RedTiger Infostealer Steals Discord Accounts and Payment Data

October 27, 2025 Faeem BLOGS 0

A recently weaponised open‑source red‑team tool called RedTiger is being used in the wild to build an infostealer that targets Discord users and gamers. Attackers compile RedTiger’s info‑stealer into standalone binaries disguised as game tools or Discord utilities. Once executed, the malware harvests Discord tokens, profile metadata, saved browser credentials, cryptocurrency wallet files, screenshots, and payment information, then exfiltrates stolen data to anonymous cloud storage and notifies operators via Discord webhooks.

What happened and why it matters

  • Attackers are abusing an open‑source red‑teaming project to create turnkey infostealers that are easy to compile, distribute, and weaponise.
  • The malware locates Discord and browser storage, extracts tokens and credentials, injects JavaScript into Discord to intercept API activity, and captures payment and subscription details.
  • Evasion features include anti‑sandboxing, debugger detection, and noise generation to complicate forensics.
  • Distribution vectors are typical for gaming audiences: malicious mods, unofficial “boosters” and trainers, infected downloads shared in Discord servers, forums, and third‑party sites.
  • Compromise results in account takeover, payment fraud, access to private channels, and pivot opportunities into other services where reused credentials or tokens are valid.

Executive Summary for CEOs

  • Business risk: Brand damage, fraud, and operational disruption if corporate or community accounts are compromised; elevated risk when company employees use consumer platforms without corporate controls.
  • Priority ask: Confirm whether any employees or contractors use unmanaged Discord instances for work communication; instruct immediate token revocation and credential hygiene if compromise is suspected.
  • Board talking points: This is a supply‑chain‑of‑convenience problem—tooling designed for defensive testing is being reused offensively; governance must include posture for consumer and community platforms used by staff.

Practical Priorities for IT and Security Managers

  • Containment and recovery
    • Revoke suspect Discord tokens and force re‑authentication for high‑risk accounts.
    • Require MFA on Discord and all identity providers, and rotate credentials for any accounts that may have been accessed.
    • Reinstall official Discord clients from vendor sites and clear local browser saved credentials and cookies where compromise is suspected.
  • Detection and hunting
    • Hunt endpoints for recently created binaries and PyInstaller artifacts, unusual GoFile upload traffic, and spawn‑heavy process trees or large counts of random files.
    • Scan file systems for webhooks, obfuscated JS, and directories with suspicious names; look for injected modifications to Discord’s index.js or other local client files.
    • Monitor for notifications or messages sent from webhook endpoints that include exfiltration links.
  • Prevention
    • Block downloads from untrusted sources at perimeter and endpoint layers; use secure web gateways and endpoint protection to quarantine unknown executables.
    • Enforce application control policies or allow‑listing for developer and user machines that interact with community platforms.
    • Educate staff and community moderators on the risks of unofficial mods and the indicators of malicious downloads.

Checklist You Can Use Right Away

  1. Revoke OAuth tokens and force password resets for suspected accounts.
  2. Enable or enforce MFA for all Discord accounts used by employees.
  3. Scan and remediate endpoints with AV, EDR, and anti‑tamper checks.
  4. Block or warn against downloading unofficial game mods and executables.
  5. Search for and remove rogue webhooks or uploaded archives referenced in telemetry.
  6. Restore from clean backups for any altered client installations.
  7. Add detection rules for PyInstaller binaries, suspicious GoFile patterns, and rapid process spawning.

Communication Guidance for Managers

  • Be clear and calm: explain what happened, what you know, and immediate steps employees should take.
  • Provide an action template: how to rotate passwords, reissue tokens, and validate client integrity.
  • Offer support: provide a single contact point for suspected compromises and timeline expectations for remediation.

Longer Term Controls and Strategic Lessons

  • Treat consumer collaboration platforms as part of your attack surface; include them in asset inventories and threat models.
  • Harden endpoints with allow‑listing and telemetry that specifically looks for common builder artefacts like PyInstaller signatures.
  • Limit data stored in client apps and browsers; promote secure password managers and discourage credential storage in browsers.
  • Run tabletop exercises that include scenarios where open‑source offensive tooling is repurposed against you.

This incident is a practical reminder that convenience breeds risk: community tools and modding culture create valuable social engineering pathways. Protect accounts with technical controls, reduce the value of tokens through rapid revocation and MFA, and combine detection with clear user guidance to shrink the attacker’s window. If you want, I will convert the checklist into a one‑page incident playbook or create LinkedIn posts tailored to executive, manager, and recruiter audiences.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.