# How Malware Uses Discord to Take Control and Steal Cryptocurrency Wallets

## **Campaign Overview**

Recently, cybersecurity experts discovered a dangerous attack campaign called "**Invite link hijacking**" on the **Discord** platform to spread malware. The ultimate goal is to **steal sensitive information**, especially users' **cryptocurrency wallets**. Hackers exploit expired or deleted invite codes to redirect users to malicious servers containing spyware and remote access trojans.

This campaign uses two main types of malware:

* **AsyncRAT**: A powerful open-source remote access trojan (RAT).
    
* **Skuld Stealer**: A specialized information-stealing software targeting browsers, cryptocurrency wallets, and login credentials.
    

According to analysis by security experts at Check Point, the ongoing attack campaign has affected at least 1,300 users worldwide, with the most reports coming from the **United States, United Kingdom, France, the Netherlands, and Germany.**

## **AsyncRAT và Skuld Stealer – Hai công cụ nguy hiểm**

**AsyncRAT:**

* Allows attackers to:
    
    * Monitor users remotely.
        
    * Record keystrokes (keylogger).
        
    * Access webcam and microphone.
        
    * Upload or download files.
        
* Open-source, easy to customize.
    

**Skuld Stealer**:

* Main goal: steal sensitive information.
    
* Capabilities:
    
    * Extract cryptocurrency wallets from browsers (Chrome, Edge, Brave…).
        
    * Retrieve login data, cookies, Discord tokens.
        
    * Extract files from wallet directories (MetaMask, Exodus, Atomic…).
        
    * Send stolen information to the C2 server via webhook or TCP.
        

## **What is a Discord Invite Link?**

"Discord Invite Link" is a special link created to invite others to join a Discord server. It looks like: “[***https://discord.gg/abc123”***](https://discord.gg/abc123%E2%80%9D)

When a user clicks on this link, they will:

* **Join a Discord server** (if they haven't joined yet).
    
* **Gain immediate access** to the community if no verification is required.
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1750217510769/eb032c9d-5b1b-48a3-a8e5-7163e19f7f96.png align="center")

For this reason, if the link expires or is no longer used, **attackers can take over the invite code** to redirect users to a malicious server, where they can execute and escalate privileges to steal the sensitive information they desire.

## **How Attackers Operate**

![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBrgsGw3Bggn5NC_8EPxdngS0eIE900UxLvl5TeQq6tkXYFzztuHvEzFAXMxX5mYgO9pFc5_jGM7iPubCFtXcec80HNhRPGFFgInn70tbvxv0l-QJZ97CTw6Lc-gWtbbivCV_jNhz72BekrSIOEuxgpUQd7_9i5Qco8tV_q4tiACpEQdo6zLX9vxdamqQ/s16000/Infection%20chain%20-%20From%20hijacked%20Discord%20invite%20to%20execution%20of%20PowerShell%20downloader%20(Source%20-%20Check%20Point).webp align="left")

1. **Initial Intrusion**
    

* Initially, hackers will send expired and altered Discord invite links through legitimate groups to trick users. When users click on the shared link, they are unknowingly redirected to a malicious Discord server.
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1750220484527/0dba0746-fa3e-431c-a651-c406e180d7bc.png align="center")

* When users click the "**verify**" button, they immediately authorize the BOT and are redirected to a malicious website ***“***[***https://captchaguard\[.\]me“***](https://captchaguard%5B.%5Dme%E2%80%9C)***.*** Here, the BOT gains access to user profile details, such as username, avatar, and Discord banner.
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1750222513606/43fd06e5-4eb0-4516-8c3c-10e2af17a995.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1750222526120/0c2bb1ee-e5b0-4cf9-bd83-d29dadb93d54.png align="center")

* After authorizing the BOT, Discord will start the OAuth2 authentication flow and create a URL: [`https://captchaguard.me/oauth-pass?code=zyA11weHhTZxaY3Fs3EWBg6qfO7t6j`](https://captchaguard.me/oauth-pass?code=zyA11weHhTZxaY3Fs3EWBg6qfO7t6j). Then the server continues to redirect the user to another URL with the format: [`https://captchaguard[.]me/?key=aWQ9dXNlcm5hbWUyMzQ0JnRva2VuPTExMjIzMzQ0MDEyMz…`](https://captchaguard%5B.%5Dme/?key=aWQ9dXNlcm5hbWUyMzQ0JnRva2VuPTExMjIzMzQ0MDEyMz%E2%80%A6). These are all phishing sites mimicking Discord/UI CAPTCHA.
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1750304268711/3d488e8e-3a1d-40cd-a657-751b5d6be37b.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1750304433394/4c893fb4-984f-4800-9a6e-51f7918e9503.png align="center")

* As soon as the user clicks the **"Verify"** button, a PowerShell script will silently run on the user's machine to **download and execute remote malware.**
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1750316273715/bb0eb97f-13a1-479b-9756-6d0cd5b84b95.png align="center")

* Here, hackers will also use a technique called **“ClickFix”** to trick users into thinking their application is broken and needs to be fixed by following the steps in the message. Hackers will ask users to open Windows Run (Win + R) and paste the hacker's code. This will cause the user's machine to download a PowerShell script from the address [`https://pastebin[.]com/raw/zW0L2z2M`](https://pastebin%5B.%5Dcom/raw/zW0L2z2M).
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1750317635622/41d98930-5966-4648-ae1e-f022d11f8eea.png align="center")

* A piece of **malicious PowerShell script** is clearly designed to hide the PowerShell window, download an executable (EXE) file from GitHub, and run it silently on the victim's system. Additionally, hackers can deploy payloads (RAT, stealer...).
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1750320219764/826c1ea3-6494-4fa4-b7d9-7af448a3a7a5.png align="center")

* In the attack campaign, experts also discovered some links containing addresses for malware installation files.
    
    * [`https://github[.]com/frfs1/update/raw/refs/heads/main/installer.exe`](https://github[.]com/frfs1/update/raw/refs/heads/main/installer.exe)
        
    * [`https://github[.]com/shisuh/update/raw/refs/heads/main/installer.exe`](https://github[.]com/shisuh/update/raw/refs/heads/main/installer.exe)
        
    * [`https://github[.]com/gkwdw/wffaw/raw/refs/heads/main/installer.exe`](https://github[.]com/gkwdw/wffaw/raw/refs/heads/main/installer.exe)
        
    * [`https://codeberg[.]org/wfawwf/dwadwaa/raw/branch/main/installer.exe`](https://codeberg[.]org/wfawwf/dwadwaa/raw/branch/main/installer.exe)
        
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1750323397529/82521aaa-fb56-472a-ae0a-dfbf1cb77883.png align="center")
    
* In addition to `Installer.exe` downloading the payload from Bitbucket, there will be 2 malicious VBScript files created and executed by the attacker with the main purposes of **evading security**, **establishing persistence**, and **creating and executing configuration files**.
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1750402704894/5b2dae25-6da6-4f05-83f6-f6289c8cfa35.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1750402713763/5c7611ff-a1ae-4118-ad88-71397e71e0df.png align="center")

* When these malicious files are launched, the accompanying payloads are immediately downloaded from **Bitbucket:**
    
    * [`https://bitbucket.org/syscontrol6/syscontrol/downloads/skul.exe`](https://bitbucket.org/syscontrol6/syscontrol/downloads/skul.exe)
        
    * [`https://bitbucket.org/syscontrol6/syscontrol/downloads/Rnr.exe`](https://bitbucket.org/syscontrol6/syscontrol/downloads/Rnr.exe)
        

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1750403743597/fd6cab32-65ec-449d-baca-8f574a070dc0.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1750404108961/73e2693c-eef5-4b90-985e-72ad495d82e2.png align="center")

* The next step for the hacker is to download a malicious file `Rnr.exe`, similar to the `installer.exe` file, to download additional malicious payloads. This payload will perform the following tasks:
    
    * Decode XOR binary data.
        
    * Write the payload to AppData.
        
    * Download malware from Bitbucket.
        
    * Manipulate vtable (possibly obfuscation or anti-debugging).
        
    * Run the payload silently through a task or script.
        

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1750404733401/18e83335-6066-481c-96f1-63cdf62920be.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1750404916336/646f2a35-6c13-4f1e-b52d-d2434151b51b.png align="center")

2. **Deploying Payload**
    

* During the campaign, experts found two payloads related to **Skuld Stealer and AsyncRAT** deployed by the attacker on the victim's machine. First, the payload: **AClient.exe (AsyncRAT) will be launched, allowing the attackers to:**
    
    * Execute arbitrary commands and scripts.
        
    * Perform keylogging and take screenshots.
        
    * Manage files (upload, download, delete files).
        
    * Access remote desktop and camera.
        

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1750405746255/ca5cb36f-e344-4efc-a84a-8cdd341f7777.png align="center")

All the data collected will be sent by the hacker to a malicious C&C address: **101.99.76.120**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1750406083444/1b1fbd63-f297-41c9-8a12-cbdaf9a4ce18.png align="center")

* Next, the second payload is also executed: **skul.exe (Skuld Stealer). The special features of this payload include:**
    
    * Anti-debugging.
        
    * Detecting virtual machines and evading Sandbox systems.
        
    * Stealing information from Chrome-based browsers such as logins, cookies, credit cards, and browsing history.
        
    * Crypto clipper (replacing clipboard content with cryptocurrency addresses controlled by the attacker).
        
    * Stealing Discord authentication tokens.
        
    * Blocking sensitive user activities like logging in, changing passwords, adding payment information, preventing device view requests, and blocking QR logins.
        
    * Collecting sessions from popular gaming platforms (Epic Games, Minecraft, Riot Games, Uplay).
        
    * Gathering system information (CPU, GPU, RAM, IP, geolocation, Wi-Fi network).
        
    * Stealing cryptocurrency wallet data, including seed phrases and passwords.
        
* The most dangerous aspect of **skul.exe** is that it targets the victim's cryptocurrency wallet. It will download malicious `.asar` files from the following sources:
    
    * [`https://github.com/hackirby/wallets-injection/raw/main/atomic.asar`](https://github.com/hackirby/wallets-injection/raw/main/atomic.asar)
        
    * [`https://github.com/hackirby/wallets-injection/raw/main/exodus.asar`](https://github.com/hackirby/wallets-injection/raw/main/exodus.asar)
        
* After these files are downloaded, they create fake wallet licenses and encrypt them. Of course, to decrypt them, the hacker has also prepared a sophisticated **Exodus wallet stealer** script, hiding a webhook in a legitimate file to extract mnemonics/passwords, then sending them to the attacker via Discord. It exploits the wallet's open-source code to access sensitive data as soon as the user unlocks the wallet.
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1750407727805/a7a241c4-3a5b-497a-92ed-fcb60271acef.png align="center")

## **Conclusion**

This campaign is a typical example of exploiting **community trust** (Discord) to deploy a **phishing + multi-stage malware** strategy targeting **cryptocurrency**. The attacker used various sophisticated techniques such as hijacking invite links, fake servers, ClickFix, and downloading and deploying malicious PowerShell.

These actions are truly dangerous if not detected in time. Good defense and integrating monitoring systems to protect both personal and organizational systems are necessary in the face of increasing cyber threats.

## **Recommendations**

1. **Block malicious Discord domains and links**
    

* **Monitor and filter DNS** to detect abused Discord domains such as:
    
    * [`discord.com/invite/<code>`](http://discord.com/invite/%3Ccode%3E)
        
    * [`cdn.discordapp.com/`](http://cdn.discordapp.com/)`...`
        
* Configure proxy/firewall to **block access to unauthorized Discord links** in the enterprise environment.
    

2. **Do not trust Discord invites from unknown sources**
    

* Warn users not to click on **Discord invites** coming from:
    
    * Strange emails, spam.
        
    * Pop-up ads, YouTube channels, download blogs.
        
* Enhance **user awareness** about **malware potentially hiding behind seemingly legitimate Discord links.**
    

3. **Limit script execution rights**
    

* Configure systems to:
    
    * Disallow users from executing `.vbs`, `.ps1`, `.js` from directories like `Downloads`, `AppData`.
        
    * Use **AppLocker or Windows Defender Application Control (WDAC)** to control scripts.
        

4. **Regularly update systems and applications**
    

* Many malware exploit **vulnerabilities in outdated software** to execute malicious code or escalate privileges.
    
* Maintain a regular update policy for operating systems and browsers.
    

## **IOC**

1. Hashes
    
    * 673090abada8ca47419a5dbc37c5443fe990973613981ce622f30e83683dc932
        
    * 160eda7ad14610d93f28b7dee20501028c1a9d4f5dc0437794ccfc2604807693
        
    * 5d0509f68a9b7c415a726be75a078180e3f02e59866f193b0a99eee8e39c874f
        
    * 375fa2e3e936d05131ee71c5a72d1b703e58ec00ae103bbea552c031d3bfbdbe
        
    * 53b65b7c38e3d3fca465c547a8c1acc53c8723877c6884f8c3495ff8ccc94fbe
        
    * d54fa589708546eca500fbeea44363443b86f2617c15c8f7603ff4fb05d494c1
        
    * 670be5b8c7fcd6e2920a4929fcaa380b1b0750bfa27336991a483c0c0221236a
        
    * 8135f126764592be3df17200f49140bfb546ec1b2c34a153aa509465406cb46c
        
    * f08676eeb489087bc0e47bd08a3f7c4b57ef5941698bc09d30857c650763859c
        
    * db1aa52842247fc3e726b339f7f4911491836b0931c322d1d2ab218ac5a4fb08
        
    * ef8c2f3c36fff5fccad806af47ded1fd53ad3e7ae22673e28e541460ff0db49c
        
2. **Url & Domain**
    
    * **Phishing Website:**
        
        * captchaguard\[.\]me
            
        * [https://captchaguard\[.\]me/?key=](https://captchaguard[.]me/?key=)
            
        
        **PowerShell Script:**
        
        * [https://pastebin\[.\]com/raw/zW0L2z2M](https://pastebin[.]com/raw/zW0L2z2M)
            
        
        **Bitbucket repositories:**
        
        * [https://bitbucket\[.\]org/updatevak/upd/downloads](https://bitbucket[.]org/updatevak/upd/downloads)
            
        * [https://bitbucket\[.\]org/syscontrol6/syscontrol/downloads](https://bitbucket[.]org/syscontrol6/syscontrol/downloads)
            
        * [https://bitbucket\[.\]org/updateservicesvar/serv/downloads](https://bitbucket[.]org/updateservicesvar/serv/downloads)
            
        * [https://bitbucket\[.\]org/registryclean1/fefsed/downloads](https://bitbucket[.]org/registryclean1/fefsed/downloads)
            
        * [https://bitbucket\[.\]org/htfhtthft/simshelper/downloads](https://bitbucket[.]org/htfhtthft/simshelper/downloads)
            
        
        **First stage downloader:**
        
        * [https://github\[.\]com/frfs1/update/raw/refs/heads/main/installer.exe](https://github[.]com/frfs1/update/raw/refs/heads/main/installer.exe)
            
        * [https://github\[.\]com/shisuh/update/raw/refs/heads/main/installer.exe](https://github[.]com/shisuh/update/raw/refs/heads/main/installer.exe)
            
        * [https://github\[.\]com/gkwdw/wffaw/raw/refs/heads/main/installer.exe](https://github[.]com/gkwdw/wffaw/raw/refs/heads/main/installer.exe)
            
        
        **Second stage downloader:**
        
        * [https://bitbucket\[.\]org/updatevak/upd/downloads/Rnr.exe](https://bitbucket[.]org/updatevak/upd/downloads/Rnr.exe)
            
        * [https://bitbucket\[.\]org/syscontrol6/syscontrol/downloads/Rnr.exe](https://bitbucket[.]org/syscontrol6/syscontrol/downloads/Rnr.exe)
            
        
        **Skuld stealer:**
        
        * [https://bitbucket\[.\]org/updatevak/upd/downloads/skul.exe](https://bitbucket[.]org/updatevak/upd/downloads/skul.exe)
            
        * [https://bitbucket\[.\]org/syscontrol6/syscontrol/downloads/skul.exe](https://bitbucket[.]org/syscontrol6/syscontrol/downloads/skul.exe)
            
        
        **AsyncRAT:**
        
        * [https://bitbucket\[.\]org/updatevak/upd/downloads/AClient.exe](https://bitbucket[.]org/updatevak/upd/downloads/AClient.exe)
            
        * [https://bitbucket\[.\]org/syscontrol6/syscontrol/downloads/AClient.exe](https://bitbucket[.]org/syscontrol6/syscontrol/downloads/AClient.exe)
            
        
        **AsyncRat Dead Drop Resolver:**
        
        * [https://pastebin\[.\]com/raw/ftknPNF7](https://pastebin[.]com/raw/ftknPNF7)
            
        * [https://pastebin\[.\]com/raw/NYpQCL7y](https://pastebin[.]com/raw/NYpQCL7y)
            
        * [https://pastebin\[.\]com/raw/QdseGsQL](https://pastebin[.]com/raw/QdseGsQL)
            
3. **C2**
    
    * 101.99.76.120
        
    * 87.120.127.37
        
    * 185.234.247.8
        
    * microads\[.\]top
        
4. **Skuld Discord Webhooks**
    
    * [https://discord\[.\]com/api/webhooks/1355186248578502736/\_RDywh\_K6GQKXiM5T05ueXSSjYopg9nY6XFJo1o5Jnz6v9sih59A8p-6HkndI\_nOTicO](https://discord[.]com/api/webhooks/1355186248578502736/_RDywh_K6GQKXiM5T05ueXSSjYopg9nY6XFJo1o5Jnz6v9sih59A8p-6HkndI_nOTicO)
        
    * [https://discord\[.\]com/api/webhooks/1348629600560742462/RJgSAE7cYY-1eKMkl5EI-qZMuHaujnRBMVU\_8zcIaMKyQi4mCVjc9R0zhDQ7wmPoD7Xp](https://discord[.]com/api/webhooks/1348629600560742462/RJgSAE7cYY-1eKMkl5EI-qZMuHaujnRBMVU_8zcIaMKyQi4mCVjc9R0zhDQ7wmPoD7Xp)
        

## **Reference**

1. [The Discord Invite Loop Hole Hijacked for Attacks - Check Point Research](https://research.checkpoint.com/2025/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery/)
    
2. [Discord Invite Link Hijacking Delivers AsyncRAT and Skuld Stealer Targeting Crypto Wallets](https://thehackernews.com/2025/06/discord-invite-link-hijacking-delivers.html)
