{
	"id": "a52d266f-4b40-4f2e-8493-cb78eddf28c1",
	"created_at": "2026-04-06T00:18:52.169487Z",
	"updated_at": "2026-04-10T13:12:09.968046Z",
	"deleted_at": null,
	"sha1_hash": "468abd594130471a9d2428f93d4c7b443c38e63e",
	"title": "Hunting Raccoon: The New Masked Bandit on the Block",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3020490,
	"plain_text": "Hunting Raccoon: The New Masked Bandit on the Block\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 22:04:45 UTC\r\nResearch by: Assaf Dahan \u0026 Lior Rochberger\r\nIntroduction\r\nSince April 2019, the Cybereason Nocturnus team has investigated multiple infections of the Raccoon stealer in the wild\r\nacross organizations and individuals. In this research, we focus on two key aspects:\r\nA Glimpse Into the Underground: A survey of Raccoon’s origin, team members, business model, and marketing\r\nefforts, as well as Raccoon’s reception by the underground cybercrime community and the existing feuds between\r\nRaccoon’s team and their direct competitors.\r\nA Technical Breakdown: A comprehensive technical overview of Raccoon’s current capabilities and delivery\r\nmethods, with a look into their future plans for the malware.\r\nThe top 10 malware mentions over seven months in 2019 from Recorded Future.\r\nThe Raccoon stealer is one of the 2019 top 10 most-mentioned malware in the underground economy and is widely known\r\nto have infected hundreds of thousands of devices around the world, despite it not being overly sophisticated or innovative.\r\nThis strain of malware first emerged as recently as 2019, and has already established a strong following among\r\ncybercriminals. Its popularity, even with a limited feature set, signals the continuation of a growing trend of the\r\ncommoditization of malware as malware authors follow a MaaS (Malware-as-a-Service) model and evolve their efforts.\r\nhttps://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block\r\nPage 1 of 19\n\n
\r\nKey Points\r\nThe Raccoon Infostealer: The Cybereason Nocturnus team has been investigating multiple incidents involving the\r\nRaccoon infostealer since April 2019, and is now able to give a thorough analysis of the technical aspects of the\r\nmalware alongside a look into the likely Russian team behind it.\r\nSteals a Wide Range of Data: Raccoon lacks sophistication, but leverages several potential delivery methods and is\r\nable to steal a large swath of important data, including credit card information, cryptocurrency wallets, browser data,\r\nand email credentials.\r\nIs Quickly Gaining Traction: Despite being released earlier this year, the Raccoon stealer is exploding in popularity\r\nin the underground community to become one of the top 10 most-referenced malware on the market in 2019,\r\ninfecting hundreds of thousands of endpoints globally across organizations and individuals in North America,\r\nEurope, and Asia.\r\nEnables Any Individual to Easily Commit Cybercrime: Raccoon follows a malware-as-a-service model, allowing\r\nindividuals a quick-and-easy way to make money stealing sensitive data without a huge personal investment or\r\ntechnical know-how.\r\nHas a Strong Following Underground: The team behind Raccoon is lauded in the underground community for their\r\nlevel of service, support, and user experience, but has faced several bouts of public feuds and internal disputes.\r\nTABLE OF CONTENTS\r\nWhat is the Raccoon Infostealer?\r\nThreat Actor Overview\r\nRaccoon’s Reception in the Underground Community\r\nRaccoon Stealer Overview\r\nHow is Raccoon Affecting Businesses and Individuals?\r\nConclusion\r\nAppendix\r\nWhat is the Raccoon Infostealer?\r\nRaccoon, also known as “Mohazo” or “Racealer”, is at its core a simple information stealer often seen delivered by the\r\nFallout and RIG Exploit Kits. It is used to steal data like credit card information, cryptocurrency wallets, browser-related\r\ndata, and mail clients. 
Although it is not an advanced malware, it is estimated to have infected hundreds of thousands of\r\ndevices around the world and is in the top 10 mentioned in the underground communities for 2019.\r\nRaccoon is written in C++ and works on both 32-bit and 64-bit operating systems. Though it was originally classified as a\r\npassword stealer by many AV companies, we and others in the community see it leverage broader capabilities and categorize\r\nit as an information stealer.\r\nRaccoon searches system files for a range of confidential data which it saves and sends to its operator. It is able to collect the\r\nfollowing data:\r\nCredit Card Data\r\nCryptocurrency Wallets\r\nPasswords\r\nEmails\r\nData from All Popular Browsers Including Credit Card Info, URLs, Usernames, Passwords\r\nCookies\r\nSystem Information\r\nThreat Actor Overview\r\nThe Raccoon stealer is developed by a team that appears to originate in Russia and be Russian-speaking. The team initially\r\npromoted the stealer in exclusively Russian-speaking hacking forums, but now actively promotes it in English-speaking\r\ncommunities as well. It is aggressively marketed in the cybercrime underground and has been since April 2019.\r\nRaccoon stealer marketed in a Russian underground forum.\r\nRaccoon is sold as a MaaS with features like an easy-to-use automated backend panel, bulletproof hosting, and 24/7\r\ncustomer support in both Russian and English. As of this writing, it costs $200 per month to use.\r\nHow to contact the Raccoon Team.\r\nMuch like any other software-as-a-service, the Raccoon stealer appears to be in active development. The development team\r\nseems to be quick, responsive, and dedicated, using short development cycles to release updates, bug fixes, and new features\r\nwithin days. They are also highly active in underground communities under the username raccoonstealer. 
They post daily\r\nand reply to community questions and comments within hours in underground forums and on Telegram.\r\nWho is behind the Raccoon Stealer?\r\nWhile the identity of the team behind Raccoon remains unknown, some members in the underground community attribute\r\nthe project to another well-known member, glad0ff. Alexuiop1337, the author of the Predator stealer and one of the strongest\r\ncritics of Raccoon, was one of the first to make this allegation. Of course, the accusations made by direct competitors should\r\nbe taken with a grain of salt. However, the leads Alexuiop1337 provided in his blog can potentially tie glad0ff to Raccoon.\r\nAn analysis of the Raccoon stealer’s hacked panel and leaked customer base could imply the admin of Raccoon is a user\r\nwith the online handle glad0ff. The user glad0ff was created in the Raccoon stealer’s database in February of 2019, roughly\r\ntwo months before the team began aggressively marketing Raccoon to the underground community.\r\nglad0ff user creation date in Raccoon’s database.\r\nOne of the first mentions of Raccoon in underground forums.\r\nWho is glad0ff?\r\nglad0ff is a long-time threat actor responsible for developing malware like the Decrux and Acrux cryptominers, the Mimosa\r\nRAT and the ProtonBot loader. glad0ff caters to less sophisticated cyber criminals looking for easy-to-use, end-to-end\r\nsolutions. Similar to customers of Raccoon, customers from many of glad0ff’s previous projects praise the quality of service,\r\ndedication, and responsiveness when fixing issues. 
It was previously believed that glad0ff operated alone; however, there are\r\nindications that the Raccoon stealer involved other members, as we discuss later on.\r\nIt’s also interesting to note that glad0ff stopped posting in many underground forums in April of 2019, which aligns with the\r\nlaunch of the Raccoon stealer.\r\nLast seen date for the glad0ff user.\r\nIs Raccoon Tied to Malware from Other Threat Actors?\r\nOther members in the underground community have questioned whether Raccoon is linked to other stealers like Vidar and\r\nBaldr, as they noticed great similarities between the aforementioned infostealers. Raccoon team members consistently deny\r\nany ties to other stealers.\r\n“Do you have any relation to the Vidar team?” Reply: “No.”\r\nRaccoon’s Reception in the Underground Community\r\nIt is interesting to note that many individuals choose to write reviews for Raccoon. As malware authors turn to MaaS, they\r\nfollow many of the same paths as a legitimate SaaS business: marketing efforts, relying on positive reviews, responsive\r\ncustomer support, and regularly improving features in their product.\r\nPositive Feedback and Endorsements\r\nGenerally, feedback around Raccoon in the underground community is positive. Many in the community praise and endorse\r\nRaccoon’s malware capabilities and the services the team provides. Some voices in the community even endorse it as a\r\nworthy replacement for the famous Azorult stealer. However, it is important to note that there are some dissenting opinions.\r\nAdvanced members in the community find Raccoon to be simple and lacking in features when compared to other\r\ninformation stealers. 
With that said, many in the community believe that while the malware may lack in features,\r\nsophistication, or innovation, it largely makes up for it with consistency and an impressive level of service, support, and\r\nquality user experience.\r\nRaccoon’s high adoption despite its limited feature set speaks to a growing trend of the\r\ncommoditization of malware, as malware authors shoot to create platforms for crime instead of committing the crimes\r\ndirectly.\r\nExample #1: Early Adopter Replaces Azorult\r\nThis early adopter of Raccoon claims he has been using it since the initial launch. After Azorult was shut down at the end of\r\n2018, he tried almost every stealer on the market before settling on Raccoon.\r\n“I am among the first clients of these guys, practically using their product since the initial launch. I have used many other\r\nstealers before, essentially I tried all there is in this market to offer. After the “death” of “azora” (Azorult malware), I\r\nsearched for a long time for a decent replacement and finally, found it in Raccoon!”\r\nExample #2: Praise for Excellent Service\r\nThis user leveraged a free trial of Raccoon, and deemed it an excellent product they were interested in switching to. They\r\nspecifically reference one instance where there was a bug in the panel’s search engine that was fixed immediately on the fly.\r\n“They let me try the stealer for a few days. In general, first impressions were good. The rate of successful infection is very\r\ngood. Had an issue with the control panel’s search engine. Problem was solved immediately, on the fly ) There is no support\r\nfor IE, and the download of all logs, but I have been told that these features will be added in the near future. 
Not bad at all.\r\nThinking of getting it as soon as my current lease is over)”\r\nExample #3: User Testimonial - A Worthy Replacement for Azorult\r\nThis user switched from Azorult to Raccoon because of how easy the control panel was to use. In addition, the user\r\nexperiences a very high success rate and is a big supporter of the quality of service.\r\n“I switched from azor (Azorult) to raccoon and got a great joy of how convenient the admin control panel is, there are no\r\nextra, unnecessary details such as in vidar (Vidar malware) but there are these small, little details that are helpful and\r\nmandatory for people who process a large amount of logs. If judging the build, that everything is alright, with azor I always\r\nhad around 60%+ of successful infection rate and here I found a good crypter and have 90% of rate…[snipped] What\r\nsurprised me is the support that treats you as a VIP class client, they will do whatever you demand and with expressing\r\ngratitude, etc. it is very nice and I have never experienced it anywhere else.”\r\nCriticism of Raccoon by Members of the Underground Community\r\nSince day one, some members of the underground community have criticized Raccoon, specifically targeting its lack of\r\ncapabilities, poor coding, and several security issues in the infrastructure and admin panel code.\r\nPerhaps one of the most negative reviews comes from Alexuiop1337. Alexuiop1337 wrote a very detailed blog dissecting\r\nand criticizing the malware and its infrastructure. According to Alexuiop1337, Raccoon has vulnerabilities that let attackers\r\nDDoS their servers and dump sensitive data. 
In his review, Alexuiop1337 also tries to expose the identity of one of the\r\ndevelopers behind Raccoon by claiming it is glad0ff/wankfbi, another member of the underground community.\r\nOther negative reviews voiced by customers or testers complain that Raccoon has:\r\n1. A low success rate for infection at about 45%.\r\n2. Some bugs that make it difficult to access logs and delete logs from the control panel.\r\n3. Some missing information or version compatibility issues in its stealing modules.\r\n“- The stealer often doesn’t steal software or its version, and for me it was important\r\nThe cookies from the stealer are often transferred incomplete,\r\nI don't understand why it does it, but in the previous stealer there were no such problems ”\r\nPublic Disputes and Controversies with the Raccoon Team\r\nWithin the underground community, the Raccoon team is also facing some public disputes and controversies. These disputes\r\noffer an important glimpse into the inner workings of the team and give a broader sense of just how competitive the\r\ncommodity malware market is.\r\nIn addition, these conflicts validate our hypothesis that Raccoon is not operated by a single user, but by a team. They give\r\ninsight into the types of relationships the team members have and how fragile and opportunistic those ties can be.\r\nInternal Disputes Shed Light on the Raccoon Team Dynamics\r\nThe first public signs of tension between Raccoon team members began shortly after their launch in April. Following a leak\r\nof their customer database, the team released a statement claiming their servers were not hacked, but that the leak was\r\ncaused by a disgruntled team member using the database as blackmail for more money. When the team member’s demands\r\nwere not met, they released the database to embarrass the Raccoon team. 
Though the team explicitly states the blackmailer\r\nwas not working directly with their competitors, they did accuse Alexuiop1337 and overdot of hyping the situation in order\r\nto capitalize on it.\r\n“The aforementioned user had access to the intra-team test API (dock), had all the links, had a password from the admin\r\naccount, which allowed us to document the list of users and register accounts for their unfortunate pentesters. Yes, our\r\nmistake was that after the reorganization of the team, we did not react quickly enough, no one expected such meanness.”\r\n“This person will do what it takes, for personal revenge against the project. On the launch day, he demanded money from\r\nus, threatened us, but even after that we couldn’t believe that he was capable of such baseness.”\r\n“We do not claim that @Alexuiop1337 and @overdot work directly with this person, but an attempt to hype this situation on\r\nbehalf (of the aforementioned person)”\r\nAdditionally, in June of 2019 raccoonstealer published an unusual post that revealed an internal feud with former team\r\nmembers. Allegedly, Participant 777 (777@raccoon.biz) stole $900 from the community balance and left the project.\r\n\"Attention!\r\nWe do not offer any services except the rental of our software! Participant 777 left the project, taking $900 from the shared\r\ncommon fund. 
There was a scam attempt from the telegram account @enot_support.\r\nIn the “expe” (Russian slang for the infamous “exploit[.]in” underground hacking community), they blacklisted the\r\naforementioned account.\r\nTHE ONLY CONTACTS FOR CONTACTING US!\r\nJabber: support@raccoon.biz randomuser@ucia.icu green@raccoon.biz Telegram: @ darkgr33n”\r\nThese two incidents make it clear that Raccoon is developed by several individuals that work together, but are not\r\nnecessarily a tight-knit team.\r\nRaccoon Stealer Overview\r\nHow is Raccoon Delivered?\r\nRaccoon is delivered in multiple ways, though we see Raccoon delivered most often through exploit kits, phishing attacks,\r\nand through bundled malware.\r\nDelivery by Exploit Kit\r\nExploit kits automatically exploit vulnerabilities on a victim’s machine while they are browsing the web. In browsing the\r\nweb, the user visits a malicious page that redirects to a landing page containing exploit code, often executed without the\r\nuser’s consent or interaction.\r\nIn order to deliver Raccoon, the attackers leverage the Fallout exploit kit to spawn a PowerShell instance from Internet\r\nExplorer and subsequently download the main payload of the infostealer.\r\nThe Fallout exploit kit delivers Raccoon, as seen in the Cybereason platform.\r\nDelivery by Phishing\r\nPhishing is a social engineering attack where a user is tricked into executing malicious content. Most commonly, the user\r\nreceives an email with an attached Office document. This document contains embedded malicious macro code that, when\r\nopened, executes.\r\nIn order to deliver Raccoon, the attackers use an email with an attached Word document. 
Upon opening the Word document\r\nand enabling macros, the macro code creates a connection to a malicious domain and downloads the main payload of the\r\ninfostealer.\r\nThe malicious Word document downloading the Raccoon stealer payload, as seen in the Cybereason platform.\r\nDelivery by Bundled Malware\r\nBundled malware is malware that is bundled with legitimate software downloaded from “shady” websites. The bundled\r\nmalware is often hidden from the user during installation or makes use of social engineering techniques to enable\r\ninstallation.\r\nIn order to deliver Raccoon, the attackers use legitimate software bundled with the main payload of the infostealer to infect\r\nunsuspecting users. Raccoon installs itself behind-the-scenes, hidden from the user.\r\nExploring Raccoon’s Code and Core Functionality\r\nThe internal path from malware compilation on the attacker’s machine.\r\nAs mentioned above, the Raccoon team appears to be of Russian origin. A typo found in the internal path also suggests they\r\nare not native English speakers.\r\nThe Raccoon team issuing a recommendation for a third-party crypter.\r\nThe main payload of Raccoon is not packed and does not include built-in anti-debug or anti-VM protections. It is sold as-is\r\nwithout any protection from analysts or detection. However, the Raccoon team does recommend a third-party crypter called\r\nGreenCrypt to evade antivirus products and protect against detection and analysis.\r\nRaccoon’s Communication with its C2 Server\r\nOnce the loader executes on the target machine, it unpacks itself in memory and connects to its C2 server. 
Raccoon sends a\r\nPOST request with Base64-encoded parameters bot_id and config_id.\r\nRaccoon sending a POST request with two parameters.\r\nUpon successful connection and verification of Raccoon’s Bot ID, it downloads a compressed zip file with multiple different\r\nDLLs. These DLLs are not necessarily malicious on their own, but Raccoon depends on them to successfully collect and\r\nsteal data on the target machine.\r\nGathering Local Settings on the Target Machine\r\nThe Raccoon stealer code checks the target machine’s local settings.\r\nHowever, the Raccoon stealer does check the target machine’s local settings and compares them against a list of languages,\r\nincluding Russian, Ukrainian, Belarusian, Kazakh, Kyrgyz, Armenian, Tajik, and Uzbek. If the target machine’s local\r\nsettings match one of these languages, the malware immediately aborts. This is common practice by malware originating\r\nfrom CIS countries.\r\nCollecting Sensitive Data\r\nAfter initial infection, the Raccoon stealer uses several methods to collect sensitive information. It stores any sensitive\r\ninformation it finds in the Temp folder.\r\nCapturing Screenshots from Infected Machine\r\nThe Raccoon stealer code takes a screen capture of the target machine.\r\nRaccoon takes a screen capture of the target machine using GetDesktopWindow and CreateCompatibleBitmap, and stores it\r\nas screen.jpeg in the Temp folder.\r\nStealing System Information\r\nRaccoon collects system information from the infected machine, including username, IP address, language settings, OS\r\nversion, information on installed apps, and CPU and memory information. 
The information is stored in a text file found in:\r\nC:\\Users\\[user]\\AppData\\Local\\Temp\\machineinfo.txt\r\nInformation collected by the Raccoon Stealer.\r\nStealing Browser Information\r\nA lot of saved browser data is stored within SQLite database files on a local machine. For example, when a user saves their\r\nusername and password in the browser, the browser stores the data in a Login Data SQLite database file. The browser also\r\nstores cookie information in a cookies file, and other autofill data, like credit card data, in a Web Data file.\r\nRaccoon steals this information from over thirty different browser types. It searches the registry software hive for installed\r\nbrowsers and steals credentials, cookies, and autofill data from targeted browsers.\r\nBrowsers Targeted by the Raccoon Stealer\r\nChrome, Amigo, RockMelt, Sputnik\r\nChromium, Orbitum, 360Browser, Kometa\r\nXpom, Bromium, Vivaldi, uCozMedia\r\nComodo, Nichrome, Opera, QIP Surf\r\nEpic Privacy Browser, CocCoc, Suhba, Chedot\r\nCentBrowser, Elements Browser, Safer Technologies - Secure Browser, Superbird\r\n7Star, TorBro, Rafotech - Mustang, Torch\r\nFirefox, WaterFox, SeaMonkey, Pale Moon\r\nGO!\r\nExample of Raccoon’s browser stealing configuration code\r\nRaccoon copies targeted browser data files to the Temp folder with random names. It uses a DLL, SQLite3.dll, downloaded\r\nfrom its C2 server to parse the files and extract sensitive data. 
The stolen information is divided into several text files named\r\nafter their associated browser and saved under Temp/browsers.\r\nRaccoon also creates one master file with the name passwords.txt that contains any and all passwords stolen from the\r\nvictim’s machine.\r\nExample of the format of passwords.txt, containing passwords stolen by Raccoon.\r\nStealing Outlook Accounts\r\nRaccoon’s code to extract information about Microsoft Outlook accounts.\r\nRaccoon extracts information about Microsoft Outlook accounts from registry keys on the target machine.\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Microsoft Outlook Internet Settings\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\r\nIn addition, Raccoon searches the Windows Registry for sensitive information stored in Mail clients, such as usernames and\r\npasswords, then saves it to a text file under Temp/mails.\r\nRaccoon gathering information from Mail client accounts on the target machine.\r\nStealing Cryptocurrency Wallets\r\nRaccoon searches for multiple cryptocurrency wallets on the machine, including:\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Electrum\\wallets\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Jaxx\\Local Storage\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Exodus\\exodus.wallet\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Ethereum Wallet\r\nIf any cryptocurrency wallets are found, they are saved under Temp.\r\nFor the convenience of the client, Raccoon has a service that automatically processes all cryptocurrency wallets 
without\r\nneeding to search for specific logs among all the stolen data.\r\nNew features to come?\r\nCurrent versions of Raccoon do not have keylogging functionality. Several users in the underground community are asking\r\nfor this feature, and the Raccoon team has suggested it may be available in the future.\r\nScreenshot from the underground community of the Raccoon team considering adding support for keylogging.\r\nData Exfiltration \u0026 Self Deletion\r\nRaccoon saves all stolen data to a zip file gate.zip and sends the information to its C2 server.\r\nAll stolen data Raccoon has collected on the target machine.\r\nAfter it successfully exfiltrates all sensitive data, Raccoon deletes its binary from the victim’s machine, as can be seen in the\r\nfollowing screenshot of Raccoon’s process spawning cmd.exe with ping.exe and executing the deletion command.\r\nThe malicious process Raccoon creates to delete any trace on the machine.\r\nHow is Raccoon Affecting Businesses and Individuals?\r\nBased on the logs for sale in the underground community, Raccoon is estimated to have infected over 100,000 endpoints\r\nworldwide within a few months. It is easy to operate for technical and nontechnical individuals alike, lending it mass appeal.\r\nMoreover, the team behind Raccoon is constantly working to improve it and provide responsive service. It gives individuals\r\na quick-and-easy way to make money stealing sensitive data without investing a lot of funds or having a deep technical\r\nbackground.\r\nRaccoon collects a wide swath of information, including credit card information, cryptocurrency wallets, usernames and\r\npasswords, and browsing data, which is used to steal corporate data, money, and other sensitive information. 
This data is\r\nused against victims as blackmail or monetized by cybercriminals selling it in underground communities.\r\nCybereason Vs. Raccoon?\r\nIn addition to our anomalous behavior detection and investigation capabilities, Cybereason’s NGAV technology can detect\r\nand prevent Raccoon infections.\r\nScreenshot from VirusTotal, Cybereason NGAV detects Raccoon’s executable as malicious.\r\nCybereason platform prevents the malicious executable.\r\nConclusion\r\nThough the Raccoon stealer may not be the most innovative infostealer on the market, it is still gaining significant traction\r\nin the underground community. Based on testimonials from the underground community, the Raccoon team provides\r\nreliable customer service to give cybercriminals a quick-and-easy way to commit cybercrime without a huge personal\r\ninvestment.\r\nThis has not come without strife. The team has faced several public disputes in underground forums, and has received some\r\ncriticism from competitors. Even so, Raccoon has quickly become one of the top ten mentioned malware in the\r\nunderground community, despite being launched in early 2019. Overall, sentiment around Raccoon is positive, with some\r\ncalling it the best replacement available for the now defunct Azorult infostealer.\r\nRaccoon’s high adoption despite its limited feature set speaks to a growing trend of the\r\ncommoditization of malware, as malware authors shoot to create platforms for crime instead of committing the crimes\r\ndirectly. As malware authors choose to develop MaaS, they must partake in many of the same activities as a legitimate SaaS\r\nbusiness: marketing efforts, relying on positive reviews, responsive customer support, and regularly improving features in\r\ntheir product. 
We only expect this trend to continue into 2020 and push the evolution of MaaS forward.\r\nAPPENDIX\r\nINDICATORS OF COMPROMISE\r\nReview the Indicators of Compromise for the Raccoon Stealer here. \r\nMITRE ATT\u0026CK TECHNIQUES BREAKDOWN\r\nInitial Access: Spear Phishing Attachment, Drive-by Compromise\r\nExecution: Execution through API, Command-Line Interface, Exploitation for Client Execution\r\nDefense Evasion: Software Packing, Deobfuscate/Decode Files or Information, Obfuscated Files or Information\r\nCredential Access: Credential Dumping, Credentials in Files, Input Capture\r\nDiscovery: System Time Discovery, Account Discovery, File and Directory Discovery, System Information Discovery, Query Registry, Process Discovery, System Owner/User Discovery, Remote System Discovery, System Network Configuration Discovery\r\nCollection: Data from Local System, Screen Capture\r\nExfiltration: Data Encrypted\r\nCommand and Control: Remote File Copy, Standard Cryptographic Protocol, Standard Non-Application Layer Protocol, Standard Application Layer Protocol\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and\r\nenterprise security to uncover emerging threats across the globe. 
They specialize in analyzing new attack methodologies,\r\nreverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first\r\nto release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.\r\nSource: https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block"
	],
	"report_names": [
		"hunting-raccoon-stealer-the-new-masked-bandit-on-the-block"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434732,
	"ts_updated_at": 1775826729,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/468abd594130471a9d2428f93d4c7b443c38e63e.pdf",
		"text": "https://archive.orkl.eu/468abd594130471a9d2428f93d4c7b443c38e63e.txt",
		"img": "https://archive.orkl.eu/468abd594130471a9d2428f93d4c7b443c38e63e.jpg"
	}
}