I’m sure most of us have done this: tried to use an old link to access a site or service. That old familiar link takes you where you need to go—but when it comes to Discord, that old link could land you in a world of malware.
That Old Discord Link Could Be Spreading Malware
It’s wild to think that an innocent-looking Discord link could direct you to dangerous malware.
But that’s exactly what the security researchers at Check Point discovered when they uncovered a huge malware campaign actively exploiting old Discord invites.
A Discord invite allows you to head straight to the server it was sent from and sign in. The invite codes sent to you contain a unique identifier that allows you to access the server, with different levels of access set by the sender (such as temporary, permanent, and so on).
Now, on Discord, there are special “Level 3” servers with boosted features that enable faster growth, such as more invites, higher capacity, and vanity links. While regular Discord invites are generated randomly (and thus unlikely to appear again), the hackers are exploiting these old and potentially expired vanity links and repurposing them to point towards malicious servers hosting malware.
So, when you click one of the repurposed malicious links, you land on a Discord server that appears the same and feels authentic, but prompts you to verify your identity. From here, the link launches an instance of the ClickFix malware, which displays a message stating that the CAPTCHA failed, directing you to manually verify.
The “manual verification process” requires you to run a Windows command that launches a PowerShell script, which, in turn, downloads and installs the malware. Interestingly, the Check Point research team found that the script used to download and install the malware went undetected by most antivirus and antimalware suites, making it all the more difficult to avoid an attack of this nature.

What Malware Does the Fake Discord Link Download?
Once the script is executed on your machine, it attempts to download and install considerably dangerous malware. For example, AsyncRAT is a powerful remote access Trojan that could give an attacker control over your machine, Skuld Stealer is an infostealer that targets user data and crypto wallets, and ChromeKatz attempts to steal browser cookies and other information.
Once installed, this combination of malware gives an attacker extensive access to the device and lets them steal very sensitive data, and more.

How to Avoid Discord Link Malware
First, avoid all old Discord invite links. Any link sent to you that’s been lingering in your inbox for a while that you haven’t used should be discarded—consider it potentially dangerous.
Second, extend those suspicions to any Discord invite links hosted on websites, forums like Reddit, and elsewhere. Any link embedded in a site like that could be dangerous, so avoid it.
Third, if you do click on a Discord invite link and it asks you to reverify your identity, that’s another red flag and a good reason to close that page immediately. Any Discord server, or any other site, that asks you to run a specific command from the Run dialog in Windows is also extremely bad news and should be avoided at all costs.
Finally, make sure your antivirus or antimalware suite is up to date. I know that I wrote that the Discord malware script was detected by very few antivirus tools, but having an up-to-date tool should help protect you against any malware installed, though no antivirus suite is perfect!
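If you suspect someone on a machine followed the "manual verification" prompt, note that Windows records commands typed into the Run dialog under the current user's RunMRU registry key. The PowerShell check below is an added example, not code from this article or from Check Point's research; the interpreter and keyword lists are illustrative assumptions, not published indicators.

```powershell
# Added example: list Run dialog (Win+R) history entries for the current user
# that start a script interpreter. The heuristic lists below are assumptions.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
$interpreters  = 'powershell', 'pwsh', 'cmd', 'mshta', 'wscript', 'cscript'
$downloadHints = 'http://', 'https://', 'Invoke-WebRequest', 'DownloadString',
                 'DownloadFile', '-EncodedCommand', 'FromBase64String'

function Get-RunCommandFindings {
    param([string]$Command)
    $findings = @()
    foreach ($name in $interpreters) {
        # Match the interpreter as a whole word, with or without ".exe".
        $pattern = '(?i)\b' + [regex]::Escape($name) + '(\.exe)?\b'
        if ($Command -match $pattern) { $findings += "interpreter:$name" }
    }
    foreach ($hint in $downloadHints) {
        # Case-insensitive substring check for download or encoding keywords.
        if ($Command.IndexOf($hint, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $findings += "hint:$hint"
        }
    }
    return $findings
}

if (Test-Path $key) {
    $props = Get-ItemProperty -Path $key
    $mru   = [string]$props.MRUList            # letters, most recent entry first
    $props.PSObject.Properties |
        Where-Object { $_.Name -cmatch '^[a-z]$' } |   # history values are named a, b, c...
        ForEach-Object {
            # Stored values end with "\1"; strip it to recover what was typed.
            $cmd      = ([string]$_.Value) -replace '\\1$', ''
            $findings = @(Get-RunCommandFindings -Command $cmd)
            # Report only entries that launch an interpreter; hints add context.
            if ($findings -like 'interpreter:*') {
                [pscustomobject]@{
                    Recency  = $mru.IndexOf($_.Name)   # 0 = most recent
                    Command  = $cmd
                    Findings = $findings -join ', '
                }
            }
        } | Sort-Object Recency | Format-List
} else {
    Write-Output 'No Run dialog history found for this user.'
}
```

An entry that pairs an interpreter with a download or encoding hint deserves a closer look. An empty result does not prove the machine is clean, because this history can be cleared.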