RedTiger is an open-source red-teaming instrument repurposed by attackers to steal delicate knowledge from Discord customers and avid gamers.
Launched in 2025 on GitHub, RedTiger bundles penetration-testing utilities, together with community scanners and OSINT instruments. However its infostealer module has gone rogue, with malicious payloads circulating on-line since early 2025.
Netskope Risk Labs reported a number of variants focusing on French-speaking avid gamers, primarily based on pattern filenames and customized warnings like “Consideration, ton PC est infecté!” (Warning, your PC is contaminated!).
This marks the second gamer-focused infostealer Netskope has tracked this month, following a Python RAT geared toward Minecraft gamers.
Attackers favor RedTiger for its modularity and ease of customization, very similar to the abused Cobalt Strike framework. Distributed as PyInstaller-compiled binaries, these samples masquerade as recreation cheats or mods, tricking customers into execution.
Malicious RedTiger primarily based infostealer zeroes in on Discord accounts, injecting JavaScript into the app’s core recordsdata to hijack API site visitors.
It snags tokens through regex searches in Discord’s databases, validates them by API calls, and extracts person particulars like emails, MFA standing, and subscription ranges.
Even password adjustments don’t escape; the malware intercepts updates to billing endpoints for Stripe and Braintree, capturing card information, PayPal particulars, and Nitro purchases.
Past social platforms, it raids browsers Chrome, Firefox, Edge, and area of interest ones like Opera GX for cookies, passwords, historical past, and bank cards.
Sport recordsdata from Roblox and crypto wallets like MetaMask are copied wholesale, whereas .txt, .sql, and .zip recordsdata matching key phrases (e.g., “passwords”) get archived.
Roblox-specific cookie extraction through browser_cookie3 reveals account information by API queries. The malware provides persistence on Home windows by dropping into startup folders, although Linux and macOS implementations falter with out guide tweaks.
For evasion, it scans for sandbox indicators usernames like “sandbox” or {hardware} IDs tied to evaluation instruments and self-terminates, Netskope stated.
It additionally edits the hosts file to dam safety distributors and spawns a whole lot of junk recordsdata and processes to clog forensics.
Exfiltration is intelligent: Stolen knowledge zips up and uploads to nameless GoFile storage, with hyperlinks pinged to attackers through Discord webhooks, together with sufferer IP and geolocation.
RedTiger’s webcam snaps and screenshots spherical out its espionage package, utilizing OpenCV and Pillow libraries. Netskope detects it as Win64.Trojan.RedTiger, urging avid gamers to scan downloads and allow two-factor authentication.
As infostealers evolve, consultants warn of extra variants. “Players’ shared recordsdata and Discord reliance make them prime targets,” stated Netskope’s Rayudu Venkateswara Reddy. Victims ought to monitor accounts and use antivirus with behavioral detection to remain forward.
