RedTiger: New Red Teaming Tool in the Wild Targeting Gamers and Discord Accounts

RedTiger is an open-source, Python-based infostealer (released 2024) that targets gamers by stealing Discord tokens and account data, browser-stored credentials and payment information, game accounts (e.g., Roblox), cryptocurrency wallets, screenshots, and webcam images. Stolen data is archived, uploaded to GoFile, and the download link is sent to the attacker via a Discord webhook; observed samples are PyInstaller-compiled binaries, some of which target French-speaking users.

Keypoints

  • RedTiger is an open-source Python red-team tool (2024) whose infostealer module has been observed in the wild as PyInstaller-compiled binaries.
  • The infostealer focuses on Discord account theft by injecting JavaScript into the Discord client and intercepting API calls to capture tokens, credentials, and billing info.
  • Exfiltration is two-stage: stolen data is archived and uploaded to GoFile, then the generated download link and victim metadata are sent to the attacker via a Discord webhook.
  • RedTiger collects browser data (passwords, cookies, credit cards), game files and accounts (including Roblox via cookies), cryptocurrency wallet files, screenshots, and webcam images.
  • It includes persistence options for Windows (startup folder) and incomplete mechanisms for Linux and macOS; persistence must be enabled by the attacker when building the payload.
  • Defense evasion includes exiting when sandbox-associated processes, usernames, hostnames, or hardware IDs are detected, and modifying the hosts file to block security-vendor domains; it also mass-creates files and processes to exhaust resources and flood forensic timelines.
  • Samples and features indicate a primary focus on gaming users, with some samples containing French-language messages targeting French-speaking victims.
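The two-stage exfiltration described in the key points (archive to GoFile, then the link to a Discord webhook) can be hunted in web-proxy logs by correlating the two POSTs from the same client. The following Python is an added detection example, not code from the article or from RedTiger; the log line format, the five-minute window and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy log (not from the article): "ISO-time client METHOD URL" per line.
SAMPLE_PROXY_LOG = """\
2024-06-01T10:00:01 10.0.0.5 GET https://discord.com/api/v9/users/@me
2024-06-01T10:00:07 10.0.0.5 POST https://store1.gofile.io/uploadFile
2024-06-01T10:00:09 10.0.0.5 POST https://discord.com/api/webhooks/1234567890/constructed_token
2024-06-01T10:03:00 10.0.0.9 POST https://store1.gofile.io/uploadFile
2024-06-01T11:30:00 10.0.0.9 POST https://discord.com/api/webhooks/99/another_constructed_token
"""

# Any GoFile host (upload servers vary) and the well-known Discord webhook URL shape.
GOFILE_UPLOAD = re.compile(r"https://[a-z0-9.-]*gofile\.io/", re.I)
DISCORD_WEBHOOK = re.compile(r"https://discord(?:app)?\.com/api/webhooks/\d+/", re.I)


def parse_line(line):
    ts, client, method, url = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), client, method.upper(), url


def find_exfil_sequences(log_text, window=timedelta(minutes=5)):
    """Return (client, upload_time, webhook_time) for each client that POSTs to GoFile
    and then POSTs to a Discord webhook within `window`. A webhook POST with no
    preceding upload, or one outside the window, is not reported."""
    last_upload = {}
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url = parse_line(line)
        if method != "POST":
            continue
        if GOFILE_UPLOAD.search(url):
            last_upload[client] = ts          # remember the most recent upload per client
        elif DISCORD_WEBHOOK.search(url) and client in last_upload:
            if ts - last_upload[client] <= window:
                hits.append((client, last_upload[client], ts))
    return hits


if __name__ == "__main__":
    for client, up, hook in find_exfil_sequences(SAMPLE_PROXY_LOG):
        print(f"{client}: GoFile upload at {up}, webhook POST at {hook}")
```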

MITRE Techniques

  • [T1547] Boot or Logon Autostart Execution – Adds the payload to the Windows startup folder so it runs at login (persistence is enabled during build).
  • [T1543] Create or Modify System Process – Copies scripts to LaunchAgents on Darwin (the .plist is missing) and to the autostart folder on Linux (incomplete persistence that requires extra configuration files).
  • [T1005] Data from Local System – Collects local files matching keywords (.txt, .sql, .zip), game files, wallet files, and browser stores, and archives them for exfiltration.
  • [T1530] Data from Information Repositories – Extracts browser-stored credentials, cookies, credit card information, and browsing history from multiple browser profile folders and release channels.
  • [T1056] Input Capture (Webcam Capture) – Uses OpenCV (cv2) to capture a single webcam image of the victim and includes it in the archive (“capture a single image… save into the ZIP archive”).
  • [T1113] Screen Capture – Uses Pillow’s ImageGrab.grab() to take a screenshot of the primary desktop and store it in the ZIP archive (“capture the desktop… save as ‘Screenshot.png’”).
  • [T1071] Application Layer Protocol – Uses Discord API calls with stolen tokens to validate them and retrieve user details, and uses Discord webhooks to send links to the attacker.
  • [T1567] Exfiltration Over Web Service – Uploads the archived data to GoFile cloud storage (no account required) and sends the GoFile link to the attacker via Discord webhook.
  • [T1490] Inhibit System Recovery – Mass file and process spamming to overload system resources and flood forensic timelines (creates 100 files and spawns 400 processes across threads).
  • [T1562] Impair Defenses – Modifies the hosts file to redirect security-vendor domains to localhost, blocking access to those vendors.
  • [T1486] Data Encrypted for Impact (token validation/interception) – Injects custom JavaScript into the Discord client (discord_desktop_core/index.js) to intercept API calls and capture tokens and payment events (monitors calls to Discord, Braintree, and Stripe for event-specific keywords).
  • [T1036] Masquerading – Distributed as PyInstaller-compiled binaries with gaming-themed filenames to entice victims.
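The client injection listed above (custom JavaScript written into discord_desktop_core/index.js) leaves a simple file-integrity signal, because the file Discord ships is a single `require` line. The Python below is an added defender example, not code from the article or from RedTiger; the %APPDATA% path layout and the marker list are assumptions of this example.

```python
import glob
import os

# What Discord's desktop client ships in discord_desktop_core/index.js: one require line.
EXPECTED_INDEX_JS = "module.exports = require('./core.asar');"

# Substrings that have no business in that file (heuristic list, an assumption of this example;
# Braintree/Stripe come from the article's description of what the injected script monitors).
SUSPICIOUS_MARKERS = ("api/webhooks", "braintree", "stripe", "fetch(", "xmlhttprequest")


def analyse_index_js(text):
    """Return (is_clean, reasons). Anything beyond the expected one-liner is suspect."""
    reasons = []
    if text.strip() != EXPECTED_INDEX_JS:
        reasons.append(f"content differs from the expected one-liner ({len(text.splitlines())} lines)")
    lowered = text.lower()
    found = [m for m in SUSPICIOUS_MARKERS if m in lowered]
    if found:
        reasons.append("suspicious markers: " + ", ".join(found))
    return (not reasons, reasons)


def scan_windows_discord_installs(appdata=None):
    """Analyse index.js for every Discord flavour (discord, discordptb, discordcanary) under
    %APPDATA%. The module directory layout is an assumption about Discord's installer."""
    appdata = appdata or os.environ.get("APPDATA", "")
    pattern = os.path.join(appdata, "discord*", "*", "modules",
                           "discord_desktop_core-*", "discord_desktop_core", "index.js")
    results = {}
    for path in glob.glob(pattern):
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[path] = analyse_index_js(fh.read())
    return results


# Constructed samples for a stand-alone run (the tampered one is illustrative, not a payload).
CLEAN_SAMPLE = "module.exports = require('./core.asar');\n"
TAMPERED_SAMPLE = (
    "const hook = require('./injected.js'); // hooks fetch( for api/webhooks, braintree, stripe\n"
    "module.exports = require('./core.asar');\n"
)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("tampered", TAMPERED_SAMPLE)):
        print(name, analyse_index_js(sample))
    for path, verdict in scan_windows_discord_installs().items():
        print(path, verdict)
```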

Indicators of Compromise

  • [File Names] distribution and targeting – PyInstaller-built binaries with gaming-oriented filenames and some French-language warning messages (examples not provided in article).
  • [Domains/Services] exfiltration channel – GoFile cloud storage (uploads without account) and Discord webhook URLs used to deliver download links.
  • [File paths/Artifacts] targeted data locations – Discord client files (discord_desktop_core/index.js), browser database files (*.log, *.ldb), and user profile files (.txt, .sql, .zip).
  • [Processes/Programs] defense-evasion/process detection – Presence or termination attempts against debugger/RE tools like cheatengine, x32dbg, x64dbg, ollydbg, windbg, ida, ghidra, radare2, frida, Procmon/Process Explorer (listed process names).
  • [Hosts file changes] local redirection – Modified hosts file entries redirecting security vendor domains to localhost (specific domains not listed in article).
  • [Cookies/Endpoints] account theft indicators – Cookies for “roblox.com” and API requests to Discord endpoints (e.g., /users/@me, /auth/login) used to validate and extract account info.
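The hosts-file indicator above (security-vendor domains redirected to localhost) is cheap to check on an endpoint: any non-local hostname mapped to a loopback or null address is worth a look. The Python below is an added example, not code from the article or from RedTiger; since the article does not name the vendor domains RedTiger blocks, the sample uses placeholder vendor names and lets the caller supply a watchlist.

```python
import ipaddress
import os
from pathlib import Path

# Addresses used to sinkhole a name in a hosts file.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1", "::"}
# Names that legitimately resolve to loopback in a default hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost",
               "ip6-loopback", "ip6-localnet", "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters"}


def find_sinkholed_hosts(hosts_text, watchlist=()):
    """Return [(lineno, ip, hostname, on_watchlist)] for every entry that maps a non-local
    name to a sinkhole address. `watchlist` holds substrings of the security-vendor domains
    the organisation cares about; entries not on it are still reported (watched=False)."""
    hits = []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                              # malformed line, out of scope here
        if ip not in SINKHOLE_IPS:
            continue
        for name in names:
            if name.lower() in LOCAL_NAMES:
                continue
            watched = any(w.lower() in name.lower() for w in watchlist)
            hits.append((lineno, ip, name.lower(), watched))
    return hits


def check_system_hosts(watchlist=()):
    path = Path(r"C:\Windows\System32\drivers\etc\hosts") if os.name == "nt" else Path("/etc/hosts")
    return find_sinkholed_hosts(path.read_text(errors="replace"), watchlist)


# Constructed sample: default Windows entries plus two tampered lines with placeholder vendor names.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 updates.av-vendor.example   # not in the stock file
0.0.0.0 telemetry.edr-vendor.example
"""

if __name__ == "__main__":
    for lineno, ip, name, watched in find_sinkholed_hosts(SAMPLE_HOSTS, ["av-vendor", "edr-vendor"]):
        print(f"line {lineno}: {name} -> {ip}{' (watchlisted vendor)' if watched else ''}")
```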


Read more: https://www.netskope.com/blog/redtiger-new-red-teaming-tool-in-the-wild-targeting-gamers-and-discord-accounts