
RedTiger Toolkit Repurposed: Stealing Discord Tokens and Wallets

Illustration: RedTiger infostealer adapted to steal Discord tokens and browser credentials

The open-source red-teaming toolkit RedTiger has been repurposed by cybercriminals into an infostealer campaign that targets Discord users and the gaming community. Attackers reuse the toolkit's built-in modules to harvest authentication tokens, payment information and browser-stored credentials. According to recent threat intelligence reports, the malware is already circulating in the wild and poses a serious risk to gamers, streamers and enterprise-connected users alike.

Origins and malicious adaptation of RedTiger

RedTiger originated as a legitimate red-team tool designed for authorized penetration testing. Because its full source is published, threat actors were able to adapt it into a highly capable infostealer. Researchers at Netskope identified multiple variants built on RedTiger that target Discord tokens, browser-saved data and game accounts. The modular nature of the toolkit lets attackers combine phishing kits, network scanners and credential skimmers into a single payload.

Mechanics of the attack: how the malware works

The malicious binary, compiled from the RedTiger code, is distributed disguised as a game cheat, mod installer or cracked software. Once executed, it scans for Discord installation folders and browser database files on Windows systems. It extracts plain-text and encrypted tokens with regular-expression searches, validates them against the Discord API, then mines the associated email addresses, MFA status and subscription data.
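The same installation folders the stealer hunts for are where a defender can look for the client tampering the next paragraph describes. The Python below is an added example, not code from the original article or from the RedTiger project: it walks the Discord install directories on Windows and compares each discord_desktop_core/index.js to the one-line loader a stock install ships with, flagging embedded webhook URLs and other markers that do not belong in that file. The expected file content, the client folder names (Discord, DiscordPTB, DiscordCanary) and the two sample file bodies are assumptions and constructed test data, not taken from the article.

```python
import os
import re
from glob import glob

# ASSUMPTION: a stock Discord desktop install ships discord_desktop_core/index.js
# as this single line. Confirm on a known-good machine before treating a
# mismatch as proof of compromise.
EXPECTED_INDEX_JS = "module.exports = require('./core.asar');"

# ASSUMPTION: client folder names under %LOCALAPPDATA% for stable, PTB and Canary.
CLIENT_DIRS = ("Discord", "DiscordPTB", "DiscordCanary")

WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"
)
# Strings that have no place in the stock loader but are typical of token grabbers:
# outbound HTTP, process spawning, file-drop services, profile-path hunting.
SUSPICIOUS_MARKERS = (
    "require('https')", 'require("https")', "child_process",
    "gofile.io", "LOCALAPPDATA", "leveldb",
)


def classify_index_js(text: str) -> list:
    """Return findings for one index.js body; an empty list means it looks stock."""
    findings = []
    if text.strip() != EXPECTED_INDEX_JS:
        findings.append("content differs from the expected one-line loader")
    for url in WEBHOOK_RE.findall(text):
        findings.append(f"embedded Discord webhook URL: {url}")
    for marker in SUSPICIOUS_MARKERS:
        if marker in text:
            findings.append(f"suspicious marker: {marker}")
    return findings


def candidate_index_files() -> list:
    """Locate index.js for every installed client version; empty list off Windows."""
    base = os.environ.get("LOCALAPPDATA")
    if not base:
        return []
    pattern = os.path.join("app-*", "modules", "discord_desktop_core-*",
                           "discord_desktop_core", "index.js")
    return [p for d in CLIENT_DIRS for p in glob(os.path.join(base, d, pattern))]


def scan_installed_clients() -> dict:
    """Map each located index.js to its findings; tampered files are the ones to act on."""
    results = {}
    for path in candidate_index_files():
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[path] = classify_index_js(fh.read())
    return results


# Constructed samples for offline testing: a stock loader and an injected one.
# The injected body is a skeleton with a placeholder webhook, not working malware.
CLEAN_INDEX_JS = "module.exports = require('./core.asar');\n"
TAMPERED_INDEX_JS = """\
const https = require('https');
const { execSync } = require('child_process');
const WEBHOOK = 'https://discord.com/api/webhooks/000000000000000000/constructed-example-not-real';
// ... token harvesting and upload logic would sit here ...
module.exports = require('./core.asar');
"""

if __name__ == "__main__":
    print("clean sample:", classify_index_js(CLEAN_INDEX_JS))
    print("tampered sample:", classify_index_js(TAMPERED_INDEX_JS))
    for path, findings in scan_installed_clients().items():
        print(path, "->", findings or "looks stock")
```

Run it on the suspect machine as the affected user; any non-empty finding for a real path is a reason to delete the client folder and reinstall from the official download rather than to clean the file in place, since the rest of the module directory may be modified too.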

The malware further injects custom JavaScript into the Discord desktop client's index.js file so it can intercept API calls, monitor login attempts and purchases, and harvest payment data such as PayPal or credit-card details stored in Discord. Meanwhile, the infostealer collects browser cookies, saved passwords, cryptocurrency wallet files and other asset-rich items (e.g., .txt, .sql, .zip), compresses the collected data and uploads it to a cloud-storage service such as GoFile.
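The upload to a file-drop service described above, the webhook hand-off and the burst of decoy process creation described in the next paragraph all leave telemetry a SOC can match on. The Python below is an added example, not code from the article or from any vendor: it runs two detectors over constructed endpoint and proxy records. The pipe-delimited record format, the host name, the process names and the timestamps are invented for the example; the allowlist of processes expected to POST to Discord webhooks and the threshold of 100 child processes per minute are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"
)
# File-drop services to flag on POST; the article names GoFile. Extend to what your proxy sees.
UPLOAD_HOSTS = ("gofile.io",)
# ASSUMPTION: processes for which a webhook POST is plausible in this environment.
# Browsers are included because web integrations post to webhooks; tune to taste.
WEBHOOK_ALLOWED = {"discord.exe", "discordptb.exe", "discordcanary.exe",
                   "chrome.exe", "msedge.exe", "firefox.exe"}


def _rec(ts, host, proc, ppid, pid, event, detail):
    return f"{ts.isoformat(timespec='milliseconds')}Z|{host}|{proc}|{ppid}|{pid}|{event}|{detail}"


def build_sample_log() -> list:
    """Constructed telemetry (not real logs): ts|host|process|ppid|pid|event|detail.
    'net' events carry 'METHOD URL'; 'proc_create' events carry the child image and
    the process/pid columns name the parent."""
    t0 = datetime(2025, 10, 20, 14, 2, 11)
    lines = [
        _rec(t0, "WS-0421", "game_trainer.exe", 4120, 5532, "net",
             "POST https://store1.gofile.io/uploadFile"),
        _rec(t0 + timedelta(seconds=3), "WS-0421", "game_trainer.exe", 4120, 5532, "net",
             "POST https://discord.com/api/webhooks/000000000000000000/constructed-example"),
        _rec(t0 + timedelta(seconds=4), "WS-0421", "Discord.exe", 1200, 3300, "net",
             "GET https://discord.com/api/v9/users/@me"),
        _rec(t0 + timedelta(seconds=9), "WS-0421", "chrome.exe", 900, 4100, "net",
             "POST https://discord.com/api/webhooks/000000000000000001/another-constructed"),
    ]
    # Decoy storm: 250 child processes in ten seconds from the stealer process.
    for i in range(250):
        lines.append(_rec(t0 + timedelta(seconds=20, milliseconds=40 * i), "WS-0421",
                          "game_trainer.exe", 4120, 5532, "proc_create", f"decoy_{i}.exe"))
    # Benign parent spawning a handful of children over the same minute.
    for i in range(5):
        lines.append(_rec(t0 + timedelta(seconds=20 + 5 * i), "WS-0421",
                          "explorer.exe", 1, 2000, "proc_create", f"app_{i}.exe"))
    return lines


def parse(line: str) -> dict:
    ts, host, proc, ppid, pid, event, detail = line.split("|", 6)
    return {"ts": datetime.fromisoformat(ts.rstrip("Z")), "host": host,
            "proc": proc.lower(), "ppid": int(ppid), "pid": int(pid),
            "event": event, "detail": detail}


def _is_upload_host(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in UPLOAD_HOSTS)


def find_exfil(lines) -> list:
    """Flag uploads to file-drop services and webhook POSTs from unexpected processes."""
    hits = []
    for r in map(parse, lines):
        if r["event"] != "net":
            continue
        method, _, url = r["detail"].partition(" ")
        host = (urlsplit(url).hostname or "").lower()
        if method == "POST" and _is_upload_host(host):
            hits.append((r["host"], r["proc"], r["pid"], "upload to file-drop service", url))
        if method == "POST" and WEBHOOK_RE.match(url) and r["proc"] not in WEBHOOK_ALLOWED:
            hits.append((r["host"], r["proc"], r["pid"], "webhook POST from unexpected process", url))
    return hits


def find_process_bursts(lines, threshold=100, window=timedelta(seconds=60)) -> list:
    """Flag any parent that creates at least `threshold` children inside one sliding window."""
    by_parent = defaultdict(list)
    for r in map(parse, lines):
        if r["event"] == "proc_create":
            by_parent[(r["host"], r["proc"], r["pid"])].append(r["ts"])
    flagged = []
    for key, times in by_parent.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.append((key, hi - lo + 1))
                break
    return flagged


if __name__ == "__main__":
    log = build_sample_log()
    for hit in find_exfil(log):
        print("EXFIL", hit)
    for key, n in find_process_bursts(log):
        print("BURST", key, f"{n} children within 60s")
```

The two signals are deliberately correlated on the same process: a single webhook POST from a non-Discord binary is already worth a look, but the same process also uploading an archive to a file-drop host and then forking hundreds of children is the sequence the article describes, and chaining the rules in a SIEM on (host, pid) keeps the false-positive rate low.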

The attacker receives the download link via a Discord webhook, which hides the exfiltration channel inside ordinary-looking Discord traffic. To evade detection, the malware spawns hundreds of bogus processes and files, monitors for sandbox or debugger presence and terminates if analysis is suspected.

Why gamers and Discord users are prime targets

Gamers often download modding tools, trainers or unofficial files hosted in forums and Discord communities, which makes them more willing than most users to run unsigned executables from untrusted sources. The presence of gaming assets, crypto wallets and live-streaming accounts on the same machines further increases the opportunity for misuse. The emphasis on Discord tokens means that once an account is compromised, an actor can hijack it, impersonate the user, harvest contacts, propagate the malware through friend lists and pivot into broader fraud operations.

Because the JavaScript injected into the client survives a password reset, a reset performed on a still-infected machine simply hands the attacker the new token: the compromised account keeps leaking data until the tampered client is removed.

Enterprise implications: beyond the gaming world

Although current distribution focuses on gamers, the technical architecture makes this threat viable for enterprise targeting. A stolen communication-platform token can give access to channels, internal conversations and corporate messaging infrastructure.

Browser credentials and token-based authentication cookies may facilitate lateral movement or business-email-compromise (BEC) campaigns. Organizations with employees who game, use Discord or store tokens in cloud workspaces should monitor for token abuse and anomalous processes.

Mitigation and remediation steps

• Reinstall the Discord client from the official download first, then change the account password, which invalidates the existing tokens, and enable multi-factor authentication (MFA) on all accounts. Changing the password while the tampered client is still in place only hands the attacker the new token.
• Use endpoint-detection and response (EDR) tools to detect process-spawning anomalies, large file exfiltration and unauthorized script injection activities.
• Block downloads of unauthorized trainers, mods and cracked executables in gaming-linked environments.
• Audit browsers and remove stored passwords, cookies and wallet extensions if compromise is suspected. Then reinstall browser profiles from trusted backups.
• Conduct token-hygiene training: discourage reuse of game credentials in corporate directories, and specifically monitor usage of communication-platform tokens which may bypass standard password policies.

Malware analysts expect RedTiger variants to proliferate rapidly because the codebase is open-source and easy to modify. Attackers may adapt its payload for other platforms (Slack, Microsoft Teams) and add ransomware or further credential-theft modules on the same framework. Because gaming machines increasingly overlap with enterprise-connected devices, CISOs must treat gamer-centric malware as an enterprise-grade risk. The time to act is now.

FAQs 

Q1. What is RedTiger and how is it different from other infostealers?
A1. RedTiger started as a legitimate red-teaming toolkit but its open-source nature allowed attackers to weaponize its modules. Unlike standard infostealers, RedTiger includes token-hijacking, API injection and cloud-based exfiltration via Discord webhooks, which elevates its impact.

Q2. How does RedTiger steal Discord accounts specifically?
A2. The malware scans for Discord token files inside local storage, validates the tokens via the Discord API, injects custom JavaScript to intercept client calls, and captures login events and payment-related actions. Because the injected code survives a password reset, resetting the password on a still-infected machine only gives the attacker the new token.

Q3. Can enterprise users be affected or is it just gamers?
A3. Enterprise users are at risk when they use the same devices for gaming and work or install mods from untrusted sources. Token-based access, browser credentials and remote persistence mechanisms make this threat relevant in corporate settings.

Q4. What immediate response should an individual take if they suspect infection?
A4. They should remove any untrusted mods or executables, reinstall the Discord client from the official download, then change the password (which invalidates the old tokens), enable MFA, clear browser-stored credentials and run a full endpoint scan for suspicious processes.

Q5. What longer-term controls should organizations implement?
A5. Organizations should enforce least-privilege for user environments, restrict execution of unauthorized modding tools, monitor endpoint telemetry for data exfiltration via cloud upload channels and treat gaming-device hygiene as part of enterprise risk management.
