Hackers steal Discord accounts using the RedTiger tool

27.10.2025 2 minutes Author: Newsman

A new wave of attacks is hitting Discord: cybercriminals are using RedTiger, a legal pentesting tool, to steal users’ credentials, tokens, payment information, and crypto wallets. RedTiger is a Python ethical hacking kit that includes scanners, OSINT utilities, and even a malware “builder.” Although the authors mark it as “for legal use,” its open-source code has made it easy for attackers to create infostealers.

According to Netskope, the main wave of attacks targets French Discord users. Using PyInstaller, the hackers build executable files with names resembling game utilities or Discord applications. Once launched, the program reads browser and Discord databases, steals tokens, logins, passwords, history, and PayPal payment information, and even takes screenshots. The collected files are archived and uploaded to GoFile, and a link is sent to the hackers via a Discord webhook.
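The upload-then-notify sequence described above leaves a recognizable network pattern. As an added example (not taken from Netskope's report or from RedTiger), this Python script flags any process that POSTs to GoFile and then to a Discord webhook within five minutes; the proxy-log format, the host and process names, the five-minute window, and the `gofile.io` and `/api/webhooks/` match rules are assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy-log lines: timestamp host process method url
SAMPLE_LOG = """\
2025-10-27T10:00:01 pc-01 chrome.exe GET https://gofile.io/d/constructed
2025-10-27T10:02:10 pc-02 GameBoost.exe POST https://store1.gofile.io/constructed-upload
2025-10-27T10:02:14 pc-02 GameBoost.exe POST https://discord.com/api/webhooks/0/placeholder
2025-10-27T10:05:00 pc-03 Discord.exe POST https://discord.com/api/v9/channels/1/messages
2025-10-27T11:30:00 pc-04 backup.exe POST https://store1.gofile.io/constructed-upload
2025-10-27T12:45:00 pc-04 backup.exe POST https://discord.com/api/webhooks/0/placeholder
"""

WINDOW = timedelta(minutes=5)  # assumed correlation window


def is_gofile_upload(method, url):
    host = urlsplit(url).hostname or ""
    return method == "POST" and (host == "gofile.io" or host.endswith(".gofile.io"))


def is_discord_webhook(method, url):
    parts = urlsplit(url)
    return (method == "POST"
            and parts.hostname in ("discord.com", "discordapp.com")
            and parts.path.startswith("/api/webhooks/"))


def find_exfil_chains(log_text, window=WINDOW):
    """Return (host, process, upload_time, webhook_time) for every GoFile upload
    followed by a webhook POST from the same host and process within `window`."""
    last_upload, hits = {}, []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        ts, host, proc, method, url = fields
        when = datetime.fromisoformat(ts)
        key = (host, proc.lower())
        if is_gofile_upload(method, url):
            last_upload[key] = when
        elif is_discord_webhook(method, url) and key in last_upload:
            uploaded = last_upload.pop(key)
            if timedelta(0) <= when - uploaded <= window:
                hits.append((host, proc, uploaded.isoformat(), when.isoformat()))
    return hits


if __name__ == "__main__":
    for hit in find_exfil_chains(SAMPLE_LOG):
        print("possible infostealer exfiltration:", hit)
```

On the constructed sample only `pc-02` is reported: `pc-01` merely downloads, `pc-03` uses the normal Discord API, and the two requests from `pc-04` are 75 minutes apart.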

Discord-related tools in RedTiger

To complicate analysis, RedTiger generates hundreds of random processes and files, and it terminates when it detects a debugger.

RedTiger was originally created as a tool for training and testing network security. But because it lacks protection against abuse, it was quickly picked up by the criminal underground. Such abuse is not new: previously released pentest utilities such as Evilginx and Metasploit have also been used in real attacks.

Do not download “gaming tools” or Discord mods from unverified sources. If you suspect infection, revoke tokens, change passwords, reinstall Discord from the official website, clear the browser cache, and activate two-factor authentication.
