Hackers hijack Discord Accounts and infect gaming PCs with RedTiger tool



A new and potent threat is targeting Discord users and gamers, with hackers abusing the open-source penetration testing tool RedTiger to create a dangerous info-stealer.

This malware is designed to harvest sensitive account and payment data, raising a fresh cybersecurity alarm for the platform’s community.

RedTiger is a Python-based red-team suite that includes a malware builder, which threat actors are now leveraging. The resulting infostealer is particularly sinister as it modifies the Discord client’s files with custom JavaScript.

This allows it to intercept traffic and steal valuable data, including Discord account information, payment details (including PayPal and credit cards), and cryptocurrency wallet data.

The malware’s capabilities go beyond initial theft. It is able to monitor a victim’s activity and steal new login information, even after the user changes their password to secure the account. By injecting code into Discord’s files, it can intercept API calls for events like logins or purchases, making it highly effective at maintaining access.

The RedTiger-based threat is comprehensive, not just limited to Discord. It also snatches credentials, cookies, and saved credit cards from web browsers. Even more alarmingly, the malware can take snapshots of the victim’s desktop and use a webcam to capture photos, opening the door for potential blackmail alongside data theft.

Currently, the malware persists on Windows-based machines by adding itself to startup items, with similar functionality being developed for Linux and macOS. To evade detection, it features anti-sandbox mechanisms and overloads forensic analysis by spawning hundreds of random processes and files.

Users are urged to be highly cautious: avoid downloading executables or game utilities like mods and “trainers” from unverified sources. Users who suspect an account has been compromised must revoke Discord tokens, change passwords, reinstall the Discord desktop client from the official site, and enable Multi-Factor Authentication (MFA) everywhere.
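A defender can check whether a Discord client's JavaScript has been altered before reinstalling. The following is an added example, not code from the article or from RedTiger; it assumes the altered file is the `index.js` of the client's `discord_desktop_core` module and that a stock copy is a single-line loader, neither of which the article states, and its sample files and URL are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumption: a stock discord_desktop_core/index.js contains only this loader.
STOCK_LOADER = "module.exports = require('./core.asar');"
URL_RE = re.compile(r"https?://[^\s'\"\\)]+")

def normalize(js: str) -> str:
    """Ignore whitespace and quote style so formatting alone never alerts."""
    return re.sub(r"\s+", "", js).replace('"', "'")

def scan_discord_tree(root: Path) -> list[dict]:
    """Report every core-module index.js that differs from the stock loader."""
    findings = []
    for path in sorted(root.rglob("index.js")):
        if not path.parent.name.startswith("discord_desktop_core"):
            continue  # other modules legitimately ship larger index.js files
        text = path.read_text(encoding="utf-8", errors="replace")
        if normalize(text) == normalize(STOCK_LOADER):
            continue
        findings.append({
            "path": str(path),
            "bytes": len(text.encode("utf-8")),
            # URLs in a loader file show where extra code may send data.
            "urls": sorted(set(URL_RE.findall(text))),
        })
    return findings

def build_constructed_sample(root: Path) -> None:
    """Create a constructed directory tree: one clean client, one modified."""
    files = {
        "app-1.0.0/modules/discord_desktop_core-1/discord_desktop_core/index.js":
            STOCK_LOADER + "\n",
        "app-1.0.0/modules/discord_voice-1/discord_voice/index.js":
            "// unrelated module, not checked\n",
        "app-1.0.1/modules/discord_desktop_core-1/discord_desktop_core/index.js":
            "const hook = 'https://collector.example/hook'; // constructed\n"
            + STOCK_LOADER + "\n",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(Path(tmp))
        for finding in scan_discord_tree(Path(tmp)):
            print(finding)
```

To check a real machine, pass the client's install directory to `scan_discord_tree`; any finding means the file no longer matches the assumed stock loader and the client should be reinstalled as described above.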
