
RedTiger malware targets Discord users

A malware tool called RedTiger has been turning up more and more in recent months. Although the tool was originally written for security testing and red teaming, it is now being actively abused by cybercriminals to target gamers and Discord users.

The open-source tool, developed in Python and released in 2024, includes modules for network reconnaissance, phishing, OSINT, and data collection. It is mainly the built-in infostealer that malicious actors are now using to steal personal and financial information.

According to an analysis by Netskope Threat Labs, the RedTiger infostealer is primarily focused on stealing Discord accounts. The malware injects custom JavaScript code into the Discord desktop client to intercept account information, payment details, and authentication tokens. Because the injected code sits inside the client itself, it keeps capturing fresh credentials even after a victim changes their password or email address.
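The practical counterpart to the paragraph above is a check on the client itself. The script below is an added example, not RedTiger code and not part of the Netskope analysis. It assumes, from general knowledge of Discord stealers rather than from anything the article states about RedTiger's exact method, that the desktop client loads `app-<version>/modules/discord_desktop_core-<n>/discord_desktop_core/index.js` at startup and that the stock file is a single `require('./core.asar')` line; injected client code usually lands in that file, so any deviation from the stock content is worth triage. The sample install tree it builds is constructed, and the marker list is a starting point an analyst would extend.

```python
import tempfile
from pathlib import Path

# Stock content of discord_desktop_core/index.js (assumption from general
# knowledge of the desktop client; the page does not name the file RedTiger edits).
STOCK_INDEX_JS = "module.exports = require('./core.asar');"

# Substrings commonly seen in injected client code; a constructed starting list.
INJECTION_MARKERS = ("webhook", "token", "fetch(", "XMLHttpRequest", "payment", "billing")


def find_core_index_files(discord_root):
    """Return every core loader under an install root, e.g. %LOCALAPPDATA%\\Discord."""
    pattern = "app-*/modules/discord_desktop_core-*/discord_desktop_core/index.js"
    return sorted(Path(discord_root).glob(pattern))


def check_index_js(path):
    """Compare one loader with the stock one-liner and list injection markers."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    lowered = text.lower()
    return {
        "path": str(path),
        "stock": text.strip() == STOCK_INDEX_JS,
        "size": len(text),
        "markers": [m for m in INJECTION_MARKERS if m.lower() in lowered],
    }


def scan_discord_root(discord_root):
    """Return findings for every loader that deviates from stock; [] means clean."""
    results = [check_index_js(p) for p in find_core_index_files(discord_root)]
    return [r for r in results if not r["stock"]]


def build_sample_install(base=None):
    """Constructed sample install: one stock loader and one with appended code."""
    base = Path(base or tempfile.mkdtemp(prefix="discord-sample-"))
    clean = base / "app-1.0.9100" / "modules" / "discord_desktop_core-1" / "discord_desktop_core"
    tampered = base / "app-1.0.9200" / "modules" / "discord_desktop_core-1" / "discord_desktop_core"
    for d in (clean, tampered):
        d.mkdir(parents=True, exist_ok=True)
    (clean / "index.js").write_text(STOCK_INDEX_JS + "\n", encoding="utf-8")
    # Constructed, deliberately inert stand-in for injected code: only its shape matters.
    (tampered / "index.js").write_text(
        STOCK_INDEX_JS + "\n"
        "// constructed sample of injected code, deliberately inert\n"
        "const hook = 'https://discord.com/api/webhooks/000000000000000000/constructed';\n"
        "console.log('would fetch(' + hook + ') with a token here');\n",
        encoding="utf-8",
    )
    return str(base)


if __name__ == "__main__":
    root = build_sample_install()
    for finding in scan_discord_root(root):
        print(f"{finding['path']}: {finding['size']} bytes, markers={finding['markers']}")
```

Run it against a real install by passing the Discord root to `scan_discord_root` instead of the constructed tree; a stock client produces no findings, and because the check compares against the known-good one-liner rather than searching for specific malware strings, it also catches injectors that use none of the listed markers.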

In addition, RedTiger collects browser data such as stored passwords, cookies, credit card information, and browsing history. It also actively searches cryptocurrency wallets and game accounts, including Roblox, for usable data. The malware relies on existing Python libraries to read browser cookies and makes API requests with the stolen session data to retrieve user information.

Multiple mechanisms to avoid detection

The exfiltration of stolen data takes place in two phases. First, all collected files are compressed and uploaded to GoFile, a free cloud storage service that does not require an account. RedTiger then sends the download link and the victim's system information to the attacker via a Discord webhook. Neither step requires attacker-controlled infrastructure, which keeps the operation largely anonymous and difficult to trace.

The malware also has several mechanisms to avoid detection. It terminates when it detects that it is running in a virtual machine or test environment, and it blocks connections to security websites by modifying the hosts file. To complicate forensic investigation, RedTiger simultaneously launches roughly four hundred processes and creates a hundred random files, which slows down the system and pollutes log files.
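Both behaviours in the preceding paragraphs leave detectable traces. The script below is an added example, not RedTiger code and not Netskope's detection content. It assumes an egress proxy log with one `timestamp client method url` record per line and an operator-maintained list of security-vendor domains; the log lines, the hosts file and that domain list are all constructed for the example. The first check looks for the upload-then-webhook sequence from a single host rather than for webhook traffic alone, since Discord webhook POSTs are common for legitimate bots; the second flags hosts-file entries that point security-vendor domains at loopback or the null address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed egress-proxy log, "timestamp client method url" per line. One
# workstation (10.0.5.23) uploads to GoFile and then POSTs to a Discord
# webhook seconds later; 10.0.5.40 only talks to a webhook (a legitimate bot).
SAMPLE_PROXY_LOG = """\
2025-10-20T14:02:11Z 10.0.5.23 GET https://discord.com/api/v9/users/@me
2025-10-20T14:02:40Z 10.0.5.23 GET https://api.gofile.io/servers
2025-10-20T14:02:42Z 10.0.5.23 POST https://store1.gofile.io/contents/uploadfile
2025-10-20T14:02:45Z 10.0.5.23 POST https://discord.com/api/webhooks/000000000000000000/constructed-token
2025-10-20T14:10:00Z 10.0.5.40 GET https://discord.com/api/v9/gateway
2025-10-20T15:30:00Z 10.0.5.40 POST https://discord.com/api/webhooks/111111111111111111/other-constructed
"""

# Constructed hosts file of the kind the article describes: security-vendor
# domains pointed at loopback or the null address so the client cannot reach them.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1 localhost
0.0.0.0 virustotal.com www.virustotal.com
127.0.0.1 avast.com
"""

WEBHOOK_RE = re.compile(r"^https://(?:(?:ptb\.|canary\.)?discord\.com|discordapp\.com)/api/webhooks/\d+/")
GOFILE_RE = re.compile(r"^https://(?:[\w-]+\.)*gofile\.io/")
CHAIN_WINDOW = timedelta(minutes=10)
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}
# Operator-maintained vendor list; this short one is illustrative only.
SECURITY_DOMAINS = ("virustotal.com", "avast.com", "malwarebytes.com", "bitdefender.com")


def parse_proxy_log(text):
    """Parse 'timestamp client method url' lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        ts, client, method, url = parts
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method, url))
    return events


def find_exfil_chains(events, window=CHAIN_WINDOW):
    """Clients that POST to a Discord webhook within `window` after a GoFile upload."""
    uploads = defaultdict(list)
    for ts, client, method, url in events:
        if method == "POST" and GOFILE_RE.match(url):
            uploads[client].append(ts)
    hits = []
    for ts, client, method, url in events:
        if method == "POST" and WEBHOOK_RE.match(url):
            if any(timedelta(0) <= ts - up <= window for up in uploads[client]):
                hits.append((client, ts.isoformat()))
    return hits


def find_sinkholed_security_domains(hosts_text, domains=SECURITY_DOMAINS):
    """(address, hostname) pairs where a security-vendor domain is sinkholed."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr not in SINKHOLE_ADDRS:
            continue
        for name in names:
            if any(name == d or name.endswith("." + d) for d in domains):
                hits.append((addr, name))
    return hits


if __name__ == "__main__":
    print("exfil chains:", find_exfil_chains(parse_proxy_log(SAMPLE_PROXY_LOG)))
    print("sinkholed security domains:", find_sinkholed_security_domains(SAMPLE_HOSTS))
```

On a real estate, feed `find_exfil_chains` the proxy log for the day and `find_sinkholed_security_domains` the contents of `C:\Windows\System32\drivers\etc\hosts` (or `/etc/hosts`); the hosts check is cheap enough to run from an endpoint agent on every boot, and a clean machine returns an empty list from both functions.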

According to Netskope, it is not entirely clear how the malware is distributed, but other sources mention several methods. Malicious RedTiger builds are believed to circulate via Discord channels, malicious download sites, forum posts, misleading advertisements, and YouTube videos posing as game cheats or performance boosters. This places RedTiger within a broader trend in which attackers use gaming communities as a gateway to personal data and payment information.

The rise of RedTiger underscores how quickly legitimate security tools can become powerful weapons for cybercriminals, especially when they are available as open source. For users, this means that caution when downloading unknown software is more important than ever.