{
	"id": "d7fc9423-0c15-4332-8973-99322192d8b6",
	"created_at": "2026-04-06T00:15:56.519803Z",
	"updated_at": "2026-04-10T03:37:08.666697Z",
	"deleted_at": null,
	"sha1_hash": "4937c73c95a0915f7928fa23aed028f560f57930",
	"title": "Raccoon Stealer v2 – Part 1: The return of the dead",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 663356,
	"plain_text": "Raccoon Stealer v2 – Part 1: The return of the dead\r\nBy Quentin Bourgue, Pierre Le Bourhis and Sekoia TDR\r\nPublished: 2022-06-28 · Archived: 2026-04-05 19:43:00 UTC\r\nRaccoon Stealer was one of the most prolific information stealers in 2021, being used by multiple cybercriminal actors. Due to its wide stealing capabilities, the customizability of the malware and its ease of use, Raccoon Stealer was highly popular among threat actors. The malware was mainly distributed using fake installers, or as cracked versions of popular software.\r\nPreviously sold as a malware-as-a-service on underground forums since early 2019, its operations suddenly stopped on March 25, 2022. This abrupt shutdown was purportedly due to the loss of a developer of the Raccoon Stealer project during the “special operation”, likely in reference to the Russian conflict in Ukraine. At the time, the raccoonstealer profile stated on several forums that they “don’t say goodbye forever”, and that they were already working on a second version.\r\nFigure 1. Raccoonstealer’s statement on the shutdown of the Raccoon Stealer project on the XSS forum\r\nSekoia.io kept a close eye on activities related to Raccoon Stealer, as it is assessed to make a strong comeback in the information stealer market.\r\nWe have reverse-engineered the new version of Raccoon Stealer and our in-depth analysis is available in part 2 at: https://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/.\r\nFirst signs of life\r\nOn June 10, 2022, while searching for stealers’ administration panels on the Shodan search engine, SEKOIA.IO analysts stumbled upon active servers hosting a web page named “Raccoon Stealer 2.0”.\r\nFigure 2. Server hosting a web page named “Raccoon Stealer 2.0” on Shodan\r\nAfter analysing the files on the server, we could assert with high confidence that these servers belong to the Raccoon Stealer infrastructure. Indeed, several technical artefacts link this panel to the malware:\r\nthe HTTP title: Raccoon Stealer 2.0;\r\nthe domain in the issued SSL certificates: raccoonstealer[.]app;\r\nseveral references to the raccoonstealer profile in the JavaScript code: contacts: [{title:\"Jabber\",content:\"raccoonstealer[@]exploit[.]im\"}, {title:\"Telegram\",content:\"[@]raccoonstealer\"}]\r\nBased on this information, we came across raccoonstealer’s publications on the underground forum Exploit and their Telegram channel, confirming that a first release of Raccoon Stealer v2 has been sold on Telegram since May 17.\r\nFigure 3. Publication in the raccoonstealer’s Telegram channel advertising the malware\r\nHowever, we were not able to find malware samples distributed in the wild at the time.\r\nSamples in the wild\r\nOn June 16, 2022, S2W published a comprehensive analysis [1] of the new version of Raccoon Stealer. Based on a file created by the malware (System Info.txt), they attributed payloads distributed in the wild to Raccoon Stealer v2. This file contains information about the victim’s system.\r\nThe sample analysed by S2W matches a newly discovered malware family discussed on Twitter by cybersecurity researchers, which was later named RecordBreaker by @James_inthe_box (related tweet). Raccoon Stealer v2 and RecordBreaker could be two different names for the same malware family.\r\nSamples of Raccoon Stealer v2 were therefore observed in the wild since May 16, 2022. As for the previous version, threat actors mainly distribute the information stealer using fake installers, or cracked versions of popular software. Here are a few samples faking legitimate software installers:\r\nF-Secure FREEDOME VPN installer (F-Secure Freedome VPN 2.50.23.0.licensesrv.exe_KaHCr.exe);\r\nR-Studio Network installer (R-Studio.v9.0.190312.licencekey.exe_v3G9m.exe);\r\nProton VPN installer (ProtonVPN.exe).\r\nMalware sample attribution\r\nIn order to confirm that the sample analysed by S2W corresponds to a Raccoon Stealer v2 sample, we compared the content of raccoonstealer’s publications on their Telegram channel with our technical analysis of the stealer.\r\nThe publications advertising Raccoon Stealer v2 are promoted by its developers to the user community. The authors are therefore focused on the user experience of attackers (performance, log processing, integrity, etc.), which can be embellished. However, raccoonstealer shared technical features of their malware. In the following table, we have listed these descriptions to compare with our observations during analysis.\r\nDescriptions from raccoonstealer’s Telegram | SEKOIA.IO’s commentary\r\n“the styler is written in C/C++” | Based on the sample analysis, we observed the malware code written in C/C++ and a bit of ASM.\r\n“Raccoon collects: passwords, cookies and autocomplete from all popular browsers (including FireFox x64), CC data” | By default (no specific configuration is needed), the malware samples collect data from browser SQL databases.\r\n“Raccoon collects system information” | The malware fingerprints the infected system using Windows Registry queries and other WinAPI functions (e.g. RAM, CPU, display, installed software).\r\n“almost all existing desktop cryptocurrency wallets” | Confirmed by the malware configuration, which embeds many cryptocurrency wallet browser extensions and desktop apps. The configuration can be customised to collect data from other wallets simply by setting the path and the targeted file.\r\n“Built-in file downloader” | The malware implements its own directory listing function to grab files.\r\n“Works on both 32 and 64-bit systems without dependencies on .NET.” | The malware does not need any dependencies; instead, it downloads 8 DLLs once executed.\r\n“Private key, gate address and all other string values are heavily encrypted.” | C2 address(es) and strings are encrypted using RC4 and Base64, which is hardly “heavy”; perhaps raccoonstealer used this term for marketing. Does the private key correspond to the RC4 key stored in the .rdata section?\r\n“HTTP for sending to handlers and file servers are encrypted.” | We did not observe any encryption of exfiltrated data.\r\n“Screenshot, system info, each browser profile is sent separately. Each wallet – sent separately” | A quite discriminating feature: the malware sends data each time it collects a new item: the system information, the browser data, the wallet data (for each wallet extension/desktop app found) and the screenshot.\r\n“Reworked file grabber (…) going through all disks including usb with search depth” | The malware implements its own directory listing function to grab files.\r\n“The weight of the executable file of the Stiller is only 50 KB” | All observed stand-alone samples are 55 KB or 56 KB.\r\n“We also redesigned the loader. You can now choose where to install the file (Low, Temp, AppData). CMD/DLL/EXE” | Two ways to execute a payload are implemented in the malware, but we only looked at the downloaded PE execution function.\r\nFigure 4. Comparative table of features shared by raccoonstealer and SEKOIA.IO’s analysis\r\nAlmost all the capabilities and technical details advertised by raccoonstealer correspond to those observed during our malware analysis. Some properties of the malware are quite generic among information stealing malware families (collecting browser data and system information, capturing a screenshot, encrypting the C2 address and strings), but others are rather specific and validate the attribution to Raccoon (sending data separately, the built-in file downloader, the file grabber going through all disks, and the specific loader).\r\nIt is worth mentioning that the authors announce that Raccoon Stealer v2 exfiltrates encrypted data, but we did not observe any encryption or obfuscation in C2 communications during our analysis. This seems to be the only point that differs between raccoonstealer’s advertising and our observations. However, it should not be forgotten that their goal is to market the malware, and they might overuse some expressions to do so. Indeed, we have already seen such discrepancies in MarsTeam’s publications about Mars Stealer on the XSS forum [2].\r\nIn addition, the date of appearance of the first samples matches that of the aforementioned “Raccoon Stealer 2.0” servers, as well as the date of raccoonstealer’s publication in their Telegram channel (around May 17, 2022).\r\nTechnical analysis\r\nIn raccoonstealer’s Telegram channel, the new version of the malware has been advertised with improved software, back-end and front-end. Raccoon Stealer’s developers rewrote the malware and the administration panel from scratch, with a focus on performance and efficiency. In the next part, SEKOIA.IO analyses the malware and its communications in depth.\r\nMalware capabilities\r\nRaccoon Stealer’s capabilities are those of a classic stealer, with a focus on cryptocurrency wallets. The malware is also advertised as a loader and a file grabber.\r\nHere is an overview of its capabilities:\r\nTargeting of popular browsers (to steal passwords, cookies, autofill forms and credit cards);\r\nTargeting of almost all desktop cryptocurrency wallets and browser extensions for cryptocurrency wallets (MetaMask, TronLink, BinanceChain, Ronin, Exodus, Atomic, JaxxLiberty, Binance, Coinomi, Electrum, Electrum-LTC, ElectronCash, etc.);\r\nFile downloading;\r\nFile loading (cmd, dll, exe);\r\nFile grabbing on all disks;\r\nScreenshot capturing;\r\nSystem fingerprinting;\r\nInstalled applications listing.\r\nThe capabilities advertised on Telegram match those identified during our analysis.\r\nIn-depth analysis\r\nRaccoon Stealer v2 is written in C/C++ using WinAPI. Sample size is around 56 KB, working on both 32- and 64-bit systems without any dependencies. The malware downloads legitimate third-party DLLs from its C2 server(s). The C2 configuration and strings are encrypted using RC4 and Base64 encoding.\r\nSEKOIA.IO reverse engineered the malware and will soon publish an in-depth analysis to share further details. In the meantime, here is a description of the step-by-step execution of Raccoon Stealer v2:\r\n1. Dynamic loading of DLLs;\r\n2. Run-time dynamic linking of WinAPI functions;\r\n3. Strings deobfuscation (Base64 decoding and RC4 decryption);\r\n4. C2 server(s) deobfuscation;\r\n5. Checks (mutex, user privileges);\r\n6. Host fingerprint (MachineGuid, Username) and data exfiltration;\r\n7. Retrieving its configuration from its C2;\r\n8. Downloading, then loading the legitimate third-party DLLs;\r\n9. Fingerprinting the infected host (CPU, RAM, OS version, display info) and sending this data to the C2;\r\n10. Collecting personal information and exfiltrating it (system information, browsers, crypto wallets);\r\n11. Capturing a screenshot and exfiltrating it;\r\n12. Removal of files created by the malware.\r\nInterestingly, during the collection stage, the malware collects the data and sends it directly in a file via a POST request to the C2 server. It repeats this step for each new type of data (system information, cookies, screenshot, etc.).\r\nIt is worth noting that the malware implements almost no defense evasion techniques, such as anti-analysis, obfuscation or impairing defenses.\r\nNetwork communications\r\nThe malware first sends a POST request to its C2 server with the machineId, username and configurationId (which corresponds to the RC4 key). The server replies with the full malware configuration, which includes (as shown in the following figure):\r\nApplications to target;\r\nURLs hosting the legitimate third-party DLLs;\r\nToken used for data exfiltration (corresponds to the C2’s endpoint);\r\nFile grabber configuration, etc.\r\nFigure 5. Network capture of the communication initiated by the malware on the infected machine and its C2 server\r\nRaccoon Stealer v2 then downloads every DLL, which are sometimes hosted on another server.\r\nFinally, it exfiltrates data by sending POST requests to its C2 server. The URLs used by the malware are built using the token received in the configuration.\r\nFigure 6. Overview of Raccoon Stealer v2 communications\r\nTo conclude, we expect a resurgence of Raccoon Stealer v2, as its developers implemented a version tailored to the needs of cybercriminals (efficiency, performance, stealing capabilities, etc.) and scaled their backbone servers to handle large loads. In addition, the malware benefits from the popularity the threat actors gained in recent years.\r\nWe can assess with high confidence that possible future updates will implement more anti-analysis techniques to avoid detection by antiviruses.\r\nMITRE ATT\u0026CK TTPs\r\nTactic | Technique | Description\r\nDefense Evasion | T1140 – Deobfuscate/Decode Files or Information | Raccoon Stealer v2 decodes strings and the C2 configuration in the malware using RC4 and Base64.\r\nDefense Evasion | T1027 – Obfuscated Files or Information | Raccoon Stealer v2 uses RC4-encrypted strings.\r\nCredential Access | T1539 – Steal Web Session Cookie | Raccoon Stealer v2 harvests cookies from popular browsers.\r\nCredential Access | T1555.003 – Credentials from Password Stores: Credentials from Web Browsers | Raccoon Stealer v2 collects passwords from popular browsers.\r\nDiscovery | T1083 – File and Directory Discovery | Raccoon Stealer v2 lists files and directories to grab files through all disks.\r\nDiscovery | T1057 – Process Discovery | Raccoon Stealer v2 lists the currently running processes on the system.\r\nDiscovery | T1012 – Query Registry | Raccoon Stealer v2 queries the Windows Registry key at HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid to retrieve the MachineGuid value.\r\nDiscovery | T1518 – Software Discovery | Raccoon Stealer v2 lists all installed software on the infected machine by querying the Windows Registry key at HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\uninstall.\r\nDiscovery | T1082 – System Information Discovery | Raccoon Stealer v2 collects OS version, host architecture, CPU information, RAM capacity and display device information.\r\nDiscovery | T1614 – System Time Discovery | Raccoon Stealer v2 collects the time zone information from the system.\r\nCollection | T1119 – Automated Collection | Raccoon Stealer v2 scans the disks and automatically collects files.\r\nCollection | T1005 – Data from Local System | Raccoon Stealer v2 collects credentials of cryptocurrency wallets from the local system.\r\nCollection | T1113 – Screen Capture | Raccoon Stealer v2 captures a screenshot of the victim’s desktop.\r\nCommand and Control | T1071.001 – Application Layer Protocol: Web Protocols | Raccoon Stealer v2 uses HTTP for C2 communications.\r\nCommand and Control | T1041 – Exfiltration Over C2 Channel | Raccoon Stealer v2 exfiltrates data over the C2 channel.\r\nCommand and Control | T1105 – Ingress Tool Transfer | Raccoon Stealer v2 downloads legitimate third-party DLLs for data collection onto compromised hosts.\r\nExecution | T1106 – Native API | Raccoon Stealer v2 has the ability to launch files using ShellExecuteW.\r\nDefense Evasion | T1055.001 – Process Injection: Dynamic-link Library Injection | Raccoon Stealer v2 has the ability to load DLLs via LoadLibraryW and GetProcAddress.\r\nDefense Evasion | T1407 – Download New Code at Runtime | Raccoon Stealer v2 downloads its next stage from a remote host.\r\nIOCs \u0026 Technical Details\r\nRaccoon Stealer v2’s C2 servers\r\nRaccoon Stealer v2’s SHA-256\r\nRaccoon Stealer’s C2 servers hosting administration panel\r\nMore IoCs are available on the SEKOIA.IO Community GitHub: https://github.com/SEKOIA-IO/Community/blob/main/IOCs/raccoonstealer/raccoon_stealer_iocs_20220628.csv\r\nExternal References\r\n[1] Raccoon Stealer is Back with a New Version, S2W, June 16, 2022\r\n[2] Mars, a red-hot information stealer, April 7, 2022\r\nSource: https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/"
	],
	"report_names": [
		"raccoon-stealer-v2-part-1-the-return-of-the-dead"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434556,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4937c73c95a0915f7928fa23aed028f560f57930.pdf",
		"text": "https://archive.orkl.eu/4937c73c95a0915f7928fa23aed028f560f57930.txt",
		"img": "https://archive.orkl.eu/4937c73c95a0915f7928fa23aed028f560f57930.jpg"
	}
}