Red Teaming Tool RedTiger

RedTiger is an open-source red-teaming tool repurposed by attackers to steal sensitive data from Discord users and gamers.

Released in 2025 on GitHub, RedTiger bundles penetration-testing utilities, including network scanners and OSINT tools. But its infostealer module has gone rogue, with malicious payloads circulating online since early 2025.

Netskope Threat Labs reported multiple variants targeting French-speaking gamers, based on sample filenames and custom warnings like “Attention, ton PC est infecté!” (Warning, your PC is infected!).

This marks the second gamer-focused infostealer Netskope has tracked this month, following a Python RAT aimed at Minecraft players.

RedTiger Tool Abused

Attackers favor RedTiger for its modularity and ease of customization, much like the abused Cobalt Strike framework. Distributed as PyInstaller-compiled binaries, these samples masquerade as game cheats or mods, tricking users into execution.

The malicious RedTiger-based infostealer zeroes in on Discord accounts, injecting JavaScript into the app’s core files to hijack API traffic.


It snags tokens via regex searches in Discord’s databases, validates them through API calls, and extracts user details like emails, MFA status, and subscription levels.

Even password changes don’t escape; the malware intercepts updates to billing endpoints for Stripe and Braintree, capturing card info, PayPal details, and Nitro purchases.

Beyond social platforms, it raids browsers such as Chrome, Firefox and Edge, as well as niche ones like Opera GX, for cookies, passwords, history, and credit cards.

Game files from Roblox and crypto wallets like MetaMask are copied wholesale, while .txt, .sql, and .zip files matching keywords (e.g., “passwords”) get archived.

Roblox-specific cookie extraction via browser_cookie3 reveals account info through API queries. The malware adds persistence on Windows by dropping into startup folders, though Linux and macOS implementations falter without manual tweaks.

For evasion, it scans for sandbox indicators, such as usernames like “sandbox” or hardware IDs tied to analysis tools, and self-terminates if it finds them, Netskope said.

It also edits the hosts file to block security vendors and spawns hundreds of junk files and processes to clog forensics.
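A defender-side triage check for the hosts-file tampering described above, added here as an example; it is not code from the article or from RedTiger. The sample hosts content and the vendor domains in the watch-list are constructed placeholders, so a real deployment would substitute its own security vendors' update and telemetry FQDNs.

```python
from typing import Dict, List, Optional

# Constructed sample hosts file: the usual loopback lines plus two entries that
# sinkhole (hypothetical) security-vendor domains the way the article describes.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.example-av.com      # constructed vendor domain
127.0.0.1       telemetry.example-edr.net  # constructed vendor domain
"""

# Addresses that make a name unreachable when placed in the hosts file.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Names that legitimately resolve to loopback and must never be flagged.
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost"}
# Hypothetical watch-list of vendor domains; replace with your own.
WATCHED_DOMAINS = {"example-av.com", "example-edr.net"}


def parse_hosts(text: str) -> List[Dict[str, str]]:
    """Return one record per (address, hostname) pair, ignoring comments and blanks."""
    records = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comment, then tokenize
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        for name in names:
            records.append({"addr": addr, "name": name.lower()})
    return records


def _is_watched(name: str, watched: set) -> bool:
    return any(name == d or name.endswith("." + d) for d in watched)


def find_sinkholed(text: str, watched: Optional[set] = None) -> List[str]:
    """Hostnames mapped to a null/loopback address that are not loopback names.

    With a watch-list, only vendor domains on that list are returned; without
    one, every unexpected sinkhole entry is returned for manual triage.
    """
    hits = []
    for rec in parse_hosts(text):
        if rec["addr"] not in SINKHOLE_ADDRS or rec["name"] in LOOPBACK_OK:
            continue
        if watched is None or _is_watched(rec["name"], watched):
            hits.append(rec["name"])
    return hits


if __name__ == "__main__":
    print(find_sinkholed(SAMPLE_HOSTS, WATCHED_DOMAINS))
```

On a live Windows host the text would come from `%SystemRoot%\System32\drivers\etc\hosts`; any hit is worth correlating with the junk-file and process spawning noted above.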

Exfiltration is clever: stolen data is zipped and uploaded to anonymous GoFile storage, and the download links are sent to the attackers via Discord webhooks along with the victim’s IP address and geolocation.

RedTiger’s webcam snaps and screenshots round out its espionage kit, using OpenCV and Pillow libraries. Netskope detects it as Win64.Trojan.RedTiger, urging gamers to scan downloads and enable two-factor authentication.

As infostealers evolve, experts warn of more variants. “Gamers’ shared files and Discord reliance make them prime targets,” said Netskope’s Rayudu Venkateswara Reddy. Victims should monitor accounts and use antivirus with behavioral detection to stay ahead.

Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.