Hackers exploit Discord flaw to spread malware through expired invites

A Discord bug is allowing attackers to revive old invite links and redirect users to malicious servers delivering spyware and trojans.

What happened

Hackers are exploiting a flaw in Discord’s invitation system to hijack expired or deleted invite links and trick users into joining fake servers that deliver malware. The attackers recycle these links, often ones that once belonged to legitimate communities, and post them on social media or other platforms to lure victims.

The malware campaign, which has affected at least 1,300 users across the US, UK, France, the Netherlands, and Germany, delivers remote access trojans (RATs), password stealers, and cryptocurrency wallet sniffers.

Going deeper

Discord offers different types of invite links. Some expire after a short time, others are permanent, and some are custom links called "vanity links" which are only available to servers with Level 3 boosts. When any of these links are deleted or expire, such as when a server loses its boost, Discord sometimes allows the same invite code to be used by a different server.

Researchers at Check Point found that this creates a security risk. Even expired or deleted links, including vanity links, can be taken over. In some cases, attackers take advantage of how Discord handles capital letters in invite codes. For example, a code written in uppercase letters might still be reused in lowercase form, even though the original link looks active.

Discord does not properly clear out the old information linked to these codes. This makes it possible for attackers to redirect users who click on the link to a fake server. These fake servers usually have only one visible channel, called #verify. Users are told to complete a verification step that leads to a fake Discord CAPTCHA page. The CAPTCHA always fails and tells users to copy and paste a PowerShell script into their computer’s Run window. This script installs malware onto the system.

The final payloads delivered through this method include:

  • AsyncRAT: Remote control malware capable of keylogging, file theft, and webcam access
  • Skuld Stealer: A credential and wallet data stealer targeting Discord tokens, browsers, and crypto wallets
  • ChromeKatz: A custom tool that extracts cookies and saved passwords from Chrome

The malware persists by creating a scheduled task that re-executes the loader every five minutes.
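Added example, not code from the article or from Check Point's research: detection logic in Python, run over constructed process-creation events, for the two host-side behaviours described above, a PowerShell command launched from the Run window and a scheduled task that re-runs the loader every five minutes. Field names, paths, flags and the encoded-command value are assumptions made for this example.

```python
import re

# Constructed process-creation events in Sysmon Event ID 1 style. Not taken from the
# article or Check Point's report; field names, paths and flags are assumptions.
SAMPLE_EVENTS = [
    {   # user pasted the "CAPTCHA fix" into Win+R: explorer.exe spawns a hidden PowerShell
        # (the EncodedCommand value is a base64 placeholder, not a real script)
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell -WindowStyle Hidden -EncodedCommand UGxhY2Vob2xkZXI=",
    },
    {   # loader registers a task that re-runs it every five minutes
        "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "image": r"C:\Windows\System32\schtasks.exe",
        "cmdline": r'schtasks /create /sc minute /mo 5 /tn Updater /tr C:\Users\u\AppData\Roaming\loader.exe',
    },
    {   # benign: an IDE's integrated terminal starting PowerShell
        "parent": r"C:\Program Files\Microsoft VS Code\Code.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell -NoLogo",
    },
]

POWERSHELL_IMAGE = re.compile(r"\\(?:powershell|pwsh)\.exe$", re.IGNORECASE)
# hidden window or encoded command: rarely typed by a person, common in pasted one-liners
SUSPICIOUS_FLAGS = re.compile(r"-(?:w|windowstyle)\s+hidden|-(?:e|ec|enc|encodedcommand)\s", re.IGNORECASE)
# schtasks.exe form of a task repeating every 5 minutes (Register-ScheduledTask is another route)
FIVE_MINUTE_TASK = re.compile(r"/sc\s+minute\s+/mo\s+5\b", re.IGNORECASE)


def detect(events):
    """Return (rule_name, cmdline) pairs for events matching the campaign's host-side behaviour."""
    hits = []
    for ev in events:
        image, parent, cmdline = ev["image"], ev["parent"].lower(), ev["cmdline"]
        # Win+R launches are children of explorer.exe, which is where a ClickFix paste ends up
        if (POWERSHELL_IMAGE.search(image) and parent.endswith("\\explorer.exe")
                and SUSPICIOUS_FLAGS.search(cmdline)):
            hits.append(("clickfix_powershell_from_run_dialog", cmdline))
        if image.lower().endswith("\\schtasks.exe") and FIVE_MINUTE_TASK.search(cmdline):
            hits.append(("persistence_task_every_5_minutes", cmdline))
    return hits


if __name__ == "__main__":
    for rule, cmd in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```

During triage, a hit from the first rule can be corroborated against the Run window's own history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which records what was typed there.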

What was said

Check Point researchers state that Discord’s link system can be misunderstood by users and exploited by attackers. They pointed out that expired or deleted invites should not be reusable, and that Discord’s lowercase comparison of vanity URLs creates loopholes.

They recommend users avoid engaging with old invites and be cautious of verification prompts or commands involving PowerShell. Administrators are encouraged to use permanent, non-custom invite links to minimize hijacking risk.

The big picture

The incident points to the risks associated with overlooked platform functions that can be repurposed for malware distribution. With Discord seeing wider use across gaming and community spaces, attackers are beginning to focus on its infrastructure rather than just individual users. The campaign also draws attention to the security of custom features such as vanity links, particularly when expiration settings can be bypassed.

FAQs

Why are vanity invite links riskier than standard Discord invites?

Vanity links are custom-made and often reused or recycled if a server loses its boost status. This makes them more vulnerable to hijacking by malicious actors.

How can users verify if a Discord invite is safe?

Always check the source of the invite. Avoid links shared in outdated posts or unofficial platforms, and never trust an invite that asks you to run manual commands or download files.

What is a ClickFix attack?

ClickFix is a tactic that mimics legitimate verification or CAPTCHA pages to trick users into performing harmful actions, such as executing malicious code on their own systems.

Can Discord prevent this kind of attack?

Yes, by patching how invite codes are handled, standardizing case sensitivity, and ensuring expired or deleted invites are permanently invalidated and unreusable.

What should Discord server admins do to reduce risk?

Use permanent invite links, monitor for suspicious activity, disable vanity URLs if no longer needed, and regularly audit how server access is being granted.