RedTiger Toolkit Weaponized to Steal Discord Tokens and Crypto Wallets

Malware built on the RedTiger red-teaming toolkit is actively stealing Discord tokens, browser credentials and crypto wallet data, enabling account takeover even after victims reset passwords.

    Security researchers have uncovered a new wave of account takeover attacks targeting users of the Discord platform. The intrusions are driven by a repurposed open-source red-teaming toolkit called RedTiger, which is being weaponised to harvest Discord credentials, payment and crypto wallet information, and gaming account data from victim machines.

    RedTiger Was Originally Designed for Red Teaming but Is Now Weaponised

    RedTiger, released publicly in 2024, was built as a modular red-teaming framework that bundles network-scanning, OSINT, phishing and infostealer components. However, attackers have adopted its infostealer module and launched campaigns against gamers and Discord users. The malware is compiled using PyInstaller and masquerades as game-related or Discord-adjacent executables. Once executed, it targets Discord client files and browser-stored data on Windows, Linux and macOS.

    “When the info-stealer is installed on the victim machine, it scans Discord database files, extracts tokens and validates them through the Discord API before harvesting email, MFA status and payment details.”

    By injecting custom JavaScript into Discord’s index.js file, RedTiger intercepts the client’s own API calls and watches for events such as password changes, Nitro purchases and billing-source modifications. Because the hook lives inside the Discord client itself, every new token issued after a password reset is captured and exfiltrated again, so the attacker keeps access even after the victim updates their credentials.

    Attack Chain Enables Complete Account Takeover, Crypto Theft and Persistent Surveillance

    The infection begins with delivery vectors such as Trojanised “mods”, counterfeit game trainers or cracked software promising free Discord Nitro. Once the payload runs, it locates Discord’s local storage files and browser cookies, applies a regular expression to extract token-shaped strings, and sends each candidate to the Discord API’s users/@me endpoint; a successful response both confirms the token is valid and returns the account metadata. From that response the module collects email address, subscription status, MFA state and stored payment information.

    The malware then archives browser-saved passwords, credit-card details, cryptocurrency wallet data (MetaMask, etc.), and game-specific files (Roblox, Steam). It uploads the archive to an anonymous file-hosting service and passes the download link to the attacker via a Discord webhook, including victim IP and host-name details. Further, to evade forensic analysis, the tool spawns hundreds of dummy processes and creates random files to clutter system logs, and modifies the hosts file to block access to security vendor domains.

    Implications for Gamers and Enterprise Users Alike

    While the campaign focuses on Discord and gaming accounts, security experts warn the same approach could be extended to corporate communication platforms such as Slack or Microsoft Teams. Corporate session tokens and cookies can be stolen in the same way, giving persistent access that survives password or MFA changes because the token, not the login flow, is what the attacker replays. For gamers, the impact is immediate: account takeover, stolen wallet funds, loss of premium subscriptions and unauthorised transactions.

    Because Discord accounts often link to payment methods, even compromised game accounts can be monetised. The modular design of RedTiger also suggests attackers could reuse the same infrastructure for broader enterprise campaigns.

    Recommended Defensive Actions for Users and IT Teams

    Defenders must act quickly:

    • Log out of all sessions on Discord and any other services signed into from the affected machine, which invalidates the current tokens. Do this only after the machine has been cleaned: while the injected client code is still present, the replacement token will simply be captured again.
    • Run full-system malware scans and remove suspicious “mod” or “trainer” executables.
    • Enable hardware-backed MFA on all gaming and communication accounts, but understand its limit: MFA protects the login step, and a stolen session token skips that step entirely.
    • Clear browser-saved credentials, keep only trusted browser extensions, and disable auto-sign-in features.
    • For enterprise environments, monitor for unusually long-lived tokens, inspect internal applications and client installs for unexpected JavaScript injection or outbound calls to foreign webhooks, and hunt for sessions that remain active after a password reset.
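    The following is an added host-based hunt for three indicators the article describes: non-stock content in Discord’s desktop-core index.js, an embedded Discord webhook URL, and hosts-file entries that sinkhole security-vendor domains. It is example code written for this page, not code from the article or from the RedTiger project. It assumes the untampered discord_desktop_core/index.js is the one-line loader `module.exports = require('./core.asar');` and that Discord installs under %LOCALAPPDATA%\Discord\app-*\modules\ on Windows; the vendor-domain list, the API-hook patterns and the injected sample are all constructed for illustration, not recovered from the malware.

```python
"""Hunt for RedTiger-style Discord client tampering (added example)."""
import os
import re
from pathlib import Path

# Assumption: a clean discord_desktop_core/index.js is exactly this loader line.
CLEAN_INDEX_JS = re.compile(
    r"^\s*module\.exports\s*=\s*require\(['\"]\./core\.asar['\"]\);?\s*$"
)

# Discord webhook URLs (discord.com, discordapp.com, canary/ptb variants).
WEBHOOK_RE = re.compile(
    r"https?://(?:canary\.|ptb\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"
)

# Constructed patterns: what a token logger needs in order to watch API
# traffic for user data, password changes and billing updates.
HOOK_PATTERNS = [
    re.compile(r"XMLHttpRequest\.prototype\.(open|send)"),
    re.compile(r"/users/@me"),
    re.compile(r"/billing/"),
]

# Constructed list of vendor domains an infostealer might sinkhole via hosts.
SECURITY_DOMAINS = ("virustotal.com", "malwarebytes.com", "avast.com",
                    "kaspersky.com", "eset.com", "bitdefender.com")
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}


def inspect_index_js(text: str) -> list[str]:
    """Return findings for the contents of one index.js file."""
    findings = []
    if not CLEAN_INDEX_JS.match(text):
        findings.append("index.js is not the stock one-line loader")
    for url in WEBHOOK_RE.findall(text):
        findings.append(f"webhook URL embedded: {url}")
    for pat in HOOK_PATTERNS:
        if pat.search(text):
            findings.append(f"API hook pattern: {pat.pattern}")
    return findings


def inspect_hosts(text: str) -> list[str]:
    """Return security-vendor domains that the hosts file sinkholes."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        if ip not in SINKHOLES:
            continue
        for name in names:
            if any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS):
                findings.append(f"{name} sinkholed to {ip}")
    return findings


def find_index_js_files(localappdata: str) -> list[Path]:
    """Locate desktop-core index.js files (assumed Windows install layout)."""
    base = Path(localappdata)
    return sorted(base.glob(
        "Discord*/app-*/modules/discord_desktop_core-*/discord_desktop_core/index.js"))


# Constructed samples so the hunt can be exercised offline.
CLEAN_SAMPLE = "module.exports = require('./core.asar');\n"
INJECTED_SAMPLE = """const https = require('https');
const WEBHOOK = "https://discord.com/api/webhooks/123456789012345678/AbCdEf_ghIJK-lmn";
const _open = XMLHttpRequest.prototype.open;
XMLHttpRequest.prototype.open = function (m, u) {
  if (u.includes('/users/@me') || u.includes('/billing/')) { /* log token */ }
  return _open.apply(this, arguments);
};
module.exports = require('./core.asar');
"""
HOSTS_SAMPLE = """127.0.0.1 localhost
# added by malware (constructed)
0.0.0.0 virustotal.com
0.0.0.0 www.malwarebytes.com
"""

if __name__ == "__main__":
    print("clean sample:", inspect_index_js(CLEAN_SAMPLE))
    print("injected sample:", inspect_index_js(INJECTED_SAMPLE))
    print("hosts sample:", inspect_hosts(HOSTS_SAMPLE))
    # Live scan of this host, where the assumed paths exist.
    for path in find_index_js_files(os.environ.get("LOCALAPPDATA", "")):
        print(path, inspect_index_js(path.read_text(encoding="utf-8", errors="replace")))
    hosts = Path(r"C:\Windows\System32\drivers\etc\hosts")
    if hosts.exists():
        print(hosts, inspect_hosts(hosts.read_text(errors="replace")))
```

    The index.js check is deliberately strict: any content beyond the stock loader is reported, so a finding means “inspect this file”, not “confirmed RedTiger”. Legitimate client modifications (BetterDiscord-style patches) will also trip it, which is acceptable for a hunt on managed endpoints where such modifications are not expected.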

    Strategic Takeaways for Account-Takeover Prevention

    The RedTiger campaign underscores that credential and token theft remain the core enablers of modern attacks—especially where account linking enables downstream monetisation or escalation. Game-centric attacks often serve as a foothold into broader infrastructures. Organisations must therefore treat tokens as first-class security objects: managing lifespan, revocation and monitoring usage patterns. Gamers and hobbyist communities, meanwhile, are emerging attack surfaces for infostealer campaigns given their high-value payment links and minimal protection.
