RedTiger malware has compromised over 408,000 gamers by weaponizing Discord.
Security researchers have uncovered a dangerous new campaign in which cybercriminals are weaponizing **RedTiger**, an open-source red-teaming tool, into a sophisticated infostealer targeting gamers and Discord users. The malware represents a growing trend of attackers repurposing legitimate security tools for malicious operations, with evidence suggesting a particular focus on **French-speaking gaming communities**.
## Legitimate Tool Turned Threat
RedTiger, developed initially as a **Python-based penetration testing** suite in 2024, bundles various security assessment tools including network scanners, OSINT utilities, and phishing toolkits. Like the notorious Cobalt Strike framework before it, RedTiger has now been adopted by malicious actors for unauthorized attacks.
According to Netskope Threat Labs, whose October 2025 analysis serves as the basis for this report, the weaponized RedTiger infostealer is being distributed as **PyInstaller-compiled binaries** with filenames designed to appeal to gaming communities. Several samples include French warning messages, including one that reads "Attention, ton PC est infecté!" (Warning, your PC is infected!), indicating targeted campaigns against French-speaking users.
*Table: RedTiger Infostealer at a Glance*
| **Attribute** | **Description** |
| :--- | :--- |
| **Origin** | Open-source red-teaming tool (2024) |
| **Primary Targets** | Discord users, gamers, cryptocurrency holders |
| **Distribution** | PyInstaller binaries masquerading as game mods/cheats |
| **Key Capabilities** | Discord token theft, browser data harvesting, cryptocurrency wallet theft |
| **Data Exfiltration** | Two-stage process via GoFile cloud storage and Discord webhooks |
## Advanced Targeting & Data Harvesting
### Discord-Focused Attack Modules
The RedTiger [infostealer](https://github.com/loxy0dev/RedTiger-Tools) demonstrates particularly advanced capabilities against Discord, employing multiple techniques to compromise accounts comprehensively:
- **JavaScript Injection**: The malware injects custom JavaScript code into Discord's `index.js` file, allowing it to intercept API calls and capture events including login attempts, password changes, and payment transactions.
- **Token Compromise**: It scans Discord's local storage files (`.ldb` and `.log`) using regex patterns to extract authentication tokens, which are then validated through API calls to harvest profile information, email addresses, multi-factor authentication status, and subscription details.
- **Payment Data Theft**: By intercepting billing endpoints for services like Stripe and Braintree, the malware captures credit card information, PayPal details, and Discord Nitro purchase data.
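A defender-side integrity check for the loader file the malware modifies, added here as an example (it is not code from the Netskope report or from the RedTiger project). It assumes a clean `discord_desktop_core` `index.js` consists of a single `require('./core.asar')` line; both sample loaders below are constructed.

```python
"""Check a Discord desktop index.js for injected code.
Assumption: the clean loader is exactly `module.exports = require('./core.asar');`."""
import re

# Constructed samples for offline testing (not real malware code)
CLEAN_INDEX_JS = "module.exports = require('./core.asar');\n"
INJECTED_INDEX_JS = (
    "// constructed sample of a tampered loader\n"
    "const hookUrl = 'https://discord.com/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN';\n"
    "const billingPath = '/api/v9/users/@me/billing';\n"
    "module.exports = require('./core.asar');\n"
)

EXPECTED = re.compile(r"""^module\.exports\s*=\s*require\(['"]\./core\.asar['"]\);?$""")

# Strings an injected Discord hook needs: webhook egress, billing/login endpoints, raw HTTP
INDICATORS = {
    "webhook": re.compile(r"discord(?:app)?\.com/api/webhooks", re.I),
    "billing_endpoint": re.compile(r"users/@me/billing", re.I),
    "login_endpoint": re.compile(r"auth/login", re.I),
    "http_module": re.compile(r"""require\(['"]https?['"]\)"""),
}


def analyze_index_js(text: str) -> dict:
    """Return whether the loader is the expected one-liner and which indicators appear."""
    code_lines = [l.strip() for l in text.splitlines()
                  if l.strip() and not l.strip().startswith("//")]
    is_expected = len(code_lines) == 1 and EXPECTED.match(code_lines[0]) is not None
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"clean": is_expected and not hits,
            "extra_lines": max(0, len(code_lines) - 1),
            "indicators": hits}


def check_file(path: str) -> dict:
    """Run the check on a real index.js (path differs per Discord version)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return analyze_index_js(fh.read())


if __name__ == "__main__":
    print(analyze_index_js(CLEAN_INDEX_JS))
    print(analyze_index_js(INJECTED_INDEX_JS))
```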
### Comprehensive Data Harvesting
Beyond Discord, RedTiger casts a wide net for valuable data through multiple vectors:
- **Browser Data Theft**: The stealer targets popular browsers including Chrome, Firefox, Edge, and Opera GX to extract saved passwords, cookies, browsing history, and payment card information.
- **Gaming & Financial Assets**: It actively hunts for game files related to Roblox, stealing account credentials through cookie extraction. Cryptocurrency wallets like MetaMask are also copied entirely, and the malware scans for `.TXT`, `.SQL`, and `.ZIP` files containing keywords like "passwords".
- **Surveillance Capabilities**: RedTiger can capture screenshots of the victim's desktop and take snapshots through the webcam using the OpenCV and Pillow libraries, adding a disturbing privacy-invasion dimension to the attacks.
### Data Exfiltration
The malware employs a clever two-stage exfiltration process designed to maintain attacker anonymity:
1. **Compression and Upload**: All stolen data is compressed and uploaded to **GoFile**, a cloud storage service that allows anonymous uploads without requiring an account.
2. **Link Delivery**: GoFile generates a download link that is automatically sent to the attacker via a **Discord webhook**, along with victim metadata including IP address, geographic location, and hostname.
RedTiger establishes persistence mechanisms across multiple platforms. On Windows systems, it adds itself to the startup folder to execute at login. While persistence capabilities exist for Linux and macOS, implementations are reportedly incomplete in current variants.
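The two-stage exfiltration leaves a recognisable pair in egress logs: an upload to GoFile followed shortly by a webhook POST to Discord from the same client. The correlation below is an added example (not from the report) over a constructed proxy-log format of `time client method host path`; real proxies use different layouts but carry the same fields.

```python
"""Correlate GoFile uploads with Discord webhook POSTs per client within a time window."""
from datetime import datetime, timedelta
import re

# Constructed sample log: 10.0.0.12 uploads to GoFile and then fires a webhook;
# 10.0.0.33 only uses Discord normally.
SAMPLE_LOG = """\
2025-10-20T14:02:11 10.0.0.12 GET api.gofile.io /servers
2025-10-20T14:02:13 10.0.0.12 POST store3.gofile.io /uploadFile
2025-10-20T14:02:15 10.0.0.12 POST discord.com /api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN
2025-10-20T14:05:40 10.0.0.33 GET discord.com /channels/@me
2025-10-20T14:07:02 10.0.0.33 POST discord.com /api/v9/messages
"""

UPLOAD_HOST_RE = re.compile(r"(^|\.)gofile\.io$", re.I)
WEBHOOK_HOSTS = {"discord.com", "discordapp.com"}


def parse_line(line: str):
    """Split one constructed-format log line into typed fields."""
    ts, client, method, host, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), client, method.upper(), host, path


def find_exfil_pairs(log: str, window_s: int = 300) -> list:
    """Return (client, upload_time, webhook_time) for each webhook POST that follows
    a GoFile upload from the same client within window_s seconds."""
    uploads, hits = {}, []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path = parse_line(line)
        if method == "POST" and UPLOAD_HOST_RE.search(host):
            uploads.setdefault(client, []).append(ts)
        elif (method == "POST" and host.lower() in WEBHOOK_HOSTS
              and path.startswith("/api/webhooks/")):
            for up in uploads.get(client, []):
                if timedelta(0) <= ts - up <= timedelta(seconds=window_s):
                    hits.append((client, up.isoformat(), ts.isoformat()))
                    break
    return hits


if __name__ == "__main__":
    for client, up, hook in find_exfil_pairs(SAMPLE_LOG):
        print(f"{client}: GoFile upload at {up}, Discord webhook at {hook}")
```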
## Evasion and Anti-Forensic Features
### Advanced Evasion Techniques
RedTiger incorporates multiple defense evasion mechanisms designed to avoid detection and analysis:
- **Anti-Sandbox Detection**: The malware automatically terminates if it detects usernames, hostnames, or hardware IDs associated with sandbox environments. The predefined detection lists include entries such as "WDAGUtilityAccount," "SANDBOX," and numerous specific hardware identifiers used by analysis tools.
- **Network Protection Bypass**: Some variants modify the system's hosts file to block connections to security vendors' websites, further complicating detection and remediation efforts.
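An added check (not from the report) for the hosts-file tampering described above: it parses a hosts file and reports public hostnames pinned to a sinkhole address such as `0.0.0.0` or loopback. The sample file is constructed and the vendor names are placeholders under the reserved `.example` domain.

```python
"""Report hosts-file entries that sinkhole non-local hostnames."""
import ipaddress

# Constructed sample: stock entries plus two placeholder vendor sinkholes
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       kubernetes.docker.internal
0.0.0.0         update.av-vendor.example      # constructed placeholder
127.0.0.1       www.security-vendor.example
"""

SINKHOLES = {ipaddress.ip_address(a) for a in ("0.0.0.0", "127.0.0.1", "::1", "::")}
LOCAL_SUFFIXES = (".local", ".localdomain", ".internal")


def sinkholed_entries(hosts_text: str) -> list:
    """Return (address, hostname, line_no) for names mapped to a sinkhole address
    that are not obviously local; comments and blank lines are skipped."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not an address
        if addr not in SINKHOLES:
            continue
        for name in parts[1:]:
            low = name.lower()
            if low == "localhost" or low.endswith(LOCAL_SUFFIXES):
                continue
            findings.append((str(addr), name, line_no))
    return findings


def check_hosts_file(path: str) -> list:
    """Run the check on the live file, e.g. /etc/hosts or
    C:\\Windows\\System32\\drivers\\etc\\hosts."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return sinkholed_entries(fh.read())


if __name__ == "__main__":
    for addr, name, n in sinkholed_entries(SAMPLE_HOSTS):
        print(f"line {n}: {name} -> {addr}")
```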
### Forensic Obstruction
To hinder security analysis and forensic investigation, RedTiger employs resource-based obstruction techniques:
- **Process Spamming**: The malware launches approximately **400 processes** simultaneously across the system, creating significant noise and log pollution.
- **File Spamming**: It creates **100 files** with random extensions and fills them with random alphanumeric strings, unpredictably consuming disk space and complicating forensic timelines.
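The process and file spamming stands out in endpoint telemetry as a burst attributable to one parent process. This added example (not Netskope's detection logic) runs a sliding-window count per parent over constructed events with the fields `ts` (seconds), `type`, `parent` and `name`; the thresholds are assumptions to tune per environment.

```python
"""Flag parents that spawn many processes or create many files in a short window."""
from collections import defaultdict
import random


def make_sample_events() -> list:
    """Constructed telemetry: parent 4242 spawns 400 children and writes 100
    random-extension files within seconds; parent 777 is benign background noise."""
    random.seed(7)
    events = []
    for i in range(400):
        events.append({"ts": 1000.0 + i * 0.005, "type": "process",
                       "parent": 4242, "name": "cmd.exe"})
    for i in range(100):
        ext = "".join(random.choices("abcdefghijklmnopqrstuvwxyz", k=3))
        events.append({"ts": 1001.0 + i * 0.01, "type": "file", "parent": 4242,
                       "name": f"C:\\Users\\victim\\Desktop\\{i}.{ext}"})
    for i in range(20):
        events.append({"ts": 900.0 + i * 30, "type": "process",
                       "parent": 777, "name": "svchost.exe"})
    return events


def burst_detect(events, window=5.0, proc_threshold=100, file_threshold=50) -> dict:
    """Return {parent: {type: peak_count}} for parents whose peak count of process
    creations or file creations inside any window-second span meets the threshold."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["parent"], e["type"])].append(e["ts"])
    flagged = defaultdict(dict)
    for (parent, kind), times in by_key.items():
        times.sort()
        best, lo = 0, 0
        for hi, t in enumerate(times):          # two-pointer sliding window
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        threshold = proc_threshold if kind == "process" else file_threshold
        if best >= threshold:
            flagged[parent][kind] = best
    return dict(flagged)


if __name__ == "__main__":
    print(burst_detect(make_sample_events()))
```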
## Distribution, Protection, and Recommendations
### Infection Vectors and Campaign Links
While Netskope's [report](https://www.netskope.com/blog/redtiger-new-red-teaming-tool-in-the-wild-targeting-gamers-and-discord-accounts) doesn't explicitly document distribution methods, other security sources indicate RedTiger primarily spreads through:
- **Malicious game mods**, "trainers," or performance boosters distributed via Discord channels and gaming forums.
- **Fake utility software** and cheats promoted through YouTube videos and malicious download sites.
This campaign aligns with a broader trend of attackers targeting gaming communities. Notably, this represents the second gamer-focused infostealer Netskope has tracked in October 2025, following a Python RAT that masqueraded as a Minecraft client called "Nursultan Client".
### Remediation Recommendations
For gamers and Discord users, security experts recommend implementing these protective measures:
- **Download Vigilance**: Avoid downloading executables, game mods, or "cheats" from unverified sources, especially those promoted through Discord channels or unofficial forums.
- **Discord-Specific Protections**: If compromise is suspected, immediately revoke all Discord tokens, change your password, and perform a fresh installation of the Discord client from the official website.
- **General Security Hygiene**: Clear saved passwords and browsing data from browsers, enable multi-factor authentication on all accounts, and run comprehensive malware scans using updated security software.
The weaponization of RedTiger underscores an ongoing concerning trend in cybersecurity: the rapid adoption of legitimate red-teaming tools by malicious actors. As these tools become more accessible and feature-rich, they provide attackers with sophisticated capabilities without requiring advanced technical development.
The targeting of gamers represents a strategic shift toward communities that may prioritize convenience over security, often downloading third-party software to enhance their gaming experience. With RedTiger's open-source nature allowing for easy modification, security researchers anticipate more variants and enhanced capabilities to emerge in the coming months.
As one researcher noted, "Gamers' shared files and Discord reliance make them prime targets" for these increasingly sophisticated attacks. This campaign serves as a stark reminder that maintaining vigilance and implementing basic security practices remains crucial, regardless of how one uses their computer.
*This technical analysis is based on threat intelligence reports from Netskope Threat Labs with corroborating information from multiple cybersecurity sources. All organizations and malware names referenced are trademarks of their respective owners.*