Raven Stealer has emerged as a potent information‐stealing threat targeting users of Chromium‐based browsers, most notably Google Chrome.
First observed in mid-2025, this lightweight malware distinguishes itself through a modular architecture and stealthy design, allowing it to harvest sensitive information without alerting victims.
Delivered predominantly via cracked software bundles and underground forums, Raven Stealer capitalizes on social engineering tactics and repackaged installers to convince users to execute its malicious payload.
Once unleashed on a host system, Raven Stealer begins by probing local storage paths associated with Chrome, Edge, Brave, and similar browsers to locate encryption keys and credential vaults.
It then leverages native Windows API calls to decrypt and extract saved passwords, cookies, autofill entries, and payment data. During this phase, the malware avoids writing any components to disk by executing payload modules directly from its resource section, encrypted using ChaCha20.
This in-memory execution strategy enables Raven Stealer to evade signature-based detection and disk-monitoring defenses.
Point Wild analysts identified that the resource‐embedding technique streamlines deployment and complicates forensic analysis, as configuration data and modules are retrieved dynamically at runtime.
After initial credential harvesting, Raven Stealer compiles the stolen artifacts into plain text files within the user’s AppData directory, organized under a folder named “RavenStealer.”
The resulting files—cookies.txt, passwords.txt, and payments.txt—are then prepared for exfiltration.
Data transmission is carried out via Telegram’s Bot API: Raven Stealer embeds a user-supplied Bot Token and Chat ID into its payload, which it retrieves from its own resource configuration.
This integration offers attackers a familiar command-and-control channel while bypassing many corporate network filters.
Despite its reliance on Telegram, the malware maintains resilience against token expiration by prompting the builder UI to accept new credentials upon each payload generation.
Infection Mechanism Deep Dive
Raven Stealer’s infection mechanism hinges on reflective process hollowing to inject its main DLL payload into a suspended Chrome process.
Upon execution, the malware locates the Chrome binary path and launches a new instance in a suspended state:
STARTUPINFO si = { sizeof(si) };
PROCESS_INFORMATION pi;
/* start Chrome suspended so its primary thread never runs the real entry point */
CreateProcessA(chromePath, NULL, NULL, NULL, FALSE,
               CREATE_SUSPENDED | CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);
/* reserve an RWX buffer in the suspended process and copy the encrypted payload into it */
LPVOID remoteBuffer = VirtualAllocEx(pi.hProcess, NULL,
                                     payloadSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(pi.hProcess, remoteBuffer,
                   encryptedPayload, payloadSize, NULL);
Point Wild analysts noted that the payload uses ChaCha20 decryption in memory to reconstruct the DLL before execution.
After writing the decrypted payload into the allocated memory, the malware adjusts thread context to point to the remote buffer and resumes the thread:
DWORD oldProtect;
/* drop the buffer to execute/read, redirect the suspended thread into it, then let it run */
VirtualProtectEx(pi.hProcess, remoteBuffer,
                 payloadSize, PAGE_EXECUTE_READ, &oldProtect);
SetThreadContext(pi.hThread, &modifiedContext);
ResumeThread(pi.hThread);
This approach masks malicious activity under the guise of a legitimate Chrome process, reducing detection likelihood.
Once injected, the DLL enumerates browser profiles, decrypts stored credentials using the AES key found in Chrome’s Local State file, and writes the cleartext data to disk.
Finally, the compiled archive RavenStealer.zip is sent to the attacker’s Telegram channel via the https://api.telegram.org/bot endpoint.
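As an added defender-side example (not part of the Point Wild write-up), the following Python correlates constructed Sysmon-style events for the behaviours described above: a browser process spawned by an unexpected parent, output files under an AppData RavenStealer folder, and a browser process resolving api.telegram.org. The event records, the benign-parent list and the Roaming subfolder are assumptions.

```python
# Added example: correlate Sysmon-style telemetry (EventID 1 ProcessCreate, 11 FileCreate,
# 22 DnsQuery) for the Raven Stealer behaviours described above. Events are constructed.
import re
from collections import defaultdict

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
BENIGN_BROWSER_PARENTS = BROWSERS | {"explorer.exe"}  # heuristic assumption, tune per environment
# Output files the article names: <AppData>\...\RavenStealer\{cookies,passwords,payments}.txt
# plus the staged RavenStealer.zip archive.
ARTIFACT_RE = re.compile(
    r"\\AppData\\.*\\RavenStealer\\(cookies|passwords|payments)\.txt$|\\RavenStealer\.zip$", re.I)
TELEGRAM_BOT_API_HOST = "api.telegram.org"

def image_name(path):
    """Lower-case file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Map ProcessId -> list of indicator descriptions, one per matching event."""
    hits = defaultdict(list)
    for ev in events:
        eid, pid, img = ev["EventID"], ev["ProcessId"], image_name(ev.get("Image", ""))
        if eid == 1 and img in BROWSERS:
            # A hollowed browser is spawned by the loader, not by the shell or by the browser itself.
            parent = image_name(ev.get("ParentImage", ""))
            if parent not in BENIGN_BROWSER_PARENTS:
                hits[pid].append(f"browser launched by unusual parent {parent}")
        elif eid == 11 and ARTIFACT_RE.search(ev.get("TargetFilename", "")):
            hits[pid].append("RavenStealer output file written: " + ev["TargetFilename"])
        elif eid == 22 and img in BROWSERS and ev.get("QueryName", "").lower() == TELEGRAM_BOT_API_HOST:
            hits[pid].append("browser process resolved the Telegram Bot API host")
    return dict(hits)

def alerts(events, min_indicators=2):
    """Report only processes with several independent indicators, to limit false positives."""
    return {pid: r for pid, r in detect(events).items() if len(r) >= min_indicators}

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real infection
    {"EventID": 1, "ProcessId": 4120, "Image": CHROME, "ParentImage": r"C:\Users\victim\Downloads\setup_cracked.exe"},
    {"EventID": 11, "ProcessId": 4120, "Image": CHROME, "TargetFilename": r"C:\Users\victim\AppData\Roaming\RavenStealer\passwords.txt"},
    {"EventID": 22, "ProcessId": 4120, "Image": CHROME, "QueryName": "api.telegram.org"},
    {"EventID": 1, "ProcessId": 5300, "Image": CHROME, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 22, "ProcessId": 5300, "Image": CHROME, "QueryName": "www.google.com"},
]

if __name__ == "__main__":
    for pid, reasons in alerts(SAMPLE_EVENTS).items():
        print(f"PID {pid}: " + "; ".join(reasons))
```

Any one indicator alone is noisy (a user can legitimately open a Telegram bot link in Chrome), so the alert requires at least two on the same process.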