Raven Stealer: New MaaS Infostealer Plunders Data via Reflective Process Hollowing & Telegram Exfil

A recent in-depth analysis from Cyfirma has shed light on the alarming capabilities of Raven Stealer, a lightweight yet powerful information-stealing malware rapidly gaining traction across the cybercriminal underworld. Crafted in Delphi and C++, Raven Stealer exemplifies a new generation of modular malware—efficient, stealthy, and disturbingly accessible.

Raven Stealer specializes in siphoning sensitive information from Chromium-based browsers such as Chrome, Edge, and Brave. Its targets include:

• Passwords
• Cookies
• Saved payment details
• Autofill data
• Cryptocurrency wallets
• VPN clients
• Gaming platforms

Using in-memory techniques and reflective process hollowing, the malware avoids touching disk—thereby sidestepping many traditional detection mechanisms. Cyfirma highlights:

“It starts a legitimate browser process in a suspended state, then uses Direct Syscall-based Reflective Process Hollowing to inject its payload… bypassing Chromium’s App-Bound Encryption (ABE),” the report explains.

Rather than relying on conventional C2 servers, Raven Stealer embeds Telegram bot tokens and chat IDs directly into the payload. Once data is exfiltrated, it’s zipped and sent to the attacker’s Telegram bot via the /sendDocument API.

“The malware uses curl.exe… to upload the exfiltrated ZIP file via the Telegram API… enabling real-time data transmission and campaign management.”

The stolen data is neatly organized within the victim’s %Local%\RavenStealer directory and includes:

• passwords.txt
• cookies.txt
• payment.txt
• screenshot.png

The stealer is distributed through GitHub and marketed via Telegram by a developer group known as ZeroTrace Team. Their Telegram channel functions as a marketplace, support forum, and update log.

This organized infrastructure—spanning open-source repositories and real-time Telegram-based exfiltration—makes Raven Stealer a compelling product in the Malware-as-a-Service (MaaS) ecosystem.

With its stealth execution, modular design, and seamless deployment process, Raven Stealer requires minimal skill to use but delivers maximum impact. It lowers the technical bar for cybercriminals and dramatically increases the risk landscape for users.

“Raven Stealer employs encrypted exfiltration and seamless integration with Telegram bots… rendering it accessible even to actors with limited technical expertise,” the report concludes.

Related Posts:

• FormBook Malware Spreads via Sophisticated Phishing Attack
• Lumma Stealer MaaS: Clipboard Hijacking and LOLBins Used in Latest Campaign
• Rhadamanthys Stealer: MaaS Malware Hits Oil & Gas
• The Rise of Mac Malware: 2024 Threat Report Reveals Alarming Trends
• Malicious npm Packages Backdoor Telegram Bot Developers

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy

Written by

@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.