A new cyber threat is sweeping through the gaming community — hackers have turned a legitimate cybersecurity testing tool into malware that steals Discord accounts, passwords, and crypto wallets.
Security researchers at Netskope have discovered that RedTiger, a new, open-source, Python-based red teaming tool released in 2024, has been weaponized into a powerful infostealer.
Originally built to simulate cyberattacks for training and security audits, RedTiger’s code has now been repackaged into malware — one capable of compromising gaming accounts, cryptocurrency wallets, browser data, and even webcam footage.
“As is often the case with red team tools, attackers usually adopt them and use them for malicious purposes,” wrote the researchers in a blog post.
From Testing Tool To Theft Engine
Like other powerful legitimate security frameworks — such as Cobalt Strike or Metasploit — attackers quickly seized on RedTiger’s open-source availability and weaponized it. Its infostealer component, once intended for controlled experiments, has been compiled into a standalone malware executable using PyInstaller.
Researchers have already found samples disguised under game-related downloads, often containing warning messages in French — hinting that French-speaking gamers are among the first to be hit.
After stealing data, RedTiger uploads everything to GoFile, a cloud service that allows anonymous uploads, and then the download link is sent secretly to the attacker via a Discord webhook, along with details like the victim’s IP address, system name, and location. This approach allows hackers to remain hidden while retrieving stolen data through channels that security tools rarely monitor.
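As an added illustration (not code from the article or from RedTiger), the Python sketch below turns the exfiltration sequence just described into a detection rule run over constructed proxy-log lines: a GoFile upload from a host followed shortly by a Discord webhook POST from the same host. The log format, hostnames and URL paths are assumptions; only the service domains and the `/api/webhooks/` path prefix are real.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log, "<ISO time> <host> <method> <url>". Not from the article
# or from RedTiger; hostnames and URL paths are placeholders shaped like the real services.
SAMPLE_LOG = """\
2025-10-20T10:00:01Z ws-gamer-01 POST https://store-example.gofile.io/upload
2025-10-20T10:00:04Z ws-gamer-01 POST https://discord.com/api/webhooks/000/PLACEHOLDER
2025-10-20T11:00:00Z ws-ci-03 POST https://discord.com/api/webhooks/111/PLACEHOLDER
2025-10-20T12:00:00Z ws-gamer-04 POST https://store-example.gofile.io/upload
2025-10-20T13:30:00Z ws-gamer-04 POST https://discord.com/api/webhooks/222/PLACEHOLDER
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_line(line):
    # Returns (time, host, METHOD, url_host, url_path), or None if the line does not fit the format.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, method, url = m.groups()
    u = urlparse(url)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, method.upper(), u.hostname or "", u.path

def is_gofile_upload(method, url_host):
    return method == "POST" and (url_host == "gofile.io" or url_host.endswith(".gofile.io"))

def is_discord_webhook(method, url_host, path):
    # Webhook POSTs are also made by legitimate bots, so alone they are only a weak signal.
    return method == "POST" and url_host in ("discord.com", "discordapp.com") and path.startswith("/api/webhooks/")

def find_exfil_pairs(log_text, window_seconds=300):
    """(host, upload_time, webhook_time) for each Discord webhook POST that follows a
    GoFile upload from the same host within window_seconds: the sequence the article describes."""
    window = timedelta(seconds=window_seconds)
    last_upload = {}  # host -> time of its most recent GoFile upload
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        when, host, method, url_host, path = rec
        if is_gofile_upload(method, url_host):
            last_upload[host] = when
        elif is_discord_webhook(method, url_host, path):
            seen = last_upload.get(host)
            if seen is not None and timedelta(0) <= when - seen <= window:
                hits.append((host, seen, when))
    return hits
```

With the default five-minute window only ws-gamer-01 is flagged; ws-ci-03 shows a webhook POST with no preceding upload, and ws-gamer-04's two events are 90 minutes apart.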
How RedTiger Steals Your Data
RedTiger’s main goal is simple: steal Discord accounts. Once installed, it can secretly collect your Discord login tokens and passwords; browser-stored information such as saved passwords, cookies, and credit card details; crypto wallet data and related files; gaming accounts (like Roblox); and screenshots and even webcam images, taken without user consent.
Further, even if a user changes their password or email, RedTiger keeps monitoring and sends the updated credentials straight to the attacker.
The malware also floods victims’ systems with fake files and processes, a tactic known as “spamming,” which makes it harder for users or antivirus software to detect.
Built-In Evasion And Persistence
RedTiger is also equipped with defense evasion features that terminate its process if it detects a username, hostname, or hardware ID from a predefined list associated with sandbox environments. On Windows, it can establish persistence by automatically launching at system start-up, while Linux and macOS persistence modules appear to be in development.
The Bigger Picture
Gamers are the ideal targets because they often download mods, “boosters,” and cracked software from unverified sources, creating the perfect infection path for malware like RedTiger. But cybersecurity experts warn that this tool could easily be upgraded to target businesses and organizations in the future.
How To Protect Yourself
If you think you may have been affected:
- Delete and reinstall Discord from the official site and revoke all active tokens.
- Change all passwords and enable two-factor authentication (2FA) on every account.
- Avoid downloading game tools, mods, or hacks from unverified sources or random Discord links.
- Regularly scan your system using trusted antivirus software.
