Raven Stealer: The New Infostealer Using Telegram to Steal Your Data
Researchers from the Lat61 Threat Intelligence Team have published a comprehensive analysis of Raven Stealer, a lightweight, furtive infostealer written in Delphi and C++. The report details its credential-theft capabilities, methods for clandestine exfiltration via Telegram, and its distribution through pirated software and underground channels.
Raven Stealer emerges as a new-generation data-stealing tool distinguished by minimal user interaction, deliberate obfuscation, and near-instantaneous delivery of stolen data through native Telegram integration. It harvests accounts from applications, extracts passwords, cookies, browsing history and autofill data from Chromium-based browsers, and relays this intelligence to operators in real time—rendering it particularly menacing for both home and enterprise environments.
Propagation occurs via cracked installers and shadowy forums. An embedded resource editor allows operators to inject Telegram configuration—Bot Token and Chat ID—directly into the binary, lowering the technical threshold for even inexperienced thieves. The builder produces executables with randomized 12-character names and optionally packs them with UPX, complicating static analysis and signature-based detection.
Examination of a sample revealed binaries compiled in Delphi and Visual C++, with Telegram credentials stored in clear text. A heavily obfuscated DLL was also found; it is loaded into memory via the BeginUpdateResource API and later used for injection into a trusted browser process.
The injection employs reflective process hollowing: a Chromium browser is launched in a suspended state, then a decrypted module (protected with ChaCha20) is mapped into its address space. This technique cloaks the stealer as a legitimate process and helps it evade behavioral detection. Harvested artifacts are written to %Local%\RavenStealer—with cookies.txt, passwords.txt, and payment.txt containing cookies, credentials and payment details—and a desktop screenshot is captured. All artifacts are archived as admin_RavenStealer.zip and transmitted via the Telegram API; in the analyzed instance the transmission failed with a 404 owing to an incorrect token.
Analysis confirmed that Raven Stealer retrieves the AES key from the Edge Local State file to decrypt cookies and stored credentials. Once extracted and written as plaintext, these secrets facilitate session hijacking, account takeovers and fraudulent transactions.
Mitigation requires eschewing pirated software, keeping systems and applications up to date, and monitoring process activity and network connections—particularly those invoking the Telegram API. Behavioral analytics and real-time monitoring solutions that detect suspicious encryption patterns and process injections are effective defenses.
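The monitoring advice above can be turned into a small correlation rule using the artifact names the report gives (the RavenStealer staging folder, the three plaintext dumps and admin_RavenStealer.zip) together with connections to the Telegram Bot API. This is an added example, not code from the Lat61 report; the event schema is an assumption modelled on Sysmon-style telemetry, the host api.telegram.org is the public Bot API endpoint (the report only says "Telegram API"), and the allowlisted process name and sample events are constructed.

```python
import re

# File artifacts named in the Lat61 report (compared case-insensitively).
RAVEN_FILES = {"cookies.txt", "passwords.txt", "payment.txt", "admin_ravenstealer.zip"}
RAVEN_DIR_RE = re.compile(r"\\ravenstealer\\", re.IGNORECASE)
# Public Telegram Bot API host; the report itself only says "Telegram API".
TELEGRAM_API_HOST = "api.telegram.org"
# Constructed allowlist of processes expected to talk to the Bot API.
TELEGRAM_ALLOWLIST = {"corp_alert_bot.exe"}

def classify_event(ev: dict) -> list:
    """Return alert tags for one event; an empty list means nothing matched."""
    tags, image = [], str(ev["image"]).lower()
    if ev["type"] == "file_create":
        path = str(ev["path"])
        name = path.rsplit("\\", 1)[-1].lower()
        if RAVEN_DIR_RE.search(path) and name in RAVEN_FILES:
            tags.append("raven_artifact:" + name)
    elif ev["type"] == "net_connect":
        if str(ev["dest_host"]).lower() == TELEGRAM_API_HOST and image not in TELEGRAM_ALLOWLIST:
            tags.append("telegram_api_from_unexpected_process:" + image)
    return tags

def correlate(events) -> dict:
    """Group alert tags by process id so staging and exfiltration line up."""
    by_pid = {}
    for ev in events:
        tags = classify_event(ev)
        if tags:
            by_pid.setdefault(int(ev["pid"]), []).extend(tags)
    return by_pid

def high_confidence(by_pid: dict) -> list:
    """Pids that both wrote a Raven artifact and reached the Bot API."""
    return sorted(pid for pid, tags in by_pid.items()
                  if any(t.startswith("raven_artifact:") for t in tags)
                  and any(t.startswith("telegram_api_") for t in tags))

# Constructed sample telemetry, not captured logs. Pid 4120 plays the hollowed
# browser process the report describes; pids 880 and 2200 are benign noise.
SAMPLE_EVENTS = [
    {"type": "file_create", "pid": 4120, "image": "msedge.exe",
     "path": r"C:\Users\alice\AppData\Local\RavenStealer\passwords.txt"},
    {"type": "file_create", "pid": 4120, "image": "msedge.exe",
     "path": r"C:\Users\alice\AppData\Local\RavenStealer\admin_RavenStealer.zip"},
    {"type": "net_connect", "pid": 4120, "image": "msedge.exe", "dest_host": "api.telegram.org"},
    {"type": "net_connect", "pid": 880, "image": "corp_alert_bot.exe", "dest_host": "api.telegram.org"},
    {"type": "file_create", "pid": 2200, "image": "notepad.exe",
     "path": r"C:\Users\alice\Documents\passwords.txt"},
]
```

Running `high_confidence(correlate(SAMPLE_EVENTS))` flags only pid 4120, the process that both staged files in the RavenStealer folder and contacted the Bot API, while the allowlisted bot and the unrelated passwords.txt in Documents produce no alert.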
Raven Stealer exemplifies a commodified infostealer: easy to configure, stealthy in operation, and capable of bypassing traditional protections. Its modular design and use of a messenger for exfiltration render it a persistent threat to organizations and individuals alike, underscoring the need for layered security and vigilant endpoint oversight.