RedTiger Infostealer Targets Discord Users via Fake Game Mods
Oct 27, 2025
Summary
| Attribute | Details |
|---|---|
| Attack Type | Infostealer (RedTiger-based) |
| Target | Discord users (primarily in France) |
| Impact | Theft of authentication tokens, browser data, and crypto wallets |
| Attack Vector | Malicious game mods, Discord utilities, and executables |
| Data Exfiltration | Uploaded to GoFile via Discord webhooks |
| Detection Evasion | Anti-sandboxing, dummy process spawning |
| Recommended Action | Revoke tokens, reinstall Discord, scan for malware |
Incident Overview
Hackers have weaponized the open-source RedTiger penetration testing tool into a potent infostealer that targets Discord users. The malware masquerades as game mods or Discord utilities and spreads through unverified download sites and Discord servers.
Once installed, the malicious binary scans systems for Discord tokens, browser credentials, and cryptocurrency wallets. It injects code into Discord’s core files to intercept user actions and exfiltrates stolen data to anonymous cloud services like GoFile, sending the link to attackers via Discord webhooks.
Technical Breakdown
Distribution: Fake game mods, cheats, and “boost” tools shared via Discord or forums.
Data Stolen: Discord tokens, passwords, browser cookies, crypto wallets, game accounts.
Evasion: RedTiger’s modified build spawns multiple fake processes to evade analysis.
Command & Control: Exfiltrated data sent through webhooks and cloud file-sharing links.
These attacks bypass traditional password protection — once a Discord token is stolen, it can grant full account access, even with MFA enabled.
Recommended Actions
For Users:
Revoke all Discord sessions and reset passwords immediately.
Reinstall Discord from official sources.
Clear browser-saved passwords and cookies.
Run a full malware scan.
Avoid downloading “mods” or “tools” from unofficial sources.
For Organizations:
Monitor outbound traffic to GoFile and other anonymized upload domains.
Deploy endpoint detection rules to flag unusual process creation.
Include “free tool traps” in cybersecurity awareness simulations.
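As an added illustration of the outbound-traffic monitoring above (not ClearPhish's or RedTiger's code), this Python sketch correlates a file upload to GoFile with a Discord webhook POST from the same host shortly afterwards, the exfiltration pattern this report describes. The log format, host and process names, URLs in the sample, and the five-minute window are assumptions constructed for the example.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log; assumed format: time host process method url
SAMPLE_LOG = """\
2025-10-27T10:00:01 WS-014 chrome.exe GET https://discord.com/channels/@me
2025-10-27T10:02:10 WS-014 mod_installer.exe POST https://store.gofile.io/constructed-upload
2025-10-27T10:02:14 WS-014 mod_installer.exe POST https://discord.com/api/webhooks/000000/CONSTRUCTED
2025-10-27T11:15:00 WS-022 chrome.exe POST https://gofile.io/constructed-upload
2025-10-27T13:40:00 WS-022 notify.exe POST https://discord.com/api/webhooks/111111/CONSTRUCTED
not a log line
"""

UPLOAD_DOMAINS = ("gofile.io",)            # extend with other anonymous upload services
WEBHOOK_DOMAINS = ("discord.com", "discordapp.com")
WINDOW = timedelta(minutes=5)              # assumed correlation window

def _in_domains(url, domains):
    host = (url.hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def is_upload(method, url):
    return method in ("POST", "PUT") and _in_domains(url, UPLOAD_DOMAINS)

def is_webhook(method, url):
    return (method == "POST" and _in_domains(url, WEBHOOK_DOMAINS)
            and url.path.startswith("/api/webhooks/"))

def find_upload_then_webhook(log_text, window=WINDOW):
    """Return one alert per webhook POST that follows an upload from the same host."""
    last_upload, alerts = {}, []           # last_upload: host -> (time, process)
    for line in log_text.splitlines():     # lines are assumed to be in time order
        try:
            ts, host, proc, method, raw_url = line.split(maxsplit=4)
            ts, url = datetime.fromisoformat(ts), urlsplit(raw_url)
        except ValueError:                 # skip blank or malformed lines
            continue
        method = method.upper()
        if is_upload(method, url):
            last_upload[host] = (ts, proc)
        elif is_webhook(method, url) and host in last_upload:
            up_ts, up_proc = last_upload[host]
            if ts - up_ts <= window:
                alerts.append({"host": host, "upload_process": up_proc,
                               "webhook_process": proc,
                               "delay_seconds": int((ts - up_ts).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in find_upload_then_webhook(SAMPLE_LOG):
        print(alert)
```

Correlation is by host rather than by process because, as described above, the malware also injects code into Discord's own files, so the webhook request may come from a different process than the upload.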
ClearPhish Insight
The RedTiger Discord campaign highlights how legitimate tools can be turned into attack weapons by exploiting human trust.
At ClearPhish, we simulate similar “Free Tool Trap” scenarios in our awareness programs—demonstrating how a single careless download can lead to a full-scale compromise.
By blending cinematic storytelling and micro-simulations, organizations can train users to pause before downloading anything that looks “helpful” but comes from unverified sources.
Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.






