{
	"id": "f7e7d867-0dae-4a1a-b11d-70b61ed0cf5f",
	"created_at": "2026-04-06T00:06:55.727154Z",
	"updated_at": "2026-04-10T03:35:34.315864Z",
	"deleted_at": null,
	"sha1_hash": "13e58dd9cc038b68fb26f55dbd056d855e57f8d8",
	"title": "Inside the V1 Raccoon Stealer’s Den",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1851977,
	"plain_text": "Inside the V1 Raccoon Stealer’s Den\r\nBy Team Cymru\r\nPublished: 2025-04-08 · Archived: 2026-04-05 21:02:29 UTC\r\nExposing links to Kharkiv (Ukraine) and the CC2BTC Marketplace\r\nIntroduction\r\nTeam Cymru’s S2 Research Team has blogged previously on the initial Raccoon stealer command and\r\ncontrol methodology (Raccoon Stealer - An Insight into Victim “Gates”), which utilized “gate” IP addresses\r\nto proxy victim traffic / data to static threat actor-controlled infrastructure.\r\nSince the publication of our previous blog, the following timeline of events has occurred:\r\n1. Raccoon Stealer version one (V1) ceased operations in late March 2022, citing the loss of a developer during\r\nthe Russian invasion of Ukraine.\r\nFigure 1 - Suspension of Raccoon Stealer V1\r\n2. Raccoon Stealer re-emerged with version two (V2) in early June 2022.\r\n3. The US Department of Justice unseals the indictment of Mark Sokolovsky, for crimes related to the operation of\r\nRaccoon Stealer (V1), on 25 October 2022.\r\nhttps://www.team-cymru.com/post/inside-the-v1-raccoon-stealer-s-den\r\nPage 1 of 15\n\nFollowing the unsealed indictment, we wanted to share additional insights from our long-term tracking of\r\nRaccoon Stealer V1 operations, which were previously shared with law enforcement and industry partners.\r\nWhile our previous blog post focused on victim-facing infrastructure, this post will highlight aspects of upstream\r\ninfrastructure and management of Raccoon Server V1 and its associated services.\r\nNote, from this point onwards we will refer to Raccoon Stealer V1 simply as Raccoon.\r\nKey Findings\r\nKey elements of the Raccoon infrastructure identified, including the likely location of victim data storage,\r\na Tor .onion control panel, and a Telegram update server. 
Providing a snapshot into threat actor TTPs with\r\nregards to ‘internal’ architecture.\r\nPivoting from these key elements identified threat actor infrastructure located in Kharkiv, Ukraine, likely\r\nused to operate the service (MaaS).\r\nAttribution of the CC2BTC marketplace to the Raccoon operators, a business model which allowed the\r\nthreat actors to profit twice from the theft of victim data.\r\nStarting at the “Gate”\r\nTo paraphrase our previous blog:\r\nAt the time of execution, Raccoon samples retrieve the URL of the active “gate” from a Telegram channel unique\r\nto the “customer”. The URL is stored in an encrypted string located in the public description of the Telegram\r\nchannel.\r\nThe full decryption process has been covered verbosely by other vendors, and therefore it is unnecessary to repeat\r\nit here.\r\nThough each “customer” had their own Telegram channel, our research found that the “gate” URL, once\r\ndecrypted, was common across all samples at any particular time, indicating this detail was updated centrally.\r\nThe initial infection traffic, where Raccoon checked-in for the first time with the C2 server, therefore appeared as\r\nfollows:\r\nhttps://www.team-cymru.com/post/inside-the-v1-raccoon-stealer-s-den\r\nPage 2 of 15\n\nFigure 2: Initial Infection Traffic\r\nBy examining common upstream peers of the Raccoon “gate” IPs over time, we were able to identify two key\r\nhosts involved in these C2 communications (Step 3 in Figure 2).\r\nBoth IP addresses were assigned to an Italian VPS provider and, with a small number of exceptions, remained\r\nstatic up to the point the Raccoon infrastructure was dismantled.\r\nNote, all threat actor-controlled IP addresses have been redacted from this blog post and are instead\r\nreplaced with descriptive names. 
Researchers requiring sight of these IPs should contact\r\noutreach@cymru.com for further information.\r\nFigure 3: Raccoon C2 Infrastructure\r\nThe Italian IPs both communicated with an IP address assigned to a Dutch provider (C2 Proxy), which appeared\r\nto manage the proxying of data between the two, specifically from C2 Server B to C2 Server A.\r\nIt was noted throughout the threat actors’ infrastructure that communications would alternate between\r\nhosts assigned to either the Dutch or Italian VPS provider (the same two providers were used in all cases).\r\nWe assess this was likely a mechanism intended to cover / disguise activities, whereby one VPS provider\r\nwould not have the complete picture without the other.\r\nWe also observed communications originating from a second IP address assigned to the Dutch provider (Raccoon\r\nCore Server), connecting to C2 Server A on TCP/443. It is our assessment that this IP hosted the core Raccoon\r\nserver, where much of the victim data was likely stored.\r\nPassive DNS data for Raccoon Core Server showed it hosting a domain containing the string “enot”. “Enot” is\r\nthe romanized version of the Russian / Ukrainian word for Raccoon (“енот / єнот”).\r\nTor Control Panel\r\nOne of the “selling points” of Raccoon was the provision of a control panel for its customers, accessible over the\r\nTor network as a .onion site. 
The control panel was most recently hosted at:\r\ndq7shlx5o67t64ljuzisyp34s3n7vepnhc5ijt5hjh433qzaatyj5bid[.]onion\r\nFigure 4: Login Page for the Raccoon Control Panel\r\nWhen assessing inbound connections to the Raccoon Core Server, we observed a high volume of\r\ncommunications originating from Possible Tor Host (assigned to the Italian VPS provider), an IP which in turn\r\nexchanged a large number of communications with known Tor relays, based on available Consensus data at the\r\ntime of analysis.\r\nFigure 5: Communications with Raccoon Core Server\r\nOur hypothesis is that Possible Tor Host hosted the back-end infrastructure for the Tor .onion site, which Raccoon\r\n“customers” used to access / manage stolen data stored on the Raccoon Core Server, and to provide further\r\nupdates to victim machines back through the infrastructure described in Figure 3.\r\nTelegram Updates\r\nAnother element of Raccoon’s core functionality, as already described above, was the use of Telegram channels -\r\nwhich we believe were updated centrally.\r\nWhilst building out infrastructure communicating with key elements of the threat actors’ operation, and also\r\nhosted on IPs assigned to the Dutch and Italian VPS providers, we identified a candidate for the Telegram update\r\nserver.\r\nTelegram Update Server was observed in regular communications with IPs overtly assigned to Telegram,\r\ngenerally coinciding with when “gate” IPs were updated in the Raccoon campaigns we were tracking. 
In addition,\r\nTelegram Update Server received regular inbound connections from a number of Cloudflare IPs, potentially\r\nindicating a clearweb service hosted on this IP behind Cloudflare’s infrastructure.\r\nPassive DNS data for Telegram Update Server showed it hosting a domain containing the string “raccoon-core”\r\nas of late 2019.\r\nFigure 6: Infrastructure Overview\r\nTelegram Update Server also communicated with Possible Tor Host, believed to host the Tor .onion site\r\nreferenced above, via an intermediary (XMPP Proxy). Open ports information, particularly relating to the use of\r\nTCP/4443 in these communications, indicated the use of an XMPP file transfer protocol. It is possible these\r\ncommunications were indicative of a “closing of the loop” between the Telegram channel updates and the\r\ninformation presented to the Raccoon “customers” in the .onion control panel.\r\nManagement Leads to Kharkiv, Ukraine\r\nWith several key elements of infrastructure identified, we began to look for IPs outside of the network which\r\nmight be used for management purposes, i.e., connecting into the Dutch and Italian hosts.\r\nFortunately, like many aspects of the Raccoon infrastructure, the external management IPs remained consistently\r\nstatic. 
From 2021 onwards, we observed the same two IP addresses connecting to several key hosts, including the\r\nTor .onion site and Telegram update servers, on TCP/22 (SSH).\r\nWHOIS information for both IPs pointed to a Ukrainian ISP called TRIOLAN (AS13188), and in particular to the\r\ncompany’s Kharkiv infrastructure.\r\nFigure 7: Management IP WHOIS Information\r\nBased on the available information, TRIOLAN appears to be a provider of home / small office broadband services\r\n- indicating to us that these may in fact be the ultimate source of the threat actors’ Internet access.\r\nWhere Else Does the Management Lead Us?\r\nHaving identified the threat actors’ management IPs, we decided to look in more detail at the other IP addresses\r\nthey were accessing via SSH (TCP/22).\r\nOne such IP quickly became very intriguing to us.\r\nFigure 8: Is this a Marketplace?\r\nPossible Marketplace, assigned to the same Italian VPS provider as referenced previously, received inbound management\r\nconnections from both Ukrainian IPs. Additionally, it made outbound connections to two cryptocurrency platforms\r\nand a number of Tor relays.\r\nOur initial thoughts were that this IP address was connected to the operation of a marketplace or payment service.\r\nIn October 2021 we hit gold.\r\nWe began to observe outbound connections from Possible Marketplace to an IP assigned to a Lithuanian VPS\r\nprovider (NFS Server) on TCP/2049. 
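The pivots described so far (common upstream peers of the “gate” IPs in Figure 2, management IPs picked out by their SSH connections into several key hosts, and the further hosts those management IPs administer, down to what such a host then talks to itself) reduce to a few passes over flow records. The Python below walks that chain end to end as an added example; it is not Team Cymru’s tooling and not code from the original post. The flow records are constructed, every IP is from the RFC 5737 documentation ranges (standing in for the redacted hosts), and the record layout, the ports and the thresholds are assumptions of the example.

```python
'''Pivoting on flow records to find shared upstream infrastructure.

Added example, not Team Cymru tooling. Every IP below is from the RFC 5737
documentation ranges and stands in for a host the post redacts.
'''
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_port), one per observed
# connection, src being the initiator. Layout is an assumption of the example.
FLOWS = [
    # victims checking in to three gate IPs (Figure 2, step 1)
    ('198.51.100.10', '203.0.113.1', 80),
    ('198.51.100.11', '203.0.113.1', 80),
    ('198.51.100.12', '203.0.113.2', 80),
    ('198.51.100.13', '203.0.113.3', 80),
    # each gate proxies on to the same pair of upstream hosts (step 3)
    ('203.0.113.1', '192.0.2.10', 443),
    ('203.0.113.2', '192.0.2.10', 443),
    ('203.0.113.3', '192.0.2.10', 443),
    ('203.0.113.1', '192.0.2.11', 443),
    ('203.0.113.3', '192.0.2.11', 443),
    # noise: one gate also talks to a host no other gate uses
    ('203.0.113.2', '192.0.2.99', 443),
    # management: two broadband IPs SSH into the key hosts and one more host
    ('192.0.2.200', '192.0.2.10', 22),
    ('192.0.2.200', '192.0.2.11', 22),
    ('192.0.2.201', '192.0.2.10', 22),
    ('192.0.2.201', '192.0.2.11', 22),
    ('192.0.2.200', '192.0.2.50', 22),
    ('192.0.2.201', '192.0.2.50', 22),
    # noise: an SSH scanner touching a single host once
    ('192.0.2.250', '192.0.2.10', 22),
    # what the newly found host itself initiates
    ('192.0.2.50', '192.0.2.60', 2049),
    ('192.0.2.50', '192.0.2.70', 443),
]
GATES = {'203.0.113.1', '203.0.113.2', '203.0.113.3'}


def common_upstream_peers(flows, gates, min_gates=2):
    '''Destinations contacted by at least min_gates distinct gate IPs.

    Victim traffic fans in to a gate from many sources, but the gate's own
    outbound traffic should converge on the few hosts it proxies to, so a
    destination shared by most gates is a C2 candidate.
    '''
    reached_by = defaultdict(set)
    for src, dst, _port in flows:
        if src in gates:
            reached_by[dst].add(src)
    ranked = [(dst, len(srcs)) for dst, srcs in reached_by.items()
              if len(srcs) >= min_gates]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def management_candidates(flows, key_hosts, port=22, min_hosts=2):
    '''Sources reaching at least min_hosts of the key hosts on port.

    A single SSH hit is usually a scanner; an operator administering the
    estate touches several key hosts from the same address.
    '''
    hosts_per_src = defaultdict(set)
    for src, dst, dport in flows:
        if dport == port and dst in key_hosts:
            hosts_per_src[src].add(dst)
    return sorted(src for src, hosts in hosts_per_src.items()
                  if len(hosts) >= min_hosts)


def pivot_from_management(flows, mgmt_ips, known_hosts, port=22):
    '''Hosts the management IPs also administer on port but not yet attributed.'''
    return {dst for src, dst, dport in flows
            if src in mgmt_ips and dport == port and dst not in known_hosts}


def outbound_services(flows, host):
    '''Destination port -> destinations for connections initiated by host.'''
    by_port = defaultdict(set)
    for src, dst, dport in flows:
        if src == host:
            by_port[dport].add(dst)
    return dict(by_port)


if __name__ == '__main__':
    c2 = common_upstream_peers(FLOWS, GATES)
    print('C2 candidates (dst, gates seen):', c2)
    key_hosts = {dst for dst, _ in c2}
    mgmt = management_candidates(FLOWS, key_hosts)
    print('management IPs:', mgmt)
    for host in sorted(pivot_from_management(FLOWS, set(mgmt), key_hosts)):
        print(host, 'also managed from those IPs; it initiates:',
              outbound_services(FLOWS, host))
```

Run as a script it prints the two C2 candidates, the two management IPs, and the extra host both of them administer together with that host’s own outbound connections (here a single TCP/2049 peer). The threshold arguments (min_gates, min_hosts) are where real data needs tuning: a single-hit SSH scanner must not rank alongside an operator, and a gate that briefly used a fallback host should not promote it to C2 on its own.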
Port 2049 is commonly associated with Network File System (NFS), a file\r\nsystem protocol from the prehistoric age of the Internet.\r\nNFS is generally deployed within networks and is used to mount exported shares on remote servers - enabling\r\nusers to access data as if it were stored locally, but without the hard disk constraints.\r\nUsing NFS across the Internet is NOT advisable in 2022 (or in this case also 2021).\r\nBut in this case, this is exactly what the threat actors were doing. Internet scan data for NFS Server listed its\r\nexported shares, and the IP addresses from which each share was accessible.\r\nNote, we did not seek to access any of the data stored on NFS Server and therefore cannot comment on its\r\ncontents.\r\nFigure 9: Shares Mounted on NFS Server\r\nA few things in Figure 9 stood out to us:\r\n1. The first share, entitled “rst”, mapped to Raccoon Core Server - the IP identified above (Figure 3) as the\r\nlikely Raccoon core server.\r\n2. The likelihood that “rst” = Raccoon stealer.\r\n3. 
The second share, entitled “cbtc”, mapped to Possible Marketplace (Figure 8).\r\nBased on our initial assessments of Possible Marketplace, we began to look at candidate underground economy\r\nmarketplaces for potential matches with the string “cbtc”.\r\nCC2BTC Marketplace\r\nOur search led us to CC2BTC, a marketplace intended specifically for the trade of stolen credit card information;\r\nhandily one of the key targets of Raccoon.\r\nFigure 10: Advertisement for CC2BTC\r\nReviewing the advertisements for CC2BTC, it appeared that the business model was to charge “customers” to\r\naccess the marketplace, limiting the number of credit card details they could purchase per day based on their\r\nmembership tier: Aluminum, Bronze, Silver, Gold, or Platinum.\r\nA post from May 2020 identified the cost of each tier - although it is not clear if this was a one-off payment or a\r\nsubscription.\r\nFigure 11: CC2BTC Membership Tiers\r\nWe were also able to identify a Telegram channel utilized by the operators of CC2BTC to update “customers” on a\r\ndaily basis, and often several times per day, on the latest “merchandise” available for purchase.\r\nFigure 12: Example of the CC2BTC Telegram Updates\r\nIn Figure 12, credit cards from Canada, the United States, Singapore, the United Kingdom, and Brazil (in order of\r\nappearance) were offered for sale on 2 February 2022.\r\nAt this stage, the idea that “cbtc” = CC2BTC seemed plausible, however the following series of events in March\r\n2022 helped us to solidify this assessment.\r\nFirstly, on 20 March 2022, the “last” update was made to the CC2BTC Telegram channel.\r\nFigure 13: Final 
Update in the CC2BTC Telegram Channel\r\nSecondly, around 25 March 2022, users of CC2BTC began to realize something had “gone wrong”, discussing this\r\nfact in other underground forums.\r\nFigure 14: Concern is Raised About the Fate of CC2BTC\r\nIt was around this time that CC2BTC disappeared completely, with no response to any of their concerned\r\ncustomers.\r\nBy the end of March 2022, the user “cc2btc” was banned from one carding forum, and the CC2BTC logo removed\r\nas a ‘sponsor’ from another.\r\nFigure 15: User ‘cc2btc’ Banned from Carding Forum\r\nWithout wanting to state the obvious, the disappearance of CC2BTC coincided completely with the cessation of\r\nRaccoon operations.\r\nConclusion\r\nBased on our assessment that the operators of Raccoon and CC2BTC are one and the same, it appears that they\r\nhad established a savvy business model prior to the disappearance of both services. 
By firstly charging\r\n“customers” of Raccoon for access to their malware, which was subsequently used by those customers to steal\r\nvictim data, and secondly charging “customers” of CC2BTC for access to their marketplace to, in theory, purchase\r\ncredit card information stolen via Raccoon deployments, they were in effect able to profit twice from the same\r\ndata theft.\r\nFigure 16: Hypothetical Business Model\r\nWe hope that in sharing these findings we have provided another snapshot into the ‘business world’ of cyber-crime, and additional considerations for investigators when assessing the extent and impacts of data theft\r\nover the Internet.\r\nThe news of an arrest in the case of Raccoon demonstrates that offenders can and will face justice.\r\nSource: https://www.team-cymru.com/post/inside-the-v1-raccoon-stealer-s-den",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.team-cymru.com/post/inside-the-v1-raccoon-stealer-s-den"
	],
	"report_names": [
		"inside-the-v1-raccoon-stealer-s-den"
	],
	"threat_actors": [
		{
			"id": "7d8ef10e-1d7b-49a0-ab6e-f1dae465a1a4",
			"created_at": "2023-01-06T13:46:38.595679Z",
			"updated_at": "2026-04-10T02:00:03.033762Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"TwoForOne",
				"G0068",
				"ATK33"
			],
			"source_name": "MISPGALAXY:PLATINUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e61c46f7-88a1-421a-9fed-0cfe2eeb820a",
			"created_at": "2022-10-25T16:07:24.061767Z",
			"updated_at": "2026-04-10T02:00:04.854503Z",
			"deleted_at": null,
			"main_name": "Platinum",
			"aliases": [
				"ATK 33",
				"G0068",
				"Operation EasternRoppels",
				"TwoForOne"
			],
			"source_name": "ETDA:Platinum",
			"tools": [
				"AMTsol",
				"Adupib",
				"Adupihan",
				"Dipsind",
				"DvDupdate.dll",
				"JPIN",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"RedPepper",
				"RedSalt",
				"Titanium",
				"adbupd",
				"psinstrc.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33f527a5-a5da-496a-a48c-7807cc858c3e",
			"created_at": "2022-10-25T15:50:23.803657Z",
			"updated_at": "2026-04-10T02:00:05.333523Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"PLATINUM"
			],
			"source_name": "MITRE:PLATINUM",
			"tools": [
				"JPIN",
				"Dipsind",
				"adbupd"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434015,
	"ts_updated_at": 1775792134,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/13e58dd9cc038b68fb26f55dbd056d855e57f8d8.pdf",
		"text": "https://archive.orkl.eu/13e58dd9cc038b68fb26f55dbd056d855e57f8d8.txt",
		"img": "https://archive.orkl.eu/13e58dd9cc038b68fb26f55dbd056d855e57f8d8.jpg"
	}
}