I was hit with RedTiger Malware

I was hit with RedTiger malware. Once it executed, I was hit with various things.

First it hit my Discord. Sending crypto ads to all server channels I was in and DMs. Got banned from some Discord servers I liked.

It scanned my Brave passwords, stored payments, etc.

It got my open session tokens for websites like Facebook, which had me sending spam messages of crypto ads to my friends, getting me blocked there by Facebook without anyone logging in.

Same with Amazon: it had spam orders that got canceled and the account blocked by Amazon.

It got my Steam account, where it sent 200+ community awards to Chinese accounts in less than 2 minutes.

It also somehow scanned my MetaMask's private key data from the extension and drained $25 USDC I had there.

Brave browser needs to look into these things. This is alarming that all of this was possible on a supposedly secure browser.

Do you have any proof Brave is involved here?

For the most part it’s still up to the user to be aware of the websites they browse, and Brave does its best, but nothing is perfect.

However, other than a claim, you’ve presented zero evidence. Care to do so?

Brave is the only browser I’ve used since 2016. Screenshot is a massive list of Steam emails I got.

As for the metamask thing, 1upnode.eth is (was) my address their bot now owns. You’ll see on chain they took $24.XX amount immediately when we checked to see if it was compromised.

[Screenshot_2]

I understand the frustration, but it is important to be clear about what actually happened. This was not a browser failure. It was a total system compromise. When you download and run untrusted files without the right security software in place, you are essentially giving that program permission to act as you.

RedTiger is an infostealer. It does not need to “hack” Brave because it is already inside your system walls. It simply reads your local folders and steals active session tokens directly from your hard drive. No browser (Brave, Chrome, or otherwise) can protect you once the operating system itself is compromised.

Expecting a browser to stay secure after you have executed malware is like expecting a deadbolt to work after you have handed a thief the keys to the house. The responsibility here lies in vetting your downloads and ensuring your system has proper security layers. At this point, you need to focus on wiping that machine and changing every password you own.

This is also a great reason to stop saving passwords in your browser. Move them to a dedicated manager like 1Password or Bitwarden. If you keep your passwords, payment info, and keys in a separate, encrypted vault, then malware like RedTiger has a much harder time finding anything useful even if it does get onto your machine.

You’re missing the point here. I’m drawing awareness that Brave doesn’t have any safeguards if your system gets infected, which unfortunately is clearly the case here. The browser should act independently from the system, because it is its own program.

If you don’t understand how malware works, that’s fine, but to say that just because your system is infected all other programs are now screwed is a mind-blowing claim.

Using your logic, you’re simply saying that if the system is infected, your anti-virus is also infected and rendered useless regardless. That is a pretty clueless stance and baffling logic to use here.

I’m not missing the point at all. I know how all of this works and am explaining it to you.

You are misunderstanding how operating system permissions work. A browser is not a virtual machine. It is an application that runs on top of your operating system. If the operating system is compromised, every application running on it is vulnerable.

When you run malware, it operates with your user-level permissions. This means it can read your local files, including the databases where browsers store session tokens and encrypted data. It does not need to “infect” the browser code itself; it just reads the data folders that the browser uses. No browser can “act independent” of the system it is installed on because it relies on that system for memory, storage, and processing.

Your antivirus analogy actually proves the point. An antivirus is effective because it often runs with higher (kernel-level) permissions than a standard user, allowing it to monitor system calls. A browser does not and should not have that level of authority. If your OS is compromised, your security has failed at a level deeper than any browser can fix.

  • Modern OS design (Windows/macOS) does not isolate browsers in a way that protects them from a local user-level process. If a program can see your “Documents” folder, it can likely see your “App Data” folder where Brave stores its info.

  • This is the “Mind Blowing” part you need to understand. Malware doesn’t need to crack a password if it can just copy the “cookie” that says you are already logged in. The browser cannot stop a local file-copy command.

  • An antivirus is designed to prevent the infection. Once the infection is active and has bypassed the antivirus, even the antivirus can be disabled or blinded by the malware.

You really don’t understand what I’m saying. Are you a bot?

An outside program such as malware stealing data from a browser should not be a thing.

No one is claiming that. Strawman argument.

No. You’re wrong. Antivirus programs have all permissions. Why do you think it can scan all files? Very limited and narrow view.

FALSE. Not all security levels can detect malware. Especially the most recent. That is why you run updates (definition updates).

WRONG. The fact that another program can copy sensitive, plain text info, especially Brave browser data, is pretty wild. This means that Brave isn’t encrypting this information locally. Which is a major red flag. My Steam getting hacked or Amazon account is proof session tokens aren’t encrypted. If it does, it’s not very effective.

The malware originated from China, because it sent Steam awards to all Chinese Steam accounts. Like, every single account is Chinese. If that wasn’t proof enough, we found network traffic going to a Chinese server in Guangdong province.

You seem to be stuck on this topic about how it’s not Brave’s fault though. Which it is.

Ref. material . . .

October 26, 2025

BleepingComputer article by Bill Toulas:

Hackers steal Discord accounts with RedTiger-based infostealer

Excerpts:

RedTiger is a Python-based penetration testing suite for Windows and Linux that bundles options for scanning networks and cracking passwords, OSINT-related utilities, Discord-focused tools, and a malware builder.

RedTiger’s info-stealer component offers the standard capabilities of snatching system info, browser cookies and passwords, crypto wallet files, game files, and Roblox and Discord data. It can also capture webcam snapshots and screenshots of the victim’s screen.

The attackers compiled RedTiger’s code using PyInstaller to form standalone binaries and gave those gaming or Discord-related names.

Once the info-stealer is installed on the victim’s machine, it scans for Discord and browser database files. It then extracts plain and encrypted tokens via regex, validates the tokens, and pulls the profile, email, multi-factor authentication, and subscription information.


October 24, 2025

CyberSecurityNews article by Guru Baran

New Red Teaming Tool RedTiger Attacking Gamers and Discord Accounts in the Wild

Excerpt:

It also edits the hosts file to block security vendors and spawns hundreds of junk files and processes to clog forensics.


Safe Browsing in Brave

https://support.brave.app/hc/en-us/articles/15222663599629-Safe-Browsing-in-Brave

Command prompt tip:

dir /p /o:d

That provides a list of files in chronological order for your present directory. Very handy for finding recent virus invaders and their associates, which generally appear within a certain (recent) time frame.


I asked Perplexity.ai:

Is it possible to recover from RedTiger malware that affects Discord users, by using Windows OS System Restore Point? Or, does such malware disrupt that recovery effort?

Answer: ‘https://www.perplexity.ai/search/is-it-possible-to-recover-from-LiiBCB3SSqac16Cbv8uAKg’

Excerpt:

How RedTiger Persists

RedTiger’s infostealer variants for Discord add persistence on Windows by registering themselves to start automatically at boot and by modifying Discord client files so they continue intercepting tokens and data even after password changes.

Because these changes affect application files and startup entries rather than core system components only, rolling back to a restore point may not undo every modification if the restore point itself is already contaminated or does not cover all affected locations.
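Two of the behaviours quoted above (the hosts file being edited to sinkhole security vendors, and a burst of freshly created files that the `dir /p /o:d` tip is meant to surface) can be checked for without vendor tooling. The script below is an added example for this thread, not code from the articles, from Brave, or from any poster. The vendor domain list, the sinkhole addresses and the sample hosts text are constructed for illustration; the hosts path is the Windows default and is only read if it exists.

```python
"""Offline triage helpers for an infostealer of the kind described above.

Checks performed:
  1. hosts-file entries that redirect security-vendor domains to a
     sinkhole address (127.0.0.1, 0.0.0.0, ::1), and
  2. files modified within the last N hours under a directory, which is
     the same idea as `dir /p /o:d` but filtered to a time window.
The vendor list, sinkhole set and SAMPLE_HOSTS are constructed examples.
"""
import os
import time
from pathlib import Path

# Constructed list of security-vendor / update domains an infostealer might
# sinkhole. Extend it with the vendors used in your own environment.
SECURITY_DOMAINS = (
    "virustotal.com",
    "malwarebytes.com",
    "microsoft.com",
    "windowsupdate.com",
    "avast.com",
    "kaspersky.com",
    "bitdefender.com",
)

# Addresses that send a hostname to the local machine or to nowhere
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Default Windows hosts path (assumed; adjust for other systems)
HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")


def find_sinkholed_security_domains(hosts_text: str):
    """Return (line_no, ip, hostname) for every hosts entry that points a
    security-vendor domain, or a subdomain of one, at a sinkhole address."""
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        if ip not in SINKHOLE_IPS:
            continue
        for name in names:
            lowered = name.lower()
            if any(lowered == d or lowered.endswith("." + d) for d in SECURITY_DOMAINS):
                hits.append((line_no, ip, lowered))
    return hits


def recent_files(entries, now, hours=24):
    """Given (path, mtime) pairs, return those modified within the last
    `hours`, newest first. Pure function so it can be tested without a disk."""
    cutoff = now - hours * 3600
    return sorted(((p, t) for p, t in entries if t >= cutoff),
                  key=lambda e: e[1], reverse=True)


def scan_directory(root, hours=24):
    """Walk `root` (e.g. Downloads or %APPDATA%) and apply recent_files to
    every regular file found. Unreadable entries are skipped."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                entries.append((p, os.stat(p).st_mtime))
            except OSError:
                continue
    return recent_files(entries, time.time(), hours)


# Constructed sample: two normal loopback lines plus three sinkhole entries
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         www.virustotal.com
0.0.0.0         malwarebytes.com   # added by malware
127.0.0.1       update.microsoft.com
"""

if __name__ == "__main__":
    for line_no, ip, name in find_sinkholed_security_domains(SAMPLE_HOSTS):
        print(f"sample hosts line {line_no}: {name} -> {ip} (vendor sinkholed)")
    if HOSTS_PATH.exists():
        live = find_sinkholed_security_domains(HOSTS_PATH.read_text(errors="replace"))
        print(f"live hosts file: {len(live)} suspicious entries")
    downloads = Path.home() / "Downloads"
    if downloads.exists():
        for p, t in scan_directory(downloads, hours=24)[:20]:
            print(time.strftime("%Y-%m-%d %H:%M", time.localtime(t)), p)
```

Run it from a normal user account on the suspect machine; a non-empty result from the hosts check, or a cluster of files created in the same few minutes under a profile directory, is the kind of signal the excerpts describe and is worth preserving before a reinstall.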

Bah, I can’t sleep and got a notification on this topic for some reason. Let me hit on some things. Before anything, sucks to hear you got hit and dealing with it. And yeah, because I’m tired, will be a bit more direct which may seem rude. I can try to revisit later to clear things up and try to rephrase nicely if need be.

That said…

  1. This would have happened regardless of the browser you use.
  2. It’s often due to Discord or games where people add this malware to their own devices.

You realize malware is like someone breaking into your home, right? You would be correct that it ideally shouldn’t happen. But regardless of what security methods you use, it’s going to happen. This is especially true when you don’t properly keep things secured.

You did. You said the browser should act independent from the system. Hikane was explaining to you that there’s no way for it to act independently. The browser itself and all the data is on your computer, which means your OS is going to have controls. It can’t isolate itself like a virtual machine would.

This is one of your major misunderstandings. You keep wanting to attack and argue as if you can have the browser completely independent and untouchable.

Who said it’s plain text? Everything is encrypted. You just seem to be unaware of the different types of encryption and seem to have no comprehension about why things are or aren’t possible.

You may want to check out sensitive data storage where they touch on this a bit. You can also see a Google/Chromium article here

When you’re logged in on your computer, things are unencrypted. It needs to be so you can use it. Otherwise if it just kept full encryption then you wouldn’t be able to do anything. All websites would be blocked.

It’s kind of like an alarm system. When you leave the house, it becomes enabled. If anyone enters it will be locked or sound an alarm when someone tries to force an entry. But when you’re home, it isn’t set. Otherwise every time you move it would set off the alarms and be a constant headache.

It is possible to get access to the encrypted file where your seed phrase and private key is stored. They can then move this file elsewhere and brute force password guessing software can be used to get your password.

This is one of the potential dangers of a software wallet and why many recommend hardware wallets, especially if you’ll be using crypto much.

Brave and all the browser companies are always looking into things. OSes are always making updates as well. Nothing is perfect and there will always be new bypasses when security is tightened. This isn’t an ideal world where all threats can be neutralized. All that can be done is for everyone to make their best effort.

Welcome to the real world. Nothing is perfect. All locks can be picked or bypassed. Computers can be hacked. Data can be stolen. Banks get robbed, houses catch fire, and many other crazy things in life.

Honestly, this whole issue likely is a result of something you carelessly added to your own device. Porn, video games, torrents, crypto faucets or airdrops, or whatever else. At least that tends to be the scenario for this malware.

Okay. Wow! Thanks for this. Very informative. I didn’t know there was already a write-up like this for it. I couldn’t find much, because apparently it’s a new type of malware.

The funny thing is, I thought I was being careful. I ran VirusTotal on the .exe. VirusTotal found nothing.

Then I ran Microsoft Defender and it found nothing. So I honestly thought the .exe was safe. Double-clicked it and nothing opened up or happened.

A few hours later…

I started spamming Discord friends and channels. I downloaded Malwarebytes and it found nothing. About another hour from that, Amazon notifies me of order spam. About 7 hours later, the Steam thing.

So then I uninstalled Discord and restarted the computer. Discord installed itself back on the computer. This was quite odd.

The last resort which finally removed it was a fresh install of Windows 11. No more problems.

You satisfied? This is unhinged.

Nothing about this was careless. I ran scans before opening the file. It’s just too new, which is the problem. Never dealt with this level of intrusion before. It’s nothing I’ve seen before.

Because it’s so new, the norms don’t fit here, which were the basis for my early claims.

Wow. Thank you very much. I wish I had this before the fresh install.

@L2MICRO

You are new, here, and not aware of how much Brave Support requires of this Brave Community, that the members behave as self-disciplined, self-restrained adults.

Speaking for myself, I am merely a volunteer who tries to take some piece of the weight carried by Brave Support, because I know they are busy people when on deck. I try to give them a little breathing room - but I do not know what, of my efforts, may be a burden for them.

For example, your Original Post - I would tend to try and rescue your effort, though you did not make a full report - Brave Browser details, for example, are missing re your given usage of categories and tags, and your argument against Brave Browser security.

Other members of the Brave Community responded, and I know that they are primarily interested in helping you.

In your case, they generally tried to reorient your course heading. They know that Brave Browser is not at fault. They know a lot about Brave Browser, the Windows OS, and this community. I agree with them.

My view of your predicament is that your involvement with Discord and Steam was an ambush site that RedTiger Malware was developed to exploit. I base that on the info that I found online.

You did try to avoid trouble with the particular “.exe” - you used the training that you knew - but you walked into the RedTiger ambush.

Yet, you will live, and your experience, despite much frustration, will help others.

At this forum, you must observe and adhere to the code of conduct.

A lot of us are actually quite qualified to understand what you’re saying. I have 20 years as a sys admin, and a developer for a fruit company. You don’t know their history, you don’t know my history. We certainly don’t know yours, but what’s clear is a complete misunderstanding in how any of this works.

You said you scanned the files and nothing was found. Well, if nothing found it, how would Brave have? Did you even attempt to use VirusTotal?

Good way to really scan deep, while also finding “False Positives” (apps that are genuine, but do things that might be nefarious, even if they don’t do that).

The burden of safety is always on the user. You can only have so many bumpers on your bowling lane, like you can only have so many safeguards on your computer, but the reality is, it’s down to the player to bowl straight, or take on safe computing practices on their PC.

This isn’t new either; we’ve been doing this since the 80s and early 90s.

I’m sorry, but we have to be blunt here, you came in with honestly no proof, and the proof provided doesn’t really prove anything other than it’s your choices.

I understand you’ve used Brave since 2016, but again that doesn’t prove anything other than user neglect. Again, your car has safety features, but they are useless if you intentionally drive into a wall.

It’s not unhinged whatsoever, he was completely honest with you as any true IT person would. To the point without sugar coating it.

I’m honestly starting to think you might be using AI to make an argument you know nothing about.

You seem to be stuck on this topic about how it’s not Brave’s fault though. Which it is.

Again lack of evidence other than an email screenshot? You have no network captures, no browser history from when this all started, you basically are making a baseless claim and that we do take offense to. Not to be rude, but because it’s not policy to ever make a claim without facts.

You do realize, your original post is borderline “slander” legally, right? Just think about that for a second.

Let’s be honest, you could have downloaded a file sent to you over Discord, fell for a YouTube scam, don’t wish to tell the whole picture, and well, you blamed Brave for something that may not even have been delivered through Brave. Again, think about that original post potentially being “slander”.

If you want to have a real discussion, we can do that and would be happy to. But if you’re coming here hot-headed with accusations without any single form of hard proof other than screenshots that prove nothing whatsoever as to how the malware “got in”, we aren’t going to accept that as a valid report. Being you’ve already attacked me, and 3 others, I’d be surprised if anyone left would want to help you. But if you try again, chill out a little, and think about some things after taking a step back, and come back more level headed, I’m sure we’d be willing to approach this again, and try and offer ways to track down what happened.

But under no circumstance, even me, a user who has no investment in Brave other than I have my own share of bugs and spend time here helping others with Brave bugs, would ever want to be spoken to this way, nor would we be willing to help.

Saoiray, I won’t tag you since you’re already oddly being tagged in a thread you weren’t tagged in, but you’re not alone. I got a notification for a thread I never participated in either, so that’s two of us. (Not this one for me.)

I think this thread has run its course, no need to keep bickering.

@L2MICRO to summarize what everyone is saying – this is not a Brave specific issue. As others have pointed out, if you were using any other browser (Firefox, Edge, Chrome, Vivaldi, Opera, Safari, etc.) and performed the exact same actions you were performing when this occurred, the same thing would have happened.

Further learning, if desired:
Brave (and pretty much every modern browser) leverages “Safe Browsing” (as stated by @289wk above) to warn and/or block users from visiting potentially unsafe websites and downloading potentially malicious content. If you downloaded an executable file and scanned it with multiple AV programs and they were unable to detect the malware inside, then it’s not likely that safe browsing would be able to detect it, as it probably isn’t in the safe browsing database due to the way this malware bypasses detection from both safe browsing and AV programs (more on this below).

The way safe browsing works is by referencing known malicious URLs, hash files, phishing pages and software installers. The limitation here is that it is largely reputation-based, is reactive and is URL/hash based. It is very good at identifying known threats.

From what I’m reading, RedTiger malware is designed to bypass safe browsing by using several clever methodologies, some of which include:

  • Frequently registering new domains
  • Using short-lived hosting
  • Rapidly rotating IPs/CDNs

This makes it hard for safe browsing to block/detect it as that requires the domain/file(s) be observed, reported, verified and distributed. This can take time, and at that point, the malware campaign may already be using entirely different domains, hosting, etc. and “disappears” before it can be blacklisted.

Further, RedTiger is designed to appear non-malicious by looking like a legitimate installer (often even signed, it seems), not containing obviously exploitive code and only becomes malicious after execution. While AV/malware detection will very likely find a way to detect and prevent these files, it appears that they’re still playing catch up.


TL;DR
This attack does not appear to be the fault of anyone – not the browser, nor the AV programs installed, due to the way the malware is implemented. Not your fault either, given that you scanned the executable with two separate AV programs, neither of which gave you any reason not to trust the file. It’s simply a well designed attack executed exactly the way the attackers intended.

I’m going to go ahead and close this thread so no one is tempted to continue arguing. @L2MICRO if you have further questions or would like additional advice, please feel free to start a new thread and we’ll be happy to assist you the best we can.