{"id":2052,"date":"2025-06-13T19:10:51","date_gmt":"2025-06-13T16:10:51","guid":{"rendered":"https:\/\/trustcrypt.com\/discord-vulnerability-enables-malicious-actors-to-reutilize-expired-invitations-in-cybersecurity-threat-campaigns\/"},"modified":"2025-06-13T19:10:51","modified_gmt":"2025-06-13T16:10:51","slug":"discord-vulnerability-enables-malicious-actors-to-reutilize-expired-invitations-in-cybersecurity-threat-campaigns","status":"publish","type":"post","link":"https:\/\/trustcrypt.com\/ar\/discord-vulnerability-enables-malicious-actors-to-reutilize-expired-invitations-in-cybersecurity-threat-campaigns\/","title":{"rendered":"Discord Vulnerability Enables Malicious Actors to Reutilize Expired Invitations in Cybersecurity Threat Campaigns"},"content":{"rendered":"<p style=\"text-align:center\"><img loading=\"lazy\" decoding=\"async\" alt=\"Discord flaw lets hackers reuse expired invites in malware campaign\" height=\"900\" src=\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/06\/discord-vulnerability-enables-malicious-actors-to-reutilize-expired-invitations-in-cybersecurity-threat-campaigns.jpg\" width=\"1600\"><\/p>\n<p>Recently discovered vulnerabilities in Discord&#8217;s invitation system are being exploited by cybercriminals to redirect users from expired or deleted invite links to malicious sites, where they download remote access trojans and information-stealing malware.<\/p>\n<p>This malware delivery campaign capitalizes on a flaw within Discord&#8217;s infrastructure that facilitates multi-stage infection processes, successfully evading detection from several antivirus solutions.<\/p>\n<h2>Exploiting Expired Discord Invites<\/h2>\n<p>Discord invites enable users to join specific servers through URLs containing unique invite codes. These codes may be temporary, permanent, or customized for servers that have achieved &#8216;Level 3&#8217; status by paying for exclusive perks. 
In regular servers, random invite links are generated, making repetitions highly unlikely.<\/p>\n<p>Attackers have identified a critical loophole: when a Level 3 server loses its boost status, its unique invite code can be reused by different servers. This also applies to expired temporary or deleted permanent invites, as outlined by researchers at Check Point.<\/p>\n<p>According to their findings, &#8220;the mechanism for creating custom invite links surprisingly lets you reuse expired temporary invite codes, and, in some cases, deleted permanent invite codes.&#8221;<\/p>\n<p>Moreover, the flawed system does not update the expiration of previously generated temporary invitation codes when they are reused as permanent links. This inconsistency has facilitated the attackers&#8217; activities.<\/p>\n<div style=\"text-align:center\">\n<figure class=\"image\" style=\"display:inline-block\"><img loading=\"lazy\" decoding=\"async\" alt=\"Example invite hijacking\" height=\"575\" src=\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/06\/discord-vulnerability-enables-malicious-actors-to-reutilize-expired-invitations-in-cybersecurity-threat-campaigns-1.jpg\" width=\"704\"><figcaption><strong>Hijacking a temporary invite code (top) and reusing it in a vanity link (bottom)<\/strong><\/figcaption><\/figure>\n<\/div>\n<p>Lowercase character invite codes remain locked to their original server for the duration of their validity, but uppercase codes can be duplicated in vanity links when converted to lowercase, regardless of the original&#8217;s status.<\/p>\n<h3>Redirection to Malicious Domains<\/h3>\n<p>Cybercriminals are actively monitoring expired and deleted Discord invites, leveraging these links in a campaign that has already compromised approximately 1,300 users across the US, UK, France, the Netherlands, and Germany, as reported by Check Point.<\/p>\n<p>These attackers are repurposing legitimate Discord invite links from established communities, disseminating them 
via social media platforms and community websites. To add to the illusion of legitimacy, these malicious servers are designed to appear credible.<\/p>\n<p>The compromised Discord servers restrict users to a single channel, #verify, where a bot initiates a verification process.<\/p>\n<div style=\"text-align:center\">\n<figure class=\"image\" style=\"display:inline-block\"><img loading=\"lazy\" decoding=\"async\" alt=\"Attacker's Discord channel\" height=\"600\" src=\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/06\/discord-vulnerability-enables-malicious-actors-to-reutilize-expired-invitations-in-cybersecurity-threat-campaigns-2.jpg\" width=\"939\"><figcaption><strong>Attacker&#8217;s Discord channel<\/strong><\/figcaption><\/figure>\n<\/div>\n<p>The verification attempts redirect users to a fraudulent website mimicking the Discord interface, falsely claiming a CAPTCHA issue. Users are manipulated into executing a PowerShell command that they are led to copy from the page.<\/p>\n<div style=\"text-align:center\">\n<figure class=\"image\" style=\"display:inline-block\"><img loading=\"lazy\" decoding=\"async\" alt=\"The ClickFix page\" height=\"600\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" width=\"594\" data-src=\"https:\/\/www.bleepstatic.com\/images\/news\/u\/1220909\/2025\/June\/clickfix.jpg\" class=\"b-lazy\"><figcaption><strong>The ClickFix page<\/strong><\/figcaption><\/figure>\n<\/div>\n<p>This action triggers a multi-stage infection involving various methodologies, including PowerShell downloaders, obfuscated C++ loaders, and VBScript files.<\/p>\n<p>Subsequently, malicious payloads download from the legitimate Bitbucket platform and may include:<\/p>\n<ul>\n<li><strong>AsyncRAT<\/strong>: Provided as &#8216;AClient.exe,&#8217; this malware enables extensive operations such as file retrieval, keylogging, and unauthorized access to microphones and webcams.<\/li>\n<li><strong>Skuld Stealer<\/strong>: Distributed 
under &#8216;skul.exe,&#8217; this info-stealer targets browser credentials, cookies, Discord tokens, and cryptocurrency wallet details, utilizing JavaScript to extract sensitive information via Discord webhooks.<\/li>\n<li><strong>ChromeKatz<\/strong>: A customized variant of an open-source utility, delivered as &#8216;cks.exe,&#8217; designed to exfiltrate cookies and passwords.<\/li>\n<\/ul>\n<p>A scheduled task is established on the infected system to ensure the malware loader restarts at five-minute intervals, as discovered by researchers.<\/p>\n<div style=\"text-align:center\">\n<figure class=\"image\" style=\"display:inline-block\"><img loading=\"lazy\" decoding=\"async\" alt=\"Infection chain from ClickFix to malware\" height=\"568\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" width=\"1004\" data-src=\"https:\/\/www.bleepstatic.com\/images\/news\/u\/1220909\/2025\/June\/ps-malware.jpg\" class=\"b-lazy\"><figcaption><strong>Infection chain from ClickFix to malware<\/strong><\/figcaption><\/figure>\n<\/div>\n<p>To mitigate these risks, it is imperative for Discord users to exercise caution with old invite links, particularly those originating from outdated posts. 
Additionally, users should critically assess &#8220;verification&#8221; requests and refrain from executing PowerShell commands without thorough understanding.<\/p>\n<p>Server administrators are strongly advised to utilize permanent invites, as they are substantially more secure against hijacking attempts.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently discovered vulnerabilities in Discord&#8217;s invitation system are being exploited by cybercriminals to redirect users from expired or deleted invite&#8230;<\/p>\n","protected":false},"author":1,"featured_media":2053,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"Default","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[28],"tags":[635,54,543],"class_list":["post-2052","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-invitation","tag-malware","tag-redirection"],"acf":[],"yoast_head_json":{"title":"Discord Vulnerability Enables Malicious Actors to Reutilize Expired Invitations in Cybersecurity Threat Campaigns - Trustcrypt","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/trustcrypt.com\/ar\/discord-vulnerability-enables-malicious-actors-to-reutilize-expired-invitations-in-cybersecurity-threat-campaigns\/","og_locale":"ar_AR","og_type":"article","og_title":"[:en]Discord Vulnerability Enables Malicious Actors to Reutilize Expired Invitations in Cybersecurity Threat Campaigns[:] - Trustcrypt","og_description":"Recently discovered vulnerabilities in Discord&#8217;s invitation system are being exploited by cybercriminals to redirect users from expired or deleted invite...","og_url":"https:\/\/trustcrypt.com\/ar\/discord-vulnerability-enables-malicious-actors-to-reutilize-expired-invitations-in-cybersecurity-threat-campaigns\/","og_site_name":"Trustcrypt","article_published_time":"2025-06-13T16:10:51+00:00","og_image":[{"url":"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/06\/discord-vulnerability-enables-malicious-actors-to-reutilize-expired-invitations-in-cybersecurity-threat-campaigns.jpg","type":"","width":"","height":""}],"author":"Trustscrypt","twitter_card":"summary_large_image","twitter_misc":{"\u0643\u064f\u062a\u0628 \u0628\u0648\u0627\u0633\u0637\u0629":"Trustscrypt","\u0648\u0642\u062a \u0627\u0644\u0642\u0631\u0627\u0621\u0629 \u0627\u0644\u0645\u064f\u0642\u062f\u0651\u0631":"3 
\u062f\u0642\u0627\u0626\u0642"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/trustcrypt.com\/discord-vulnerability-enables-malicious-actors-to-reutilize-expired-invitations-in-cybersecurity-threat-campaigns\/","url":"https:\/\/trustcrypt.com\/discord-vulnerability-enables-malicious-actors-to-reutilize-expired-invitations-in-cybersecurity-threat-campaigns\/","name":"Discord Vulnerability Enables Malicious Actors to Reutilize Expired Invitations in Cybersecurity Threat Campaigns","isPartOf":{"@id":"https:\/\/trustcrypt.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/trustcrypt.com\/discord-vulnerability-enables-malicious-actors-to-reutilize-expired-invitations-in-cybersecurity-threat-campaigns\/#primaryimage"},"image":{"@id":"https:\/\/trustcrypt.com\/discord-vulnerability-enables-malicious-actors-to-reutilize-expired-invitations-in-cybersecurity-threat-campaigns\/#primaryimage"},"thumbnailUrl":"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/06\/discord-vulnerability-enables-malicious-actors-to-reutilize-expired-invitations-in-cybersecurity-threat-campaigns.webp","datePublished":"2025-06-13T16:10:51+00:00","author":{"@id":"https:\/\/trustcrypt.com\/#\/schema\/person\/469b1cf97b9f7ea4e4d7fa31689dfa9f"},"inLanguage":"ar","potentialAction":[{"@type":"ReadAction","target":["https:\/\/trustcrypt.com\/discord-vulnerability-enables-malicious-actors-to-reutilize-expired-invitations-in-cybersecurity-threat-campaigns\/"]}]},{"@type":"ImageObject","inLanguage":"ar","@id":"https:\/\/trustcrypt.com\/discord-vulnerability-enables-malicious-actors-to-reutilize-expired-invitations-in-cybersecurity-threat-campaigns\/#primaryimage","url":"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/06\/discord-vulnerability-enables-malicious-actors-to-reutilize-expired-invitations-in-cybersecurity-threat-campaigns.webp","contentUrl":"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/06\/discord-vulnerability-enables-malicious-actors
-to-reutilize-expired-invitations-in-cybersecurity-threat-campaigns.webp","width":1792,"height":1024,"caption":"Discord Vulnerability Enables Malicious Actors to Reutilize Expired Invitations in Cybersecurity Threat Campaigns"},{"@type":"WebSite","@id":"https:\/\/trustcrypt.com\/#website","url":"https:\/\/trustcrypt.com\/","name":"Trustcrypt","description":"\u0627\u0644\u0623\u0645\u0646 \u0647\u0648 \u0627\u0633\u0645\u0646\u0627 \u0627\u0644\u062b\u0627\u0646\u064a","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/trustcrypt.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"ar"},{"@type":"Person","@id":"https:\/\/trustcrypt.com\/#\/schema\/person\/469b1cf97b9f7ea4e4d7fa31689dfa9f","name":"Trustscrypt","image":{"@type":"ImageObject","inLanguage":"ar","@id":"https:\/\/trustcrypt.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4c36ff3376565a0f4981e9397667feb08d5e09acacce32a52ea4a3f628e03692?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4c36ff3376565a0f4981e9397667feb08d5e09acacce32a52ea4a3f628e03692?s=96&d=mm&r=g","caption":"Trustscrypt"},"sameAs":["http:\/\/trustcrypt.com"],"url":"https:\/\/trustcrypt.com\/ar\/author\/trustscrypt\/"}]}},"_links":{"self":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/posts\/2052","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/comments?post=2052"}],"version-history":[{"count":0,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/posts\/2052\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href
":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/media\/2053"}],"wp:attachment":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/media?parent=2052"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/categories?post=2052"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/tags?post=2052"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}