RedTiger: Emerging Infostealer Targeting Gamers
Recent analysis reveals that gamers are increasingly targeted by infostealers. The latest insights focus on RedTiger, a red teaming tool whose infostealer component is behind various payloads circulating in the wild. This update highlights RedTiger's capabilities, particularly its focus on capturing sensitive data from gamers.
Infostealer Overview
RedTiger is an open-source, Python-based tool that bundles various security-related functionalities, including network scanning and phishing toolkits, alongside its infostealer component. The infostealer aims to capture Discord account details, browser-stored data, and more, utilizing methods such as JavaScript injection within the Discord client.
Key Findings
- RedTiger is actively distributing infostealer payloads, indicating an evident targeting of gamers.
- The tool exfiltrates data in a two-stage process, first uploading to GoFile cloud storage and then notifying attackers via Discord webhook.
- Indicators suggest that some samples are particularly aimed at French-speaking users.
Distribution and Targeting
Samples of RedTiger are compiled binaries, primarily targeting gamers, as indicated by various filenames and included messages. The malware captures critical gaming-related information and data associated with Discord.
Exfiltration Methods
The infostealer uploads data archives to GoFile and then sends the resulting download link to the attackers through a Discord webhook. Because the stolen archive never travels to attacker-controlled infrastructure directly, this method helps the operators stay anonymous; from a defender's point of view, the observable network artefacts are the GoFile upload followed shortly by the webhook call.
Auto-Start Capabilities
On Windows, the infostealer can establish persistence by placing its payload in the Startup folder. On Linux and macOS, additional files are needed to achieve the same effect.
Defense Evasion Techniques
RedTiger incorporates defenses against detection, aborting execution when it identifies environmental markers typically associated with sandboxes.
Targeted Data Overview
The infostealer targets a range of sensitive data, including Discord tokens, banking information, and user credentials, capturing it through modified application files such as the JavaScript injected into the Discord client noted above.
Webcam and Screen Capture
The tool can also capture images from the webcam and take screenshots of the desktop, storing these within the data compiled for exfiltration.
Conclusions
RedTiger has emerged as a notable infostealer within gaming communities, targeting user credentials and sensitive information on platforms like Discord and Roblox. Netskope Threat Labs will continue to monitor the development of threats like RedTiger to offer timely updates.
Indicators of Compromise
A comprehensive list of IOCs related to RedTiger can be found in our GitHub repository.