Attackers are increasingly leveraging the open-source red-team toolkit RedTiger to develop sophisticated infostealers that target sensitive user data, particularly from Discord accounts. This emerging threat poses significant risks, as the malware is capable of collecting a broad spectrum of information, including payment details and personal credentials.
Overview of RedTiger
RedTiger is a comprehensive Python-based penetration testing suite compatible with both Windows and Linux operating systems. It integrates various functionalities such as network scanning, password cracking, open-source intelligence (OSINT) utilities, and dedicated tools for Discord. Additionally, it includes a malware-building feature, thus enabling users to craft malicious software with relative ease.
Discord-Specific Threats
Infostealer Capabilities
The infostealer component within RedTiger is designed for extensive data collection. It can capture:
- System information
- Browser cookies and passwords
- Cryptocurrency wallet files
- Game-related credentials, specifically for platforms like Roblox and Discord.
Moreover, the malware can take webcam snapshots and screenshots, providing attackers with even more insight into the victim’s activities.
Despite being marked as intended for "legal use only" on GitHub, the open-source nature of RedTiger and its lack of inherent safeguards have led to its weaponization by cybercriminals.
Mechanism of Attack
According to a report by Netskope, threat actors are predominantly using RedTiger to compromise Discord accounts, particularly among users in France. The attackers compile RedTiger’s code using PyInstaller to generate standalone binaries disguised under gaming or Discord-themed names.
Once the infostealer infiltrates a victim’s device, the malware conducts a thorough search for Discord data and browser databases. It employs regular expressions (regex) to extract both plain and encrypted tokens, subsequently validating them to retrieve essential information, such as profiles, email addresses, multi-factor authentication (MFA) details, and subscription information.
Additionally, it injects custom JavaScript into Discord’s index.js file to intercept API calls, capturing critical events like login attempts and purchases. The malware can also exfiltrate payment information—both PayPal and credit card details—stored within Discord.
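A defender-side integrity check for the index.js tampering described above, added here as an example (it is not code from the Netskope report or from RedTiger). It assumes the Windows client layout under %LOCALAPPDATA%\Discord and that the genuine discord_desktop_core/index.js is a single require of core.asar; the indicator patterns are constructed for this example.

```python
import glob
import hashlib
import os
import re

# Assumed content of the pristine file: a single require of core.asar and nothing else.
EXPECTED_INDEX_JS = "module.exports = require('./core.asar');"

# Generic markers of injected exfiltration/interception logic (constructed for this example).
SUSPICIOUS_PATTERNS = {
    "discord_webhook": re.compile(r"discord(?:app)?\.com/api/webhooks/", re.I),
    "network_call": re.compile(r"\b(?:fetch|XMLHttpRequest|require\(['\"]https?['\"]\))"),
    "api_hook": re.compile(r"/api/v\d+/(?:users/@me|auth/login|store/)", re.I),
    "obfuscation": re.compile(r"\beval\(|\batob\(|Buffer\.from\([^)]*base64", re.I),
}

def analyze_index_js(content: str) -> dict:
    """Verdict for one index.js body: tampered flag, matched indicators, size and hash."""
    hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(content)]
    return {
        "tampered": content.strip() != EXPECTED_INDEX_JS,
        "indicators": hits,
        "size": len(content),
        "sha256": hashlib.sha256(content.encode("utf-8", "replace")).hexdigest(),
    }

def discord_index_js_paths(localappdata: str = "") -> list:
    """Glob the assumed Windows layout for every discord_desktop_core index.js."""
    base = localappdata or os.environ.get("LOCALAPPDATA", "")
    pattern = os.path.join(base, "Discord", "app-*", "modules",
                           "discord_desktop_core-*", "discord_desktop_core", "index.js")
    return sorted(glob.glob(pattern))

def scan_discord_client(localappdata: str = "") -> list:
    """Analyze every located index.js; returns [(path, report), ...]."""
    results = []
    for path in discord_index_js_paths(localappdata):
        with open(path, encoding="utf-8", errors="replace") as fh:
            results.append((path, analyze_index_js(fh.read())))
    return results

if __name__ == "__main__":
    for path, report in scan_discord_client():
        status = "TAMPERED" if report["tampered"] else "clean"
        print(f"{status:8} {path} indicators={report['indicators']}")
```

A tampered flag or a non-empty indicator list on any app-* version is a reason to reinstall the client from the official site and revoke the account's tokens, as the precautions below advise.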
Data Harvesting Techniques
From compromised web browsers, RedTiger efficiently gathers:
- Saved passwords
- Cookies
- Browsing history
- Credit card information
- Installed browser extensions
Furthermore, the malware scans the victim’s filesystem for specific file types, including .TXT, .SQL, and .ZIP, to maximize its data theft potential. After collecting the data, it archives the information and uploads it to GoFile, an anonymous cloud storage service. The attackers receive the download link along with victim metadata via a Discord webhook.
Evasion Techniques
RedTiger incorporates robust evasion strategies to avoid detection. It features anti-sandbox mechanisms and terminates its processes if any debugging tools are detected. Additionally, in an effort to overwhelm forensic analysis, the malware can spawn up to 400 processes and create 100 random files.
Distribution Methods
While Netskope has not disclosed precise distribution vectors exploited by the malicious RedTiger binaries, attackers typically utilize common vectors such as:
- Discord channels
- Malicious software download sites
- Online forums
- Malvertising campaigns
- YouTube videos
User Precautions
To mitigate the risk of infection, users must exercise caution by avoiding the download of executables or game tools—such as mods, trainers, or boosters—from unverified sources. If a compromise is suspected, immediate actions should include revoking Discord tokens, changing passwords, and reinstalling the Discord desktop client from the official website. Furthermore, it is crucial to clear saved data from web browsers and enable multi-factor authentication (MFA) wherever feasible.
