Execution Flow | Image: Point Wild
Raven Stealer, a new entrant in the commodity malware ecosystem, is emerging as a stealthy yet powerful information stealer targeting both individuals and enterprises. Developed primarily in Delphi and C++, the malware is designed for efficiency, evasion, and rapid exfiltration of sensitive data.
According to Point Wild’s analysis, “Raven Stealer is a contemporary, lightweight information-stealing malware… It steals credentials from various applications, harvests browser data such as cookies, autofill entries, and browsing history, and performs real-time data exfiltration via Telegram bot integration.”
Raven Stealer is distributed through underground forums and is frequently bundled with cracked software, a common lure for unsuspecting users. The report notes, “Its distribution often occurs through underground forums or bundled with cracked software, making it a persistent threat to both personal and enterprise environments.”
The malware is also promoted via a dedicated Telegram channel, where low-skilled cybercriminals can easily access preconfigured builds.
The malware includes a builder interface that allows attackers to generate unique payloads with minimal effort. Each build embeds Telegram bot tokens and chat IDs into the resource section, enabling seamless command-and-control.
Point Wild explains, “Once the user supplies the required credentials such as the Chat ID and Bot Token, the builder proceeds to embed them into the payload… This unencrypted storage method poses a significant risk of credential exposure.”
The builder also ensures evasion by assigning randomized filenames to each payload, complicating signature-based antivirus detection.
Raven Stealer specializes in browser-focused data theft, targeting Chromium-based browsers like Chrome, Edge, and Brave. It collects:
- Passwords (decrypted from browser vaults)
- Cookies (enabling session hijacking)
- Autofill data (personal info & payment details)
- Screenshots of the victim’s desktop
The analysis highlights: “The malware consolidates stolen credentials and system information within a well-defined folder hierarchy under %Local%\RavenStealer… All collected artifacts are compressed into a ZIP archive and sent to the attacker via Telegram using the API endpoint.”
Even though one observed attempt failed due to an invalid token, the workflow demonstrates how quickly data can be stolen and transmitted.
To avoid detection, Raven Stealer employs:
- In-memory DLL decryption using ChaCha20, preventing disk artifacts.
- Process hollowing into Chromium instances, disguising execution under a trusted process.
- Obfuscation and resource embedding, keeping payloads hidden in the .rsrc section.
This allows the malware to operate undetected by basic antivirus solutions.
To defend against Raven Stealer and similar threats, Point Wild recommends:
- Avoid downloading pirated or cracked software.
- Keep antivirus and endpoint detection systems updated.
- Monitor suspicious network activity, especially Telegram API traffic.
- Educate users about phishing and malware-laced downloads.
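One way to act on the Telegram-traffic recommendation above, as an added example that is not from the Point Wild report or the malware analysis itself: a small scanner over web-proxy log lines that flags calls to the Telegram Bot API. Because the stealer hollows into a Chromium process, the source process name looks trusted, so the rule keys on the `api.telegram.org/bot<token>/<method>` URL shape rather than on the process; the log format, hostnames and bot tokens below are constructed for the example.

```python
# Added example (not Point Wild's code): flag Telegram Bot API requests in
# web-proxy logs. Raven Stealer ships its ZIP archive via
# api.telegram.org/bot<token>/<method>; a hollowed chrome.exe makes the
# process name benign, so browsers must not be whitelisted here.
import re
from typing import Dict, List

BOT_API = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>\w+)"
)
# Methods that push data *to* Telegram; sendDocument is how file archives leave.
UPLOAD_METHODS = {"sendDocument": "high", "sendPhoto": "high", "sendMessage": "medium"}

# Constructed proxy log lines (tab-separated: time, host, process, verb, url).
SAMPLE_LOG = """\
2024-01-01T10:00:01Z\tWS01\tchrome.exe\tGET\thttps://www.example.com/
2024-01-01T10:00:05Z\tWS01\tchrome.exe\tPOST\thttps://api.telegram.org/bot123456:ABCdefGhIJKlmnOPQrstuVWxyz/sendDocument
2024-01-01T10:00:06Z\tWS01\tchrome.exe\tPOST\thttps://api.telegram.org/bot123456:ABCdefGhIJKlmnOPQrstuVWxyz/sendMessage
2024-01-01T10:01:00Z\tWS02\tTelegram.exe\tGET\thttps://web.telegram.org/
2024-01-01T10:02:00Z\tWS03\tpython.exe\tPOST\thttps://api.telegram.org/bot987:token/getUpdates
"""


def redact(token: str) -> str:
    """Keep only the numeric bot id so analysts can pivot without copying the secret."""
    return token.split(":")[0] + ":<redacted>"


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per Bot API request, rated by how much data the method can carry out."""
    findings = []
    for line in log_text.splitlines():
        try:
            ts, host, proc, verb, url = line.split("\t")
        except ValueError:
            continue  # malformed or truncated line; skip rather than crash
        m = BOT_API.search(url)
        if not m:
            continue  # ordinary browsing, including web.telegram.org, is not flagged
        method = m.group("method")
        findings.append({
            "time": ts, "host": host, "process": proc, "method": method,
            "bot": redact(m.group("token")),
            "severity": UPLOAD_METHODS.get(method, "low"),
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any hit on the Bot API from an endpoint is worth a look; a `sendDocument` from a browser process, as in the constructed sample, matches the exfiltration path described above.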