Stay Secure: Beware of Malicious Discord Invite Links
If you’ve been sent a Discord invite link but have yet to join the server, it’s advisable to refrain from clicking it weeks or months later. According to Bleeping Computer, cybercriminals are taking advantage of expired or deleted Discord invite links to spread malware, including information stealers and keyloggers.
Understanding the Malware Campaign
The malicious campaign, as reported by Check Point Research, exploits a vulnerability in how Discord manages its invite links, which can be designated as temporary, permanent, or specially customized for paid servers with Level 3 Boost status.
Standard Discord server URLs are randomly created and rarely duplicated. However, vanity links—as well as expired temporary invites and removed permanent links—can be reclaimed and reused. Additionally, Discord permits an invite code that contains uppercase letters to be recycled as a vanity link in lowercase, as long as the original remains active.
This loophole enables hackers to redirect users to harmful servers via links that originate from seemingly reputable Discord communities. Such links are often disseminated through various social media platforms and official community websites.
Upon clicking an illegitimate link, the user is directed to a Discord server that appears genuine and prompts them to confirm their identity for access. This verification leads to a ClickFix webpage that falsely claims a (nonexistent) CAPTCHA has failed to load, instructing the user to verify by executing a manual Windows command. Running that command launches a PowerShell script that then downloads and installs the malware.
The payload can contain various harmful programs—such as AsyncRAT, Skuld Stealer, and ChromeKatz—that facilitate keylogging, unauthorized access to webcams or microphones, as well as stealing valuable information like browser credentials, cookies, passwords, Discord tokens, and cryptocurrency wallet details.
Check Point's analysis shows that the malware is designed with multiple features to evade antivirus detection. Although Discord has made efforts to counteract this particular attack, the potential for similar threats through alternate methods persists.
Protecting Against Malicious Discord Links
Begin by exercising caution with older Discord invite links, particularly those that appear on social media or forums after several weeks. (Temporary Discord invite URLs can expire in as little as 30 minutes or last up to a week.) Avoid clicking links from unfamiliar users, and ask for a new invitation rather than relying on an outdated one.
Be skeptical of verification prompts, particularly those encouraging you to manually execute commands on your device. ClickFix attacks that utilize fake CAPTCHA requests are prevalent, and any validation process that requires running a command should raise immediate red flags.
For those managing Discord servers, it’s advisable to use permanent invite links since they are less susceptible to theft and repurposing compared to temporary or customized links.
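For server managers, an added example (not from the article, Check Point, or Discord) that scans published text for invite links and flags the ones this article describes as reclaimable. The inventory format, function names, and sample codes are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Assumed URL shapes: discord.gg/<code>, discord.com/invite/<code>, discordapp.com/invite/<code>
INVITE_RE = re.compile(r"(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9-]+)")

def extract_codes(text):
    """Invite codes found in text, first-seen order, case preserved."""
    codes = []
    for code in INVITE_RE.findall(text):
        if code not in codes:
            codes.append(code)
    return codes

def audit_published_invites(text, inventory, now):
    """Map each risky published code to its reasons. inventory (hypothetical
    format): code -> (kind, expires); kind is temporary, permanent or vanity."""
    findings = {}
    for code in extract_codes(text):
        reasons = []
        entry = inventory.get(code)
        if entry is None:
            reasons.append("unknown or deleted code: may have been reclaimed")
        else:
            kind, expires = entry
            if kind == "temporary" and expires <= now:
                reasons.append("expired temporary invite: reclaimable")
            elif kind == "temporary":
                reasons.append("temporary invite: becomes reclaimable on expiry")
            elif kind == "vanity":
                reasons.append("vanity link: can be reclaimed if released")
            if kind != "vanity" and code != code.lower():
                reasons.append("has uppercase: lowercase form usable as a vanity link")
        if reasons:
            findings[code] = reasons
    return findings

# Constructed sample data, not real invites.
NOW = datetime(2025, 6, 20, tzinfo=timezone.utc)
INVENTORY = {"Ab3dEfGh": ("permanent", None), "xk29qmzt": ("permanent", None),
             "tMp7QwRt": ("temporary", datetime(2025, 6, 1, tzinfo=timezone.utc)),
             "example-guild": ("vanity", None)}
PAGE = """Join us: https://discord.gg/Ab3dEfGh or https://discord.com/invite/xk29qmzt
Old event link: discord.gg/tMp7QwRt  Vanity: https://discord.gg/example-guild
Forum signature: https://discordapp.com/invite/oldCode1"""

if __name__ == "__main__":
    for code, reasons in audit_published_invites(PAGE, INVENTORY, NOW).items():
        print(code, "->", "; ".join(reasons))
```

Only the all-lowercase permanent code passes without a finding; every flagged link should be replaced wherever it is published.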