Netskope Threat Labs has discovered a rapidly spreading Python-based infostealer dubbed RedTiger, which is being repurposed from an open-source red-teaming tool to steal credentials, payment data, and digital assets from gamers. The malware, released publicly in 2024, has already been weaponized by multiple threat actors to target Discord users, Roblox accounts, and cryptocurrency wallets.
According to Netskope researchers, “RedTiger is a relatively new, open-source, Python-based red teaming tool that bundles various security and penetration testing tools, including network scanning, OSINT tools, phishing-related toolkits, an infostealer, and Discord-related tools.” However, attackers are now exploiting its infostealer component for criminal purposes.
The report compares this trend to the history of Cobalt Strike abuse, noting that “as is often the case with red-team tools, attackers usually adopt them and use them for malicious purposes.”
Netskope observed multiple RedTiger payloads circulating in the wild, particularly targeting gamers and French-speaking users through compiled executables distributed under gaming-related filenames.
The campaign’s primary victims are Discord users and gamers, as reflected in the malware’s design and sample filenames. “Based on filenames and display messages, the attackers are targeting gamers, with some samples targeting French-speaking users,” the researchers explained.
Once executed, the infostealer injects custom JavaScript into the Discord client to intercept user activity and capture tokens, payment data, and authentication updates.
“The RedTiger infostealer targets various types of sensitive information, with a primary focus on Discord accounts. It injects custom JavaScript into the Discord client to intercept events,” Netskope stated.
Changing a password after infection does not help on its own: the hook lives inside the Discord client, so the new credentials and any MFA change travel through the same intercepted calls. The malware “intercepts API calls to Discord, Braintree, and Stripe and inspects the data sent for event-specific keywords to selectively capture traffic,” including login activity, MFA tokens, and billing modifications.
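One check a defender can run against the injection described above, as an added example that is not code from the Netskope report or the RedTiger project: the Discord desktop client's `discord_desktop_core` module has a one-line `index.js` entry point that only loads `core.asar`, and client-side injections of this kind work by appending their hook to that file. The expected contents, the install-path pattern under `%APPDATA%`, the indicator regexes, and the tampered sample are all assumptions made for the example; `report` in the sample is a placeholder, not a real function.

```python
import glob
import os
import re

# Untouched index.js of the discord_desktop_core module (assumed; verify against a fresh install).
EXPECTED_CORE_INDEX = "module.exports = require('./core.asar');"

# Constructed tampered file for the demo. It is not a RedTiger sample, and the
# `report` function it calls does not exist anywhere.
CONSTRUCTED_TAMPERED = """\
const WEBHOOK = "https://discord.com/api/webhooks/000000000000000000/constructedToken";
const _open = XMLHttpRequest.prototype.open;
XMLHttpRequest.prototype.open = function (method, url) {
  if (/braintree|stripe|login|mfa|token/i.test(url)) report(WEBHOOK, url);
  return _open.apply(this, arguments);
};
module.exports = require('./core.asar');
"""

# Assumed indicator set; tune it to what the sample in hand actually does.
INDICATORS = {
    "webhook_url": re.compile(r"discord(?:app)?\.com/api/webhooks/\d+/", re.I),
    "payment_keywords": re.compile(r"\b(braintree|stripe)\b", re.I),
    "request_hook": re.compile(r"XMLHttpRequest\.prototype\.(open|send)|\bfetch\b\s*=", re.I),
    "token_keyword": re.compile(r"\btoken\b", re.I),
}


def check_core_index(content):
    """Compare a discord_desktop_core index.js against the expected one-liner and, when it
    differs, report which injection indicators are present and how much was added."""
    if content.strip() == EXPECTED_CORE_INDEX:
        return {"clean": True, "indicators": [], "extra_bytes": 0}
    return {
        "clean": False,
        "indicators": [name for name, rx in INDICATORS.items() if rx.search(content)],
        "extra_bytes": max(0, len(content) - len(EXPECTED_CORE_INDEX)),
    }


def core_index_paths(appdata=None):
    """Locate index.js under %APPDATA%\\discord*\\<build>\\modules\\discord_desktop_core-*\\
    (assumed layout; the discord* glob also covers the Canary and PTB builds)."""
    appdata = appdata or os.environ.get("APPDATA")
    if not appdata:
        return []
    pattern = os.path.join(appdata, "discord*", "*", "modules", "discord_desktop_core-*",
                           "discord_desktop_core", "index.js")
    return sorted(glob.glob(pattern))


def scan_installed(appdata=None):
    """Check every discovered index.js and return {path: verdict}."""
    results = {}
    for path in core_index_paths(appdata):
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[path] = check_core_index(fh.read())
    return results


if __name__ == "__main__":
    for path, verdict in scan_installed().items():
        print(path, verdict)
```

A clean install returns an empty indicator list and zero extra bytes; anything else deserves a look at the file, because legitimate client updates rewrite the whole module directory rather than editing this one file in place.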
Netskope detailed that RedTiger employs a two-stage exfiltration process designed for anonymity and efficiency.
First, the malware archives all stolen data and uploads it to GoFile, a cloud storage service that allows file uploads without an account. Then, the generated download link is sent to the attacker through a Discord webhook.
The report explains: “Archived stolen files are first uploaded to GoFile cloud storage, then the download link is sent to the attacker via a Discord webhook. Additionally, it also sends victim details such as IP address, country, and hostname to identify the source of the stolen data.”
This cloud-based chain lets attackers retrieve stolen data without standing up any infrastructure of their own, and because GoFile and Discord are legitimate services the exfiltration blends into ordinary traffic, which complicates attribution and takedown. It is not free of handles for the defender, though: the webhook URL has to be embedded in the sample, so it can be extracted and reported to Discord, and a GoFile upload followed within seconds by a POST to discord.com/api/webhooks/ from the same host is a usable detection signal in proxy logs.
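The two-stage sequence described above, turned into a detection that runs over proxy log lines, as an added example that is not code from the Netskope report: it pairs a GoFile upload with a later Discord webhook POST from the same client inside a short window, and deliberately does not alert on a webhook POST by itself, since legitimate integrations use webhooks too. The log format, the sample lines, the exact GoFile upload hostnames and the ten-minute window are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample proxy log (not from the Netskope report), one request per line:
# "<UTC time> <client IP> <method> <host> <path> <bytes sent>".
SAMPLE_LOG = """\
2025-10-20T14:02:11Z 10.0.0.23 GET www.roblox.com /mobileapi/userinfo 512
2025-10-20T14:02:40Z 10.0.0.23 POST store1.gofile.io /uploadFile 4587123
2025-10-20T14:02:44Z 10.0.0.23 POST discord.com /api/webhooks/123456789012345678/aBcDeFgHiJkLmNoPqRsTuVwXyZ 1931
2025-10-20T14:05:02Z 10.0.0.41 POST discord.com /api/webhooks/987654321098765432/zYxWvUtSrQpOnMlKjIhGfEdCbA 220
2025-10-20T15:11:09Z 10.0.0.57 POST store3.gofile.io /uploadFile 812000
2025-10-20T16:30:00Z 10.0.0.57 POST discord.com /api/webhooks/111111111111111111/constructedToken 900
"""

# Discord webhook URLs have the form /api/webhooks/<snowflake id>/<token>. The token is a
# secret, so only the id is carried into the alert.
WEBHOOK_RE = re.compile(r"^/api/webhooks/(\d+)/[A-Za-z0-9_-]+")
# Upload hosts are assumed to be *.gofile.io with an upload path; the exact endpoint varies.
GOFILE_HOST_RE = re.compile(r"(^|\.)gofile\.io$", re.IGNORECASE)


def parse_line(line):
    ts, client, method, host, path, size = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "method": method.upper(), "host": host.lower(), "path": path, "bytes": int(size)}


def is_gofile_upload(ev):
    return (ev["method"] == "POST" and bool(GOFILE_HOST_RE.search(ev["host"]))
            and "upload" in ev["path"].lower())


def is_discord_webhook(ev):
    return (ev["method"] == "POST" and ev["host"] in ("discord.com", "discordapp.com")
            and bool(WEBHOOK_RE.match(ev["path"])))


def find_exfil_chains(log_text, window_minutes=10):
    """Return one hit per client whose Discord webhook POST follows a GoFile upload from the
    same client within window_minutes. Events are processed in time order so that only
    uploads that precede the webhook call are considered."""
    window = timedelta(minutes=window_minutes)
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    uploads_seen = {}  # client -> upload events seen so far
    hits = []
    for ev in events:
        if is_gofile_upload(ev):
            uploads_seen.setdefault(ev["client"], []).append(ev)
        elif is_discord_webhook(ev):
            for up in uploads_seen.get(ev["client"], []):
                if ev["ts"] - up["ts"] <= window:
                    hits.append({"client": ev["client"],
                                 "upload_ts": up["ts"].isoformat(),
                                 "archive_bytes": up["bytes"],
                                 "webhook_ts": ev["ts"].isoformat(),
                                 "webhook_id": WEBHOOK_RE.match(ev["path"]).group(1)})
                    break
    return hits


if __name__ == "__main__":
    for hit in find_exfil_chains(SAMPLE_LOG):
        print(hit)
```

On the constructed log only 10.0.0.23 fires with the default window: 10.0.0.41 sends a webhook with no upload, and 10.0.0.57's upload and webhook are over an hour apart. The archive size in the hit is worth keeping, since a multi-megabyte upload right before the webhook is consistent with the zipped browser and wallet data the report describes.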
RedTiger supports Windows, Linux, and macOS, though its persistence mechanisms are more complete on Windows.
“On Windows, it adds the payload to the startup folder to run at login,” Netskope explained. “Persistence on Linux and Darwin is incomplete,” with missing .desktop and .plist files preventing full automation.
This suggests that while the malware is nominally cross-platform, its creators built it primarily for Windows gaming machines, which is where the Discord desktop client and the Roblox player it goes after are typically installed.
To hinder forensics and overwhelm system resources, RedTiger spawns hundreds of files and processes simultaneously.
“The infostealer creates 100 files with random file extensions from a predefined list. It writes random alphanumeric strings into each file,” the researchers wrote. “For process spamming, the infostealer launches 100 threads… resulting in 400 total processes being launched simultaneously across the system.”
This tactic not only disrupts the user’s computer but also buries malicious activity in noise, complicating post-infection analysis.
RedTiger employs multiple anti-analysis measures to avoid detection in sandbox environments. It terminates execution if it detects usernames, hostnames, or hardware IDs linked to virtual machines or malware labs.
Netskope noted, “The infostealer’s defense evasion features terminate its process if it detects usernames, hostnames, or hardware IDs from a predefined list typically associated with sandbox environments.”
It also edits the system’s hosts file so that the domains of certain security vendors resolve to an unreachable address, which stops the victim from fetching antivirus updates or reaching online threat-analysis sites. Because hosts-file entries override DNS for every browser and updater on the machine, an unexpected mapping of a vendor domain to 127.0.0.1 or 0.0.0.0 is a quick tampering check worth adding to triage.
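That tampering check, written out as an added example that is not code from the Netskope report or the RedTiger project: a small hosts-file parser that flags any watchlisted domain mapped to a loopback or unspecified address. The sample hosts content and the vendor watchlist are assumptions constructed for the example; the malware's own block list is not reproduced here.

```python
import ipaddress
import os
import sys

# Constructed hosts-file content for the demo (modelled on the technique, not copied from a sample).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 virustotal.com
0.0.0.0 www.virustotal.com
127.0.0.1 avast.com  # added
127.0.0.1 intranet.corp.example
"""

# Assumed watchlist of vendor and analysis domains; extend it for your own environment.
WATCHLIST = ("virustotal.com", "avast.com", "malwarebytes.com", "kaspersky.com",
             "bitdefender.com", "hybrid-analysis.com", "any.run", "joesandbox.com")


def system_hosts_path():
    """Location of the hosts file on Windows and on Unix-like systems."""
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Yield (line number, ip address, hostname) for every mapping, skipping comments and junk."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for name in fields[1:]:
            yield lineno, addr, name.lower().rstrip(".")


def is_sinkhole(addr):
    # Mapping a name to loopback or the unspecified address makes it unreachable.
    return addr.is_loopback or addr.is_unspecified


def on_watchlist(name, watchlist):
    return any(name == d or name.endswith("." + d) for d in watchlist)


def find_blocked_vendors(text, watchlist=WATCHLIST):
    """Return [(line, address, hostname)] for watchlisted names sinkholed in the hosts file."""
    return [(lineno, str(addr), name) for lineno, addr, name in parse_hosts(text)
            if is_sinkhole(addr) and on_watchlist(name, watchlist)]


if __name__ == "__main__":
    path = system_hosts_path()
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, addr, name in find_blocked_vendors(fh.read()):
            print(f"{path}:{lineno}: {name} -> {addr}")
```

The localhost lines are not reported because they are not on the watchlist, and the intranet entry is ignored for the same reason; subdomains of a watchlisted domain are matched so that www.virustotal.com is caught alongside the bare domain.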
RedTiger’s modular design allows it to target a wide range of data sources simultaneously:
- Discord tokens and payment data: Captures login credentials, MFA settings, and billing details.
- Gaming accounts: Extracts Roblox session tokens and user info via /mobileapi/userinfo API calls.
- Cryptocurrency wallets: Copies files from wallet directories such as Exodus, Atomic, and Coinomi.
- Browser-stored credentials: Steals passwords, cookies, browsing history, and saved credit cards from Chrome, Brave, Opera GX, Vivaldi, and Firefox.
As the report explains, “The RedTiger infostealer targets cryptocurrency wallets and game-related applications… In addition to targeting other game-related applications, the infostealer has a separate function to steal Roblox account information stored in the browser.”
Additionally, RedTiger captures screenshots and webcam images, storing them in the same archive before exfiltration.