Hackers Turn RedTiger Tool Into Malware Stealing Discord and Crypto Accounts


Security researchers at Netskope uncover how RedTiger, an open source cybersecurity testing tool, has been repurposed by hackers to target gamers and steal Discord credentials, crypto wallets, and personal data.

Hackers have turned RedTiger, an open source, Python-based red teaming tool released in 2024, into a potent infostealer targeting the global gaming community. Security researchers at Netskope discovered that the tool, originally built for cybersecurity training and audit simulations, has been weaponised into malware capable of stealing Discord accounts, browser passwords, cryptocurrency wallets, and even webcam images.

According to Netskope, attackers repackaged RedTiger’s open source code into a standalone malware executable using PyInstaller, exploiting its accessibility much like previous abuses of frameworks such as Cobalt Strike and Metasploit.
“As is often the case with red team tools, attackers usually adopt them and use them for malicious purposes,” — Netskope Researchers, Blog Post.

The malicious version of RedTiger is being spread through game-related downloads such as mods, boosters, and cracked tools. Once installed, it collects sensitive data and uploads it to GoFile, an anonymous cloud-sharing platform. Attackers then receive the stolen data, along with the victim’s IP, hostname, and location, via Discord webhooks, bypassing conventional detection systems.
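A defender-side sketch of how the sequence described above (an upload to GoFile followed by a Discord webhook notification from the same process) could be hunted in web proxy logs. This is an added example, not code from Netskope or RedTiger; the log format, process names, browser allow-list and five-minute window are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log lines (not taken from the Netskope report).
# Assumed format: timestamp host process method url
SAMPLE_LOG = """\
2025-01-10T18:02:11 PC-07 chrome.exe GET https://gofile.io/d/EXAMPLE
2025-01-10T18:05:40 PC-07 Discord.exe POST https://discord.com/api/v9/channels/1/messages
2025-01-10T19:14:02 PC-12 fps_booster.exe POST https://store1.gofile.io/upload
2025-01-10T19:14:09 PC-12 fps_booster.exe POST https://discord.com/api/webhooks/0/PLACEHOLDER
2025-01-10T20:30:00 PC-15 ci_agent.exe POST https://discord.com/api/webhooks/0/PLACEHOLDER
"""

WINDOW = timedelta(minutes=5)  # assumed correlation window
ALLOWED = {"chrome.exe", "firefox.exe", "msedge.exe"}  # assumed browser allow-list


def is_gofile_upload(method, url):
    host = url.hostname or ""
    return method == "POST" and (host == "gofile.io" or host.endswith(".gofile.io"))


def is_discord_webhook(method, url):
    host = url.hostname or ""
    return (method == "POST" and host in ("discord.com", "discordapp.com")
            and url.path.startswith("/api/") and "/webhooks/" in url.path)


def find_exfil_pairs(log_text):
    """Flag a process that POSTs to GoFile and then to a Discord webhook."""
    last_upload = {}  # (host, process) -> time of most recent GoFile POST
    alerts = []
    # ISO timestamps lead each line, so a plain sort orders events by time.
    for line in sorted(l for l in log_text.splitlines() if l.strip()):
        ts, host, proc, method, raw_url = line.split()
        when, proc, url = datetime.fromisoformat(ts), proc.lower(), urlsplit(raw_url)
        if proc in ALLOWED:
            continue
        key = (host, proc)
        if is_gofile_upload(method, url):
            last_upload[key] = when
        elif is_discord_webhook(method, url) and key in last_upload:
            gap = when - last_upload[key]
            if gap <= WINDOW:
                alerts.append({"host": host, "process": proc,
                               "gap_seconds": int(gap.total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_pairs(SAMPLE_LOG):
        print(alert)
```

A webhook POST on its own (the `ci_agent.exe` line) is not flagged, since webhooks have legitimate uses; only the pairing within the window raises an alert.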

Designed with persistence and evasion in mind, RedTiger auto-launches on Windows startup and terminates itself in sandboxed environments. Researchers warn that Linux and macOS variants are in development, suggesting the threat could soon widen beyond gamers to businesses and organisations.

Security experts recommend users delete and reinstall Discord, enable two-factor authentication, and avoid unverified downloads. The RedTiger case underscores the double-edged nature of open source security tools; their openness empowers learning but also invites malicious exploitation.
