
RedTiger Infostealer: How a Red Team Tool Became a Gamer Targeting Malware

  • Writer: Akshay Jain
  • Nov 17
  • 3 min read

Security researchers have observed a wave of attacks that repurpose RedTiger - an open source, Python based red teaming toolkit into a compiled infostealer targeting gamers and Discord users. Actors distribute binaries (masquerading as game mods, cheats, or utilities), which harvest Discord tokens, browser stored credentials and payment info, cryptocurrency wallet files, game account artifacts, screenshots, webcam captures, and more. Stolen archives are uploaded to cloud file services (notably GoFile) and exfiltration is signaled to operators via Discord webhooks.


Why this matters

  • High-impact targets: gamers often hold Discord accounts tied to communities, stored payment information, and NFT or cryptocurrency holdings.

  • Tool provenance: because RedTiger is open source and modular, new variants can be built quickly and adopted by low-skill operators.

  • Stealth and reach: the binaries are compiled and obfuscated, and exfiltration through legitimate cloud services lowers the chance of immediate detection.


Redtiger Infostealer

How the RedTiger infostealer works

  1. Build & distribution

    1. RedTiger is a Python toolset hosted on GitHub. Threat actors modify or reuse its infostealer modules, then package the offensive code with PyInstaller into Windows executables (.exe) for broad distribution.

    2. The binaries are named as game mods, cheats, or "boosters" and shared through Discord channels, torrent sites, forums, or direct messages. Some samples include French-language UI text and warnings, which points to the users being targeted.

  2. Triaging & persistence

    1. Samples often implement anti-analysis checks (VM detection, process enumeration) and spawn multiple decoy processes to frustrate analysts.

  3. Data collection modules

    1. RedTiger is modular. Common capabilities observed in the wild include:

      1. Discord token theft: locating and exfiltrating tokens from Local Storage and leveldb files, and injecting JavaScript into the Discord app context to capture events.

      2. Browser credential harvesting: extracting cookies, saved passwords, autofill data and payment information from Chromium-based browsers and Firefox profiles.

      3. Crypto wallet targeting: copying wallet directories (e.g. MetaMask extension files, local wallet JSON files) and attempting to detect desktop wallet applications.

      4. Game account & config collection: reading game folders (Roblox, Steam caches, config files).

      5. System capture: screenshots, webcam snapshots (where a camera is available), system information and installed-software manifests.

  4. Exfiltration & C2

    1. Stolen data is archived (ZIP/7z) and uploaded to a cloud storage provider such as GoFile; the download URL is then sent to the attacker through a Discord webhook or a similar channel. This pattern makes detection harder because the traffic blends in with legitimate cloud usage and Discord API calls.


Indicators of compromise (IoCs)

  • Filenames and versions observed in public reports (hunt for recently dropped, suspicious EXE names that imitate game mods).

  • GoFile upload traffic originating from endpoints that have just created archives.

  • Discord webhook POSTs from unusual hosts or times.

  • Unusual processes initiating screenshot or webcam activity (nircmd or ffmpeg invoked by an unfamiliar parent process).
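As an added example (not code from the original post or from the RedTiger project), the following Python turns the exfiltration chain and the IoC heuristics above into detection logic run over constructed proxy and process-creation log lines. The log formats, the sample process names and the allow-list of parents expected to launch capture tools are assumptions; the Discord webhook URL shape and the gofile.io domain are real.

```python
from __future__ import annotations
import re
from collections import defaultdict

# Exfil pattern from the post: GoFile upload, then a Discord webhook POST with the link.
# Alerts are (rule, process, detail) tuples.
WEBHOOK_PATH = re.compile(r"^/api/webhooks/\d+/[\w-]+", re.I)
DISCORD_HOSTS = {"discord.com", "discordapp.com"}
GOFILE_HOST = re.compile(r"(^|\.)gofile\.io$", re.I)
# Capture tools from the IoC list; assumed allow-list of parents that may launch them.
CAPTURE_TOOLS = {"nircmd.exe", "ffmpeg.exe"}
EXPECTED_PARENTS = {"obs64.exe", "explorer.exe"}

# Constructed sample telemetry for the demo, not real logs.
HTTP_LOG = """10:01:02 chrome.exe GET discord.com /api/v9/users/@me
10:02:15 GameBooster.exe PUT store3.gofile.io /contents/uploadfile
10:02:17 GameBooster.exe POST discord.com /api/webhooks/123456789012345678/aBc-DeF_123"""
PROC_LOG = r"""C:\Program Files\obs-studio\bin\64bit\obs64.exe -> C:\Tools\ffmpeg.exe
C:\Users\u\Downloads\GameBooster.exe -> C:\Windows\Temp\nircmd.exe"""

def check_http(line: str) -> tuple | None:
    """Proxy line (constructed format): '<time> <process> <method> <host> <path>'."""
    parts = line.split()
    if len(parts) != 5:
        return None  # malformed line, skip
    _, proc, method, host, path = parts
    if host.lower() in DISCORD_HOSTS and method == "POST" and WEBHOOK_PATH.match(path):
        return ("discord_webhook_post", proc.lower(), host + path)
    if GOFILE_HOST.search(host) and method in {"POST", "PUT"}:
        return ("gofile_upload", proc.lower(), f"{method} {host}{path}")
    return None

def check_process(line: str) -> tuple | None:
    """Process-creation line (constructed format): '<parent_image> -> <child_image>'."""
    parent, sep, child = line.partition(" -> ")
    if not sep:
        return None
    pbase, cbase = (p.rsplit("\\", 1)[-1].lower() for p in (parent, child))
    if cbase in CAPTURE_TOOLS and pbase not in EXPECTED_PARENTS:
        return ("capture_tool_unexpected_parent", pbase, f"{pbase} -> {cbase}")
    return None

def scan(http_log: str = HTTP_LOG, proc_log: str = PROC_LOG) -> list[tuple]:
    """Run both checks, then raise 'exfil_chain' for any process seen doing both steps."""
    alerts = [a for a in map(check_http, http_log.splitlines()) if a]
    alerts += [a for a in map(check_process, proc_log.splitlines()) if a]
    rules = defaultdict(set)
    for rule, proc, _ in alerts:
        rules[proc].add(rule)
    alerts += [("exfil_chain", p, "GoFile upload + Discord webhook POST")
               for p, r in rules.items() if {"gofile_upload", "discord_webhook_post"} <= r]
    return alerts
```

The per-process correlation is what separates this campaign's pattern from a single benign GoFile upload or a legitimate webhook integration, so tune the allow-lists before treating any one rule alone as high confidence.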


Mitigation & prevention

  • User education: don't run unknown .exe files or game mods from untrusted sources. Verify installers via official channels.

  • Application control and allow-listing: restrict execution of unknown binaries (AppLocker, Windows Defender Application Control).

  • Browser hardening: deploy credential managers that do not leave plaintext secrets on disk, and use browser isolation for untrusted downloads.

  • Limit stored secrets: discourage storing payment info and keys in browsers. Use hardware wallets for crypto.


RedTiger's evolution from a red-team toolkit into an actively abused infostealer underlines a continuing reality: open-source tools accelerate criminal capabilities. The campaign's targeting of gamers and Discord users shows how attackers prioritize high-value, easily monetizable credentials (Discord tokens, crypto wallets, game accounts). Defenders should combine user education, application control, and telemetry-driven detection to reduce exposure, and should treat any PyInstaller binary or unknown game mod as suspect.


Happy cyber-exploration! 🚀🔒


Note: Feel free to drop your thoughts in the comments below - whether it's feedback, a topic you'd love to see covered, or just to say hi! Don’t forget to join the forum for more engaging discussions and stay updated with the latest blog posts. Let’s keep the conversation going and make cybersecurity a community effort!


-AJ

