RedTiger, an open-source red-teaming tool initially designed for penetration testing, has been co-opted by cybercriminals to extract sensitive information from gamers and Discord users. Launched on GitHub in 2025, RedTiger integrates various penetration-testing utilities, including network scanners and open-source intelligence (OSINT) tools. However, its information-stealing module has been misused, with malicious payloads surfacing online since early 2025.
Netskope Threat Labs has identified multiple variants of this malware targeting French-speaking gamers. Indicators include sample filenames and custom warnings in French, such as Attention, ton PC est infecté! (Warning, your PC is infected!). This development follows the discovery of another gamer-focused infostealer, a Python-based Remote Access Trojan (RAT) aimed at Minecraft players.
Exploitation of RedTiger
Cyber attackers are drawn to RedTiger due to its modularity and ease of customization, similar to the previously exploited Cobalt Strike framework. These malicious versions are distributed as PyInstaller-compiled binaries, often disguised as game cheats or modifications to deceive users into executing them.
Once executed, the RedTiger-based infostealer primarily targets Discord accounts. It injects JavaScript into the application’s core files to intercept API traffic, capturing tokens through regex searches in Discord’s databases. These tokens are then validated via API calls, allowing the extraction of user details such as email addresses, multi-factor authentication (MFA) status, and subscription levels.
The malware also monitors password changes, intercepting updates to billing endpoints for payment processors like Stripe and Braintree. This enables the capture of credit card information, PayPal details, and Discord Nitro purchases.
Beyond Discord, the infostealer extends its reach to web browsers, including Chrome, Firefox, Edge, and niche browsers like Opera GX. It harvests cookies, saved passwords, browsing history, and credit card information. Additionally, it targets game files from platforms like Roblox and cryptocurrency wallets such as MetaMask, copying them in their entirety. Files with extensions like .txt, .sql, and .zip that contain keywords like passwords are also archived.
Specifically for Roblox, the malware uses the browser_cookie3 library to extract cookies, revealing account information through API queries. To maintain persistence on Windows systems, it places itself in startup folders. However, implementations on Linux and macOS are less effective without manual adjustments.
Evasion Techniques
To evade detection, the malware scans for sandbox indicators, such as usernames like sandbox or hardware IDs associated with analysis tools, and terminates itself if such indicators are found. It also modifies the hosts file to block access to security vendors and generates numerous junk files and processes to hinder forensic analysis.
Data Exfiltration Methods
The exfiltration process is notably sophisticated. Stolen data is compressed into zip files and uploaded to anonymous GoFile storage. Attackers receive links to these files via Discord webhooks, which also include the victim’s IP address and geolocation data.
Furthermore, RedTiger employs the OpenCV and Pillow libraries to capture webcam snapshots and screenshots, enhancing its espionage capabilities.
Recommendations for Users
Netskope identifies this threat as Win64.Trojan.RedTiger and advises gamers to thoroughly scan downloads and enable two-factor authentication to protect their accounts. As infostealers continue to evolve, experts anticipate the emergence of more sophisticated variants. Rayudu Venkateswara Reddy of Netskope emphasizes that the sharing of files and reliance on platforms like Discord make gamers particularly vulnerable. He recommends that victims monitor their accounts closely and utilize antivirus solutions with behavioral detection features to stay protected.
