RedTiger open-source toolkit weaponized to steal Discord accounts and payment data

Cybercriminals are abusing the open-source red-team toolkit RedTiger to build an info-stealer that harvests Discord account data, stored payment information and other sensitive credentials.

RedTiger is a Python-based penetration-testing suite for Windows and Linux that bundles network scanning, password-cracking and OSINT utilities, and a malware builder. Although it labels dangerous features “legal use only,” the tool is free and lacks built-in safeguards, which makes it easy to abuse the code.

According to cybersecurity firm Netskope, threat actors have compiled RedTiger with PyInstaller into standalone Windows binaries, renamed them to look like gaming or Discord-related tools, and deployed an info-stealer component.

Once run, the malware searches the filesystem and browser databases for Discord data and browser credentials. It extracts plain and encrypted tokens, validates them, and pulls profile details including email, multi-factor authentication and subscription information. The threat also injects custom JavaScript into Discord’s index.js to intercept API calls, allowing attackers to capture events such as logins, purchases and password changes, as well as exfiltrate any payment details stored in Discord.

Besides Discord, RedTiger’s info-stealer harvests saved browser passwords, cookies, history, credit-card entries, browser extensions, cryptocurrency wallet files, and game account data (including Roblox). It can take desktop screenshots and webcam snapshots and scans for common data files (e.g., .txt, .sql, .zip). Collected material is archived and uploaded to an anonymous cloud host (GoFile in observed cases); the malware then notifies the attacker via a Discord webhook with a download link and victim metadata.
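
As an added defender-side example (not from the article or from Netskope's report), a small Python checker for the two artefacts described above: Discord's desktop-core loader file, which the stealer modifies to inject its JavaScript, and outbound traffic to Discord webhooks or GoFile. The stock loader content, the AppData path layout and the marker strings are assumptions; the log lines are constructed.

```python
import os
import re
from pathlib import Path

# Stock content of Discord's desktop-core loader (assumption: the unmodified
# client ships this single line; the stealer appends its own JavaScript here).
CLEAN_INDEX_JS = "module.exports = require('./core.asar');"

# Strings that have no business in the loader file (assumed indicators).
SUSPICIOUS_MARKERS = ("api/webhooks", "gofile.io", "fetch(")

# Exfiltration endpoints named in the article: Discord webhooks and GoFile.
WEBHOOK_RE = re.compile(r"discord(?:app)?\.com/api/webhooks/\d+/")
GOFILE_RE = re.compile(r"\bgofile\.io\b")

def check_index_js(content):
    """Return findings for one index.js body; an empty list means it looks stock."""
    findings = []
    if content.strip() != CLEAN_INDEX_JS:
        findings.append("index.js differs from the stock one-line loader")
    findings += [f"suspicious marker: {m}" for m in SUSPICIOUS_MARKERS if m in content]
    return findings

def find_discord_index_files(appdata):
    """Locate loader files under an AppData root (path layout is an assumption)."""
    pattern = "discord*/*/modules/discord_desktop_core-*/discord_desktop_core/index.js"
    return sorted(Path(appdata).glob(pattern))

def scan_proxy_log(lines):
    """Return log lines showing traffic to Discord webhooks or GoFile."""
    return [l.strip() for l in lines if WEBHOOK_RE.search(l) or GOFILE_RE.search(l)]

# Constructed samples for demonstration; not real artefacts.
CLEAN_SAMPLE = "module.exports = require('./core.asar');\n"
INJECTED_SAMPLE = CLEAN_SAMPLE + "const hook = 'https://discord.com/api/webhooks/1/x';\n"
SAMPLE_PROXY_LOG = """\
2024-01-01T10:00:00Z host1 CONNECT discord.com:443 200
2024-01-01T10:00:05Z host1 POST https://discord.com/api/webhooks/123456/aaaa 204
2024-01-01T10:00:09Z host1 PUT https://upload.gofile.io/uploadFile 200
2024-01-01T10:01:00Z host2 GET https://cdn.discordapp.com/attachments/a.png 200
"""

if __name__ == "__main__":
    for path in find_discord_index_files(os.environ.get("APPDATA", "")):
        print(path, check_index_js(path.read_text(encoding="utf-8", errors="replace")) or "clean")
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print("exfil indicator:", hit)
```

A modified loader is worth treating as a compromised host rather than just reverting the file, since the same binary has usually already collected browser and wallet data.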

The strains analyzed by the researchers implement various anti-analysis features: they detect debuggers and sandboxes and terminate when one is present, and they spawn hundreds of processes and create numerous random files to overwhelm forensic tools.
