Hackers Modify RedTiger Tool into Malware that Steals Discord Accounts and Payment Data


428/68 Tuesday, October 28, 2025

Security researchers have discovered that threat actors repurposed RedTiger, an open-source penetration-testing tool, turning it into information-stealing malware. The attackers compile the tool into standalone binaries and give them game- or Discord-related names to trick users into downloading and running them. Once executed, the malware searches for Discord and web-browser databases and harvests authentication tokens, passwords, cookies, profile data and subscription details (including PayPal and credit-card information stored in Discord), as well as cryptocurrency wallet files and credentials for various game accounts.

Beyond outright account theft, RedTiger injects JavaScript into the Discord desktop client's files so that it can intercept the client's API calls and capture events such as logins, purchases and password changes. It also takes screenshots and webcam images. The stolen data and artifacts are compressed and uploaded to a public file-hosting service (GoFile, for example), and the download link is then sent to the attackers through a Discord webhook. The malware includes anti-analysis features (sandbox and debugger detection) and deliberately creates large numbers of random files to complicate forensic investigation.

Netskope's report notes that the campaign primarily targets Discord users in France. Recommended actions for anyone who suspects they are a victim: revoke Discord tokens and change the account password, enable multi-factor authentication (MFA) on every service that supports it, uninstall and reinstall Discord from the official website (so that any injected client files are replaced), clear saved browser data (passwords and cookies), avoid downloading software or game tools from untrusted sources, and treat attachments and links received through gaming communities or other online channels with caution.
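The injected-JavaScript behaviour described above is something an incident responder can check for directly, because it modifies files on disk in the Discord install directory. The following Python script is an added example written for this page; it is not code from Netskope, BleepingComputer or the RedTiger project. It walks a Discord-like directory tree, inspects every index.js under a discord_desktop_core module, and flags files that are not the stock one-line loader or that contain a Discord webhook URL or a gofile.io reference (the two exfiltration indicators the article names). The assumption that a clean discord_desktop_core/index.js is exactly `module.exports = require('./core.asar');` is mine, and the sample directory tree, the webhook URL and the "injected" file contents are constructed for the demonstration.

```python
"""Triage check for the Discord JavaScript injection described above.
Added example; not code from Netskope, BleepingComputer or the RedTiger project.
"""
import re
import tempfile
from pathlib import Path

# Indicators taken from the article: a Discord webhook is the attacker's
# delivery channel and GoFile hosts the stolen archive.
WEBHOOK_RE = re.compile(
    r"https://(?:canary\.|ptb\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"
)
GOFILE_RE = re.compile(r"\bgofile\.io\b", re.IGNORECASE)

# Assumption: a stock discord_desktop_core/index.js is exactly this one
# line. Anything else has been patched by something, which is what the
# injection described in the article does.
STOCK_INDEX_JS = "module.exports = require('./core.asar');"


def inspect_index_js(text: str) -> list[str]:
    """Return human-readable findings for the body of one index.js."""
    findings = []
    if text.strip() != STOCK_INDEX_JS:
        findings.append("index.js is not the stock one-line loader")
    for m in WEBHOOK_RE.finditer(text):
        findings.append("embedded Discord webhook: " + m.group(0))
    if GOFILE_RE.search(text):
        findings.append("reference to gofile.io")
    return findings


def scan_discord_install(root) -> dict[str, list[str]]:
    """Walk a Discord install tree and report every index.js that lives under
    a discord_desktop_core module directory and has findings."""
    results = {}
    for path in Path(root).rglob("index.js"):
        if not any(p.startswith("discord_desktop_core") for p in path.parts):
            continue
        body = path.read_text(encoding="utf-8", errors="replace")
        findings = inspect_index_js(body)
        if findings:
            results[str(path.relative_to(root))] = findings
    return results


def build_demo_tree() -> str:
    """Create a constructed Discord-like tree with one clean module and one
    injected module, returning its root path. Sample data, not real files."""
    root = Path(tempfile.mkdtemp(prefix="discord_demo_"))
    modules = root / "app-1.0.9000" / "modules"

    clean = modules / "discord_desktop_core-1" / "discord_desktop_core"
    clean.mkdir(parents=True)
    (clean / "index.js").write_text(STOCK_INDEX_JS + "\n", encoding="utf-8")

    injected = modules / "discord_desktop_core-2" / "discord_desktop_core"
    injected.mkdir(parents=True)
    (injected / "index.js").write_text(
        # Hypothetical injected loader: constructed webhook URL, not a real one.
        "const WEBHOOK = 'https://discord.com/api/webhooks/1234567890/AbCdEf_ghIJ';\n"
        "// hook on the client's HTTP layer to copy login/purchase request bodies\n"
        "module.exports = require('./core.asar');\n",
        encoding="utf-8",
    )

    # An index.js outside discord_desktop_core is ignored by the scan.
    other = modules / "discord_utils-1"
    other.mkdir(parents=True)
    (other / "index.js").write_text("module.exports = {};\n", encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, findings in scan_discord_install(demo_root).items():
        print(rel)
        for finding in findings:
            print("   -", finding)
```

On a real machine, point `scan_discord_install` at the Discord install root (on Windows, the `Discord` folder under `%LOCALAPPDATA%`). Any hit is a reason to follow the article's advice: revoke tokens, change the password and reinstall the client from the official site rather than trying to clean the file in place.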

Source: https://www.bleepingcomputer.com/news/security/hackers-steal-discord-accounts-with-redtiger-based-infostealer/