RedTiger infostealer targeting gamers and Discord accounts detected
The recent blog post summarized here describes the emergence of RedTiger, an open-source infostealer whose in-the-wild samples target gamers, and in particular their Discord accounts. It is one more instance of a growing trend of malware aimed at gaming communities, which IT and security teams should keep on their radar.
Overview
RedTiger is an open-source toolkit, first released in 2024, that bundles a range of security and penetration-testing functions. It has gained traction among attackers chiefly for its infostealer module, which is built to steal sensitive data from Discord users.
Core Insights
- RedTiger payloads have been observed in active use against gamers, particularly in French-speaking regions.
- The malware exfiltrates data in two steps: it uploads the stolen data to the GoFile cloud-storage service, then sends the resulting download link to the attacker through a Discord webhook.
- The lures and the data targeted are aimed squarely at gamers, making this demographic the group most at risk.
Distribution of RedTiger
RedTiger samples found in the wild are Python payloads packaged into standalone executables with PyInstaller. Their filenames are chosen to look like gaming-related software, which points to gamers as the intended victims.
RedTiger's modular design lets an attacker pick which features to enable; the observed samples focus on Discord account information, browser-stored credentials, and cryptocurrency wallet data.
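The following triage script is an added example; it is not code from the post or from RedTiger. It applies the first check a responder would run on a suspicious download: look for PyInstaller's CArchive trailer cookie and bootloader strings in the file, and separately score the filename against gaming-lure keywords. The magic bytes are PyInstaller's own archive cookie; the keyword list, the sample byte strings and the function names are constructed for this example.

```python
"""Triage helper: is this executable a PyInstaller bundle, and does its name
look like a gaming lure?  Added example, not code from the post or RedTiger."""
import os
import sys

# PyInstaller appends a CArchive whose trailer ("cookie") starts with these
# magic bytes; its bootloader also carries a few recognisable strings.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
PYINSTALLER_STRINGS = (b"_MEIPASS", b"pyi-runtime-tmpdir", b"PYZ-00.pyz")

# Lure keywords mirroring the gaming-themed filenames described in the post
# (constructed list; extend it with what your own telemetry shows).
LURE_KEYWORDS = ("cheat", "hack", "aimbot", "spoofer", "crack", "nitro", "mod menu")


def scan_bytes(data: bytes) -> dict:
    """Return the PyInstaller indicators found in raw file contents."""
    magic_offset = data.rfind(PYINSTALLER_MAGIC)
    strings = [s.decode() for s in PYINSTALLER_STRINGS if s in data]
    return {
        "pyinstaller": magic_offset != -1 or bool(strings),
        "magic_offset": magic_offset,
        "strings": strings,
    }


def lure_keywords(filename: str) -> list:
    """Return the gaming-lure keywords present in the file name."""
    name = os.path.basename(filename).lower()
    return [k for k in LURE_KEYWORDS if k in name]


def triage(filename: str, data: bytes) -> dict:
    """Combine both signals into one verdict for a file.  PyInstaller alone is
    not malicious (many benign tools ship that way); the lure name alone is
    just a name.  Together they justify a closer look."""
    verdict = scan_bytes(data)
    verdict["lure_keywords"] = lure_keywords(filename)
    verdict["suspicious"] = verdict["pyinstaller"] and bool(verdict["lure_keywords"])
    return verdict


def triage_path(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage(path, fh.read())


# Constructed samples: a minimal "packed" blob and a plain one.
SAMPLE_PACKED = (b"MZ" + b"\x00" * 64 + b"_MEIPASS\x00" + b"\x00" * 32
                 + PYINSTALLER_MAGIC + b"\x00" * 80)
SAMPLE_PLAIN = b"MZ" + b"\x00" * 200

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(path, triage_path(path))
    else:
        print(triage("Fortnite-aimbot-setup.exe", SAMPLE_PACKED))
        print(triage("notes.exe", SAMPLE_PLAIN))
```

Run it with one or more file paths to triage real downloads; with no arguments it runs against the two constructed samples. Treat a hit as a reason to detonate or reverse the file, not as a verdict on its own.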
Maintaining Presence
The infostealer includes persistence logic for Windows, Linux, and macOS so that it is launched again at system startup. On Windows this works out of the box, whereas on Linux and macOS additional setup is required.
Data Exfiltration Methods
Exfiltration happens in two phases: the stolen data is first archived and uploaded to GoFile, and the resulting download link is then relayed to the attackers through a Discord webhook. For defenders this means the upload and the webhook call come from the same victim host, one after the other, which is the pattern to look for in proxy or DNS telemetry.
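The detection below is an added example, not code from the post or from RedTiger. It correlates the two stages in web-proxy logs: for each client, a POST to a gofile.io upload host followed within a time window by a POST to a Discord webhook URL. The log line format, the sample lines and the window length are constructed for the example; the URL shapes (subdomains of gofile.io, and discord.com/api/webhooks/<id>/<token>) are the public endpoints of those services.

```python
"""Correlate GoFile uploads with Discord webhook posts, per client, in proxy logs.

Added example, not code from the post or from RedTiger.  Log line format is
constructed for the example:
    <ISO-8601 timestamp> <client ip> <method> <url> <bytes sent>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")
# GoFile upload servers are subdomains of gofile.io (e.g. store1.gofile.io).
GOFILE_RE = re.compile(r"^https?://(?:[a-z0-9-]+\.)*gofile\.io/", re.I)
# Discord webhooks are POSTed to /api/webhooks/<id>/<token>; older clients
# may still use the discordapp.com host.
WEBHOOK_RE = re.compile(
    r"^https?://(?:[a-z0-9-]+\.)*discord(?:app)?\.com/api/(?:v\d+/)?webhooks/\d+/",
    re.I,
)

# Constructed sample: one real chain (10.0.0.17), a webhook with no upload
# (10.0.0.23) and an upload whose webhook arrives an hour later (10.0.0.42).
SAMPLE_LOG = """\
2025-10-20T14:01:02Z 10.0.0.17 POST https://store1.gofile.io/uploadFile 4194304
2025-10-20T14:01:09Z 10.0.0.17 POST https://discord.com/api/webhooks/1234567890/AbCdEfGh 612
2025-10-20T14:05:00Z 10.0.0.23 GET https://discord.com/api/v9/users/@me 0
2025-10-20T15:30:00Z 10.0.0.23 POST https://discord.com/api/webhooks/111/xyz 300
2025-10-20T16:00:00Z 10.0.0.42 POST https://store3.gofile.io/uploadFile 9000000
2025-10-20T17:00:00Z 10.0.0.42 POST https://discord.com/api/webhooks/222/abc 200
"""


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, size = m.groups()
        yield {
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "method": method.upper(),
            "url": url,
            "bytes": int(size),
        }


def _is_upload(ev):
    return ev["method"] == "POST" and GOFILE_RE.match(ev["url"]) is not None


def _is_webhook(ev):
    return ev["method"] == "POST" and WEBHOOK_RE.match(ev["url"]) is not None


def find_exfil_chains(text, window_seconds=600):
    """Return (GoFile upload -> Discord webhook) pairs from the same client
    where the webhook POST follows the upload within window_seconds."""
    window = timedelta(seconds=window_seconds)
    by_client = defaultdict(list)
    for ev in parse_log(text):
        by_client[ev["client"]].append(ev)
    chains = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        hooks = [e for e in events if _is_webhook(e)]
        for up in (e for e in events if _is_upload(e)):
            for hook in hooks:
                if up["ts"] <= hook["ts"] <= up["ts"] + window:
                    chains.append({
                        "client": client,
                        "upload_ts": up["ts"].isoformat(),
                        "webhook_ts": hook["ts"].isoformat(),
                        "uploaded_bytes": up["bytes"],
                        "webhook_url": hook["url"],
                    })
                    break  # the first webhook after the upload is the link handoff
    return chains


def lone_webhook_posts(text, window_seconds=600):
    """Webhook POSTs that are not part of a chain: a weaker, noisier signal,
    since legitimate bots and CI jobs also post to Discord webhooks."""
    chained = {(c["client"], c["webhook_ts"]) for c in find_exfil_chains(text, window_seconds)}
    return [
        e for e in parse_log(text)
        if _is_webhook(e) and (e["client"], e["ts"].isoformat()) not in chained
    ]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for chain in find_exfil_chains(text):
        print("EXFIL CHAIN", chain)
    for ev in lone_webhook_posts(text):
        print("webhook only", ev["client"], ev["ts"], ev["url"])
```

The window is the tunable: too short misses a stealer that stalls between stages, too long pairs unrelated events. Point the script at an exported log to use your own format, adjusting LINE_RE to match; the chained pair is the high-confidence alert, while lone webhook posts belong on a watch list rather than in the alert queue.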
Evasion Tactics
RedTiger's defense-evasion techniques include terminating processes when it recognizes signatures associated with host-based intrusion detection systems (HIDS), and modifying Domain Name System (DNS) entries so that the victim can no longer reach security vendors' websites. A host that suddenly cannot reach vendor sites is therefore worth checking at the name-resolution layer.
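The audit script below is an added example, not code from the post or from RedTiger. The post says RedTiger alters DNS resolution to keep victims off vendor sites but does not name the mechanism; overriding names in the local hosts file is one common way to do that, and it is the mechanism assumed here. The vendor domain list, the sample hosts content and the function names are constructed for the example.

```python
"""Audit a hosts file for entries that sinkhole or redirect security-vendor names.

Added example, not code from the post or from RedTiger.  The post says RedTiger
alters DNS resolution so victims cannot reach vendor sites; overriding names in
the local hosts file is one common way to do that, and it is the mechanism
assumed here.  The vendor list and the sample hosts content are constructed.
"""
import ipaddress
import os
import sys

VENDOR_DOMAINS = (
    "virustotal.com", "malwarebytes.com", "kaspersky.com", "avast.com", "avg.com",
    "bitdefender.com", "eset.com", "mcafee.com", "norton.com", "sophos.com",
)

# Constructed sample: two sinkholed vendor names, one redirected to a
# documentation-range address, a benign internal entry and a garbage line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         www.virustotal.com
0.0.0.0         virustotal.com
127.0.0.1       www.malwarebytes.com   # added by installer
192.0.2.10      downloads.kaspersky.com
10.1.2.3        intranet.corp.example
not-an-ip       garbage.example
"""


def default_hosts_path():
    if os.name == "nt":
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def matches_vendor(hostname):
    """Return the vendor domain a hostname belongs to, or None."""
    host = hostname.lower().rstrip(".")
    for domain in VENDOR_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each entry, dropping comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        parts = entry.split()
        if len(parts) >= 2:
            yield line_no, parts[0], parts[1:]


def audit_hosts(text):
    """Flag vendor names mapped to loopback/unspecified addresses ("sinkholed"),
    vendor names mapped anywhere else ("redirected"), and unparsable lines."""
    findings = []
    for line_no, addr_text, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append({"line": line_no, "hostname": " ".join(names),
                             "ip": addr_text, "kind": "malformed", "vendor": None})
            continue
        for name in names:
            vendor = matches_vendor(name)
            if vendor is None:
                continue
            kind = "sinkholed" if (addr.is_loopback or addr.is_unspecified) else "redirected"
            findings.append({"line": line_no, "hostname": name, "ip": str(addr),
                             "kind": kind, "vendor": vendor})
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else default_hosts_path()
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError as exc:
        print(f"cannot read {path} ({exc}); auditing the built-in sample instead")
        text = SAMPLE_HOSTS
    for f in audit_hosts(text):
        print(f"line {f['line']}: {f['kind']:10} {f['ip']:>15} -> {f['hostname']}")
```

Any vendor name in a hosts file is a finding: a loopback or 0.0.0.0 mapping blocks the site outright, and a mapping to any other address redirects the victim, which can be worse. The hosts file is only one override point, so a clean result does not rule out tampering with the resolver configuration itself; check the host's DNS server settings and any local resolver rules as well.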
Data Collecting Techniques
Key targets include Discord user accounts, payment information, and cryptocurrency wallets. The malware locates this data by searching for specific file types and string patterns that identify sensitive information.
Conclusion
This analysis of RedTiger shows a capable infostealer that puts gamers and their sensitive information at risk, especially within Discord. Its evasion measures make detection harder, while its two-stage exfiltration moves data out efficiently. Monitoring developments in threats like RedTiger remains important for IT leaders.