Cybercriminals have launched a new wave of attacks that repurpose an open-source penetration testing tool to hijack Discord and browser accounts. Designed for security researchers, the Python-based tool, RedTiger, has evolved into a powerful information stealer in the hands of malicious actors.
What is RedTiger, and how is it being exploited?
RedTiger was originally developed as a penetration testing tool capable of network scanning, password cracking, open-source intelligence gathering, and generating malicious samples. Attackers, however, use packagers such as PyInstaller to bundle the tool's code into standalone .exe files and distribute them under deceptive names, such as game plugins or Discord helpers. When users run these files, malware that functions as a backdoor is installed on their systems.
Once deployed, the RedTiger-based stealer first scans the local databases of the Discord client and popular web browsers. It uses regular expressions (regex) to extract Discord tokens, checks which ones are still valid, and collects the associated email address, profile information, saved payment methods, two-factor authentication status, and subscription data. Code injected into Discord's index.js file can also monitor logins, password changes, and purchases in real time, giving attackers access to credit card and PayPal data.
On the browser side, saved passwords, cookies, history, saved credit card information, and extensions are targeted. The software can capture desktop screenshots and search files such as .TXT, .SQL, and .ZIP on the system.
The collected information is archived and uploaded to third-party file-sharing platforms; attackers receive and manage the download links through Discord webhooks. Some malicious versions stop running when they detect analysis tools or virtual environments, which makes them hard for security researchers to investigate. Some samples also try to defeat behavioral analysis by launching thousands of dummy processes and generating random files.
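As an added example (not code from the article or from RedTiger), a small Python check a defender could run over a Discord installation's modules directory to spot a tampered desktop_core loader of the kind described above. It assumes that a stock index.js is a single require of core.asar, and treats embedded Discord webhook URLs and auth/billing endpoint strings as indicators; the sample file bodies are constructed.

```python
import re
from pathlib import Path

# Assumption: a stock discord_desktop_core/index.js is a one-line loader.
STOCK_LOADER = re.compile(
    r"^\s*module\.exports\s*=\s*require\(['\"]\./core\.asar['\"]\);?\s*$"
)

# Assumed indicators of an injected loader: a webhook used for exfiltration,
# or references to the login / billing / MFA endpoints the injection watches.
INDICATORS = {
    "discord_webhook_url": re.compile(
        r"https?://(?:[a-z]+\.)?discord(?:app)?\.com/api/webhooks/\d+/", re.I),
    "login_endpoint": re.compile(r"/api/v\d+/auth/login", re.I),
    "billing_endpoint": re.compile(r"/api/v\d+/users/@me/billing", re.I),
    "mfa_endpoint": re.compile(r"/api/v\d+/users/@me/mfa", re.I),
}


def assess_index_js(content: str) -> list[str]:
    """Return findings for one index.js body; an empty list means it looks stock."""
    findings = []
    if not STOCK_LOADER.match(content):
        findings.append("loader_not_stock")
    for name, pattern in INDICATORS.items():
        if pattern.search(content):
            findings.append(name)
    return findings


def scan_discord_modules(root: Path) -> dict[str, list[str]]:
    """Walk a Discord modules directory and report every non-stock desktop_core loader."""
    results = {}
    for path in root.rglob("index.js"):
        if path.parent.name != "discord_desktop_core":
            continue
        findings = assess_index_js(path.read_text(errors="replace"))
        if findings:
            results[str(path)] = findings
    return results


# Constructed samples: a stock loader and one with indicator strings appended.
CLEAN_SAMPLE = "module.exports = require('./core.asar');\n"
TAMPERED_SAMPLE = (
    "module.exports = require('./core.asar');\n"
    "const hook = 'https://discord.com/api/webhooks/000000000/PLACEHOLDER';\n"
    "const watched = ['/api/v9/auth/login', '/api/v9/users/@me/billing'];\n"
)

if __name__ == "__main__":
    print(assess_index_js(CLEAN_SAMPLE))     # []
    print(assess_index_js(TAMPERED_SAMPLE))  # loader_not_stock plus indicator names
```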
Security analysis indicates that this wave of attacks specifically targeted French Discord users, but the distribution methods and operating logic suggest the same technique can spread quickly across other regions. Attacks typically begin in gaming communities, groups where cheats and mods are shared, and among users seeking third-party add-ons.
Security experts emphasize that executable files from unverified sources should never be opened. Files promising game-focused add-ons like mods, trainers, and boosters pose a particularly high risk.
Users who notice suspicious activity should take the following steps:
Invalidate login tokens on Discord, change the passwords on all accounts, and, where possible, clear saved passwords from the browser; these are the first steps. Reinstall the app from the official source, enable two-factor authentication (2FA), and run a full system scan with reputable antivirus/EDR software. Other steps include reviewing browser extensions, removing unknown add-ons, isolating backups of suspicious files, and seeking professional assistance.
RedTiger-based malicious samples are hard to detect because of their ability to evade analysis and generate decoy behavior. By halting when they detect debuggers or analysis tools, and by generating random files and processes to obscure their real activity, they can deceive traditional signature-based defenses. These techniques make it difficult for security teams to quickly identify and isolate infected samples.
The RedTiger example demonstrates how open-source security tools can become dangerous weapons in the hands of malicious actors.

