Discord Inc.

Discord users, particularly within French-speaking gaming communities, are being targeted by the **RedTiger infostealer**, a red-teaming tool repurposed for cybercrime. The malware injects itself into Discord's client application and harvests credentials, browser-saved passwords, payment card details, cryptocurrency wallet data, and gaming account logins (e.g., Roblox). It also covertly activates webcams for unauthorized surveillance and exfiltrates victim data (including IP addresses, geolocation, and hostnames) through anonymous cloud uploads (GoFile) and Discord webhooks. Persistence mechanisms let the malware survive reboots on Windows, Linux, and macOS, giving the operators long-term access.

The breach compromises **sensitive financial and personal information** of users, enabling fraud, account takeovers, and identity theft. While Discord's corporate systems are not directly breached, the exploitation of its platform for large-scale credential theft undermines user trust and exposes the company to reputational damage. Because RedTiger is open source, it can be modified rapidly, evading traditional antivirus detection and amplifying risks for Discord's 150+ million monthly active users. The incident highlights the risk of third-party tool abuse and the growing threat of infostealers targeting gaming ecosystems.

Source: https://cyberpress.org/new-redtiger-tool-targets-gamers-compromises-discord-accounts-in-wild/

TPRM report: https://www.rankiteo.com/company/discord

"id": "dis5593255102425",
"linkid": "discord",
"type": "Cyber Attack",
"date": "10/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Gaming/Entertainment',
                        'location': 'Global (with focus on French-speaking '
                                    'communities)',
                        'name': 'Global Gaming Community',
                        'type': 'User Base'},
                       {'industry': 'Social Media/Communication',
                        'location': 'Global',
                        'name': 'Discord Users',
                        'type': 'Platform Users'}],
 'attack_vector': ['Phishing Kits',
                   'Malicious Executables',
                   'Discord Client Injection',
                   'Network Scanning Utilities'],
 'customer_advisories': ['Public warnings for gamers to secure accounts and '
                         'avoid suspicious downloads.'],
 'data_breach': {'data_exfiltration': 'Yes (via GoFile + Discord Webhooks)',
                 'file_types_exposed': ['Text Files (Credentials)',
                                        'Images/Videos (Webcam Recordings)',
                                        'Browser Data (Saved Passwords)'],
                 'personally_identifiable_information': 'Yes (IP addresses, '
                                                        'hostnames, account '
                                                        'credentials)',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Credentials',
                                              'Financial Data',
                                              'PII',
                                              'Geolocation Data',
                                              'Multimedia (Webcam '
                                              'Recordings)']},
 'description': 'A dangerous infostealer called RedTiger, originally a '
                'legitimate red-teaming toolkit released in 2024, has been '
                'weaponized by cybercriminals to steal Discord credentials, '
                'gaming accounts (e.g., Roblox), and sensitive financial '
                'information. The malware employs a two-stage data '
                'exfiltration process via GoFile and Discord webhooks, targets '
                'French-speaking gaming communities, and includes persistence '
                'mechanisms across Windows, Linux, and macOS. It also records '
                'victims via webcams and harvests browser-saved passwords, '
                'payment card details, and cryptocurrency wallet credentials.',
 'impact': {'brand_reputation_impact': 'High (Targeting gamers and Discord '
                                       'users, a vulnerable and high-trust '
                                       'community)',
            'data_compromised': ['Discord Credentials',
                                 'Gaming Account Logins (e.g., Roblox)',
                                 'Browser-Saved Passwords',
                                 'Payment Card Information',
                                 'Cryptocurrency Wallet Credentials',
                                 'Webcam Recordings',
                                 'IP Addresses',
                                 'Geographic Location',
                                 'Computer Hostnames'],
            'identity_theft_risk': 'High (Stolen PII, financial data, and '
                                   'account credentials)',
            'payment_information_risk': 'High (Payment card and cryptocurrency '
                                        'wallet credentials targeted)',
            'systems_affected': ['Windows', 'Linux', 'macOS']},
 'initial_access_broker': {'backdoors_established': 'Yes (Persistence across '
                                                    'reboots)',
                           'data_sold_on_dark_web': 'Likely (Given focus on '
                                                    'credentials and financial '
                                                    'data)',
                           'entry_point': ['Malicious Executables '
                                           '(Phishing/Untrusted Downloads)',
                                           'Discord Client Injection'],
                           'high_value_targets': ['Gaming Accounts',
                                                  'Financial Data',
                                                  'Discord Credentials']},
 'investigation_status': 'Ongoing (Multiple variants active; expected to '
                         'evolve)',
 'lessons_learned': ['Open-source red-teaming tools can be weaponized by '
                     'threat actors, necessitating stricter access controls or '
                     'monitoring.',
                     'Gaming communities are high-value targets due to '
                     'financial data and account reuse across platforms.',
                     'Multi-stage exfiltration (e.g., cloud storage + '
                     'webhooks) complicates detection and attribution.',
                     'Persistence mechanisms across multiple OSes increase '
                     'malware longevity and impact.'],
 'motivation': ['Financial Gain',
                'Credential Theft',
                'Privacy Violation',
                'Data Exfiltration'],
 'post_incident_analysis': {'corrective_actions': ['Discord: Implement '
                                                   'client-side protections '
                                                   'against code injection.',
                                                   'Gaming Platforms: Enforce '
                                                   'MFA and monitor for '
                                                   'credential stuffing '
                                                   'attacks.',
                                                   'Security Vendors: Develop '
                                                   'signatures for RedTiger '
                                                   'variants and track '
                                                   'GoFile/Discord webhook '
                                                   'abuse.',
                                                   'User Education: Campaigns '
                                                   'on secure download '
                                                   'practices and phishing '
                                                   'recognition.'],
                            'root_causes': ['Abuse of legitimate red-teaming '
                                            'tool (RedTiger) for malicious '
                                            'purposes.',
                                            'Lack of user awareness in gaming '
                                            'communities regarding '
                                            'phishing/malware risks.',
                                            'Inadequate protection for Discord '
                                            'client against code injection.',
                                            'Open-source nature of the tool '
                                            'enabling rapid modification and '
                                            'evasion.']},
 'recommendations': ['Gamers should avoid downloading executables from '
                     'untrusted sources and verify file integrity.',
                     'Enable MFA on Discord, gaming, and financial accounts to '
                     'mitigate credential theft.',
                     'Use endpoint detection solutions to monitor for '
                     'anomalous uploads (e.g., GoFile) or Discord webhook '
                     'activity.',
                     'Security teams should track open-source tool abuse and '
                     'proactively hunt for weaponized variants.',
                     'Regularly update systems and applications to patch '
                     'vulnerabilities exploited by infostealers.',
                     'Educate users on phishing risks, especially in '
                     'gaming/Discord communities where social engineering is '
                     'prevalent.'],
 'references': [{'source': 'Security Research Reports (Generic Placeholder)'}],
 'response': {'communication_strategy': ['Public Advisories for Gamers',
                                         "Security Researchers' Warnings"],
              'containment_measures': ['User Awareness Campaigns (e.g., '
                                       'avoiding untrusted executables)',
                                       'System Updates and Security Patches'],
              'enhanced_monitoring': ['Monitoring for Anomalous Discord '
                                      'Webhook Activity',
                                      'Detection of GoFile Uploads from '
                                      'Endpoints'],
              'remediation_measures': ['Strong, Unique Passwords for '
                                       'Gaming/Discord Accounts',
                                       'Multi-Factor Authentication (MFA) '
                                       'Enforcement']},
 'stakeholder_advisories': ['Gaming Platforms (e.g., Roblox, Steam)',
                            'Discord',
                            'Cybersecurity Firms'],
 'title': 'RedTiger Infostealer Targeting Gamers and Discord Users',
 'type': ['Malware', 'Infostealer', 'Red-Teaming Tool Abuse']}