RedTiger malware has compromised over 408,000 gamers by weaponizing Discord. Discover how this stealer hijacks tokens, payment data, and accounts

Continue reading
Security researchers have uncovered a dangerous new campaign in which cybercriminals are weaponizing RedTiger, an open-source red-teaming tool, into a sophisticated infostealer targeting gamers and Discord users. The malware represents a growing trend of attackers repurposing legitimate security tools for malicious operations, with evidence suggesting a particular focus on French-speaking gaming communities.
RedTiger, developed initially as a Python-based penetration testing suite in 2024, bundles various security assessment tools including network scanners, OSINT utilities, and phishing toolkits. Like the notorious Cobalt Strike framework before it, RedTiger has now been adopted by malicious actors for unauthorized attacks.
According to Netskope Threat Labs, whose October 2025 analysis serves as the basis for this report, the weaponized RedTiger infostealer is being distributed as PyInstaller-compiled binaries with filenames designed to appeal to gaming communities. Several samples include French warning messages, including one that reads "Attention, ton PC est infecté!" (Warning, your PC is infected!), indicating targeted campaigns against French-speaking users .
Table: RedTiger Infostealer at a Glance
| Attribute | Description |
|---|---|
| Origin | Open-source red-teaming tool (2024) |
| Primary Targets | Discord users, gamers, cryptocurrency holders |
| Distribution | PyInstaller binaries masquerading as game mods/cheats |
| Key Capabilities | Discord token theft, browser data harvesting, cryptocurrency wallet theft |
| Data Exfiltration | Two-stage process via GoFile cloud storage and Discord webhooks |
The RedTiger infostealer demonstrates particularly advanced capabilities against Discord, employing multiple techniques to compromise accounts comprehensively:
Beyond Discord, RedTiger casts a wide net for valuable data through multiple vectors:
The malware employs a clever two-stage exfiltration process designed to maintain attacker anonymity:
RedTiger establishes persistence mechanisms across multiple platforms. On Windows systems, it adds itself to the startup folder to execute at login. While persistence capabilities exist for Linux and macOS, implementations are reportedly incomplete in current variants .
RedTiger incorporates multiple defense evasion mechanisms designed to avoid detection and analysis:
To hinder security analysis and forensic investigation, RedTiger employs resource-based obstruction techniques:
While Netskope's report doesn't explicitly document distribution methods, other security sources indicate RedTiger primarily spreads through:
This campaign aligns with a broader trend of attackers targeting gaming communities. Notably, this represents the second gamer-focused infostealer Netskope has tracked in October 2025, following a Python RAT that masqueraded as a Minecraft client called "Nursultan Client".
For gamers and Discord users, security experts recommend implementing these protective measures:
The weaponization of RedTiger underscores an ongoing concerning trend in cybersecurity: the rapid adoption of legitimate red-teaming tools by malicious actors. As these tools become more accessible and feature-rich, they provide attackers with sophisticated capabilities without requiring advanced technical development.
The targeting of gamers represents a strategic shift toward communities that may prioritize convenience over security, often downloading third-party software to enhance their gaming experience. With RedTiger's open-source nature allowing for easy modification, security researchers anticipate more variants and enhanced capabilities to emerge in the coming months .
As one researcher noted, "Gamers' shared files and Discord reliance make them prime targets" for these increasingly sophisticated attacks . This campaign serves as a stark reminder that maintaining vigilance and implementing basic security practices remains crucial, regardless of how one uses their computer.
This technical analysis is based on threat intelligence reports from Netskope Threat Labs with corroborating information from multiple cybersecurity sources. All organizations and malware names referenced are trademarks of their respective owners.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation