and revoke unnecessary bot authorizations within Discord servers to minimize attack surface.
7. Employ threat hunting focused on indicators of compromise related to this campaign, such as detection of AsyncRAT command and control traffic or Skuld Stealer activity.
8. Use application allowlisting to prevent unauthorized execution of unknown binaries and scripts that may be part of the multi-stage loaders.
9. Maintain up-to-date security awareness programs emphasizing the risks of social engineering attacks via collaboration platforms.
10. Collaborate with Discord and platform providers to report suspicious invite links and malicious bots promptly.
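Recommendations 4 and 7 above amount to sweeping DNS, proxy and EDR telemetry for the indicators listed further down this record. The following script is an added example, not part of the AlienVault record or the darkatlas.io write-up: it loads a subset of the record's domains, IPs and hashes, runs them over a few constructed log lines in a hypothetical key=value format, and additionally flags domains that contain "discord" but do not belong to the Discord-owned suffixes the script assumes (that allowlist is an assumption to maintain locally, not something the record states).

```python
"""Added example: match constructed log lines against this record's IoCs and
flag Discord look-alike domains. Not code from the advisory or its author."""
import re

# Indicators copied from this record's IoC section (hashes are a subset;
# load the full list from the record in a real deployment).
IOC_DOMAINS = {
    "captchaguard.me", "discord-giveaway.net", "discordapp-login.com",
    "discordgifts.net", "discordnitro.gift", "microads.top", "request.open",
}
IOC_IPS = {"101.99.76.120", "185.234.247.8", "87.120.127.37"}
IOC_HASHES = {
    "3d32539314f681bc250ee749e1dc4538",                                   # MD5
    "4ef039f4fdd0df3a9d20feb34b1cfd62",                                   # MD5
    "363a97ec2f5b63c9d5e8f0f2daf487c9db423a58",                           # SHA-1
    "4501e8029fedadab2cbaa9e504301200c4cd2bfe",                           # SHA-1
    "160eda7ad14610d93f28b7dee20501028c1a9d4f5dc0437794ccfc2604807693",   # SHA-256
    "375fa2e3e936d05131ee71c5a72d1b703e58ec00ae103bbea552c031d3bfbdbe",   # SHA-256
}

# ASSUMPTION: suffixes treated as genuinely Discord-operated. Anything else
# containing "discord" is reported as a look-alike for an analyst to review.
LEGIT_DISCORD_SUFFIXES = ("discord.com", "discord.gg", "discordapp.com", "discordapp.net")
LOOKALIKE_RE = re.compile(r"discord", re.IGNORECASE)

# Constructed sample telemetry (hypothetical format: "<ts> <source> k=v k=v ...").
SAMPLE_LOG = [
    "2025-06-20T21:13:48Z dns client=10.0.0.5 query=discordnitro.gift",
    "2025-06-20T21:13:50Z dns client=10.0.0.5 query=cdn.discordapp.com",
    "2025-06-20T21:13:55Z dns client=10.0.0.7 query=discord-nitro-free.example",
    "2025-06-20T21:14:02Z proxy client=10.0.0.5 dst=185.234.247.8 host=api.github.com",
    "2025-06-20T21:14:10Z edr client=10.0.0.5 hash=160eda7ad14610d93f28b7dee20501028c1a9d4f5dc0437794ccfc2604807693",
    "2025-06-20T21:15:00Z dns client=10.0.0.9 query=www.example.org",
]


def classify_hash(h):
    """Hash type is implied by hex length: 32 = MD5, 40 = SHA-1, 64 = SHA-256."""
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(h), "unknown")


def is_legit_discord(domain):
    """True when the domain is exactly, or a subdomain of, an assumed Discord suffix."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in LEGIT_DISCORD_SUFFIXES)


def parse_line(line):
    """Split '<ts> <source> k=v ...' into a dict; malformed tokens are ignored."""
    parts = line.split()
    fields = dict(tok.split("=", 1) for tok in parts[2:] if "=" in tok)
    fields["ts"], fields["source"] = parts[0], parts[1]
    return fields


def scan(lines):
    """Return (alert_type, client, indicator) tuples for every IoC or look-alike hit."""
    alerts = []
    for line in lines:
        f = parse_line(line)
        client = f.get("client", "?")
        domain = (f.get("query") or f.get("host") or "").lower().rstrip(".")
        if domain:
            if domain in IOC_DOMAINS:
                alerts.append(("ioc_domain", client, domain))
            elif LOOKALIKE_RE.search(domain) and not is_legit_discord(domain):
                alerts.append(("discord_lookalike", client, domain))
        dst = f.get("dst")
        if dst in IOC_IPS:
            alerts.append(("ioc_ip", client, dst))
        h = (f.get("hash") or "").lower()
        if h in IOC_HASHES:
            alerts.append(("ioc_hash_" + classify_hash(h), client, h))
    return alerts


def clients_with_hits(alerts):
    """Map each client to the number of alerts, so repeat offenders surface first."""
    counts = {}
    for _, client, _ in alerts:
        counts[client] = counts.get(client, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
    print(clients_with_hits(scan(SAMPLE_LOG)))
```

The look-alike rule is deliberately loud: a domain such as discord-nitro-free.example is not in the record, yet it is exactly the kind of invite bait the analysis describes, so it is worth an analyst's glance even before it appears on any feed. Exact IoC hits, by contrast, warrant isolating the client and checking it for the AsyncRAT and Skuld Stealer behaviors listed in recommendation 3.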

Technical Details

Author
AlienVault
Tlp
white
References
https://darkatlas.io/blog/discord-invite-hijacking-how-fake-links-are-delivering-infostealers
Adversary
null
Pulse Id
6855cf0cbbcbda407dae0a8b
Threat Score
null

Indicators of Compromise

Hash

MD5:
3d32539314f681bc250ee749e1dc4538
4ef039f4fdd0df3a9d20feb34b1cfd62
6e397edeb705cdd9de4cb2f16dbed271
7834b9b4574b68ba85eabd79b9770b08
8a5449c0ed6d73f0dc1be74156413d02
b5d26bf46c4732be2a28ba4fc88d4241
c6b5034526b90943b8c478494068a08d
f9db8601d94df9c026331066a2ba9ae1
fc13b02d22f6fe582e2948259660e3d5

SHA-1:
363a97ec2f5b63c9d5e8f0f2daf487c9db423a58
4501e8029fedadab2cbaa9e504301200c4cd2bfe
4e9ba566d5f0d8ab7f600e5b12f0b1edecff5f3d
8dca55b5485aa1d9fa8716f15ee3802d8e8f43e5
94b3250879e3600b24318e47620ae5aab15d8640
96d660016368f406560631d9c142e7946cb49c46
9af70bbe2eb389a76dafeb7bdab890799f14620b
d383b44cb3c7e5a2e460300182d89932869a7281
e6b9aca260498ed928e580fb920e78135a5a5150

SHA-256:
160eda7ad14610d93f28b7dee20501028c1a9d4f5dc0437794ccfc2604807693
375fa2e3e936d05131ee71c5a72d1b703e58ec00ae103bbea552c031d3bfbdbe
53b65b7c38e3d3fca465c547a8c1acc53c8723877c6884f8c3495ff8ccc94fbe
5d0509f68a9b7c415a726be75a078180e3f02e59866f193b0a99eee8e39c874f
670be5b8c7fcd6e2920a4929fcaa380b1b0750bfa27336991a483c0c0221236a
673090abada8ca47419a5dbc37c5443fe990973613981ce622f30e83683dc932
8135f126764592be3df17200f49140bfb546ec1b2c34a153aa509465406cb46c
d54fa589708546eca500fbeea44363443b86f2617c15c8f7603ff4fb05d494c1
db1aa52842247fc3e726b339f7f4911491836b0931c322d1d2ab218ac5a4fb08
ef8c2f3c36fff5fccad806af47ded1fd53ad3e7ae22673e28e541460ff0db49c
f08676eeb489087bc0e47bd08a3f7c4b57ef5941698bc09d30857c650763859c

IP

101.99.76.120
185.234.247.8
87.120.127.37

Domain

captchaguard.me
discord-giveaway.net
discordapp-login.com
discordgifts.net
discordnitro.gift
microads.top
request.open

Threat ID: 685ab3b48e5e669c7fb5acd7

Added to database: 6/24/2025, 2:18:28 PM

Last enriched: 6/24/2025, 2:18:53 PM

Last updated: 7/16/2025, 2:38:47 AM
