{
	"id": "60287a26-a816-4803-95df-96ade214c0a6",
	"created_at": "2026-04-06T00:21:13.960943Z",
	"updated_at": "2026-04-10T03:36:48.240036Z",
	"deleted_at": null,
	"sha1_hash": "91f71c28da2f4e7b9f8af337077cbce0a8fe05db",
	"title": "Raccoon Stealer Pivots Towards Self-Protection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 980999,
	"plain_text": "Raccoon Stealer Pivots Towards Self-Protection\r\nArchived: 2026-04-05 17:36:39 UTC\r\nMalware has become an ever-growing threat in the cyber landscape with the rise in ransomware and as-a-service offerings. ZeroFox Threat Research has identified a change in focus among the developers of an information stealer known as Raccoon Stealer. In this post, we’ll take a closer look at the pivot towards protecting this information stealer through the use of “crypters” and offer recommendations for how security teams can address this ongoing threat.\r\nDefining Raccoon Stealer\r\nAn information stealer (also known as an infostealer) typically acts as a Trojan designed to gather information from a system. The most common stealers collect data such as usernames and passwords, which they then send to another system via email, over a network or by other means of export. Keyloggers are another popular kind of information stealer, focused on logging a user’s keystrokes to uncover sensitive information and additional access.\r\nRaccoon Stealer is an information stealer first advertised on various underground forums in April 2019 by an actor going by the handle \"raccoonstealer.\" Like most stealers, it can steal stored auto-fill data, cookies, credentials, credit card data and history from Chromium-based browsers such as Google Chrome and Microsoft Edge. Targeted theft from several cryptocurrency wallets is also supported. Updates often add support for new cryptocurrencies, though it can also be configured to locate any wallet.dat file.\r\nOriginal advertisement for Raccoon Stealer (in Russian) in 2019\r\nSource: ZeroFox Threat Research\r\nhttps://www.zerofox.com/blog/raccoon-stealer-pivots-towards-self-protection/\r\nPage 1 of 4\r\nIts focus is on being small, efficient and simple enough for anyone to use. To accomplish this, Raccoon Stealer was created as a service offering, complete with a cloud control panel allowing would-be subscribers to configure everything in \"just a few clicks.\" At just $75 per week or $200 per month, Raccoon Stealer is relatively cheap for threat actors as well.\r\nRaccoon Stealer Updates Focus on Protecting Payloads\r\nMultiple updates have happened since the start of the quarter, the most notable being the addition of new \"crypters.\" A crypter's purpose is to obfuscate a given binary using tactics such as inserting junk code, breaking up the flow of code without changing the original functionality, or encrypting sections of code so that static signatures cannot detect them. Other updates include support for stealing from several new cryptocurrency wallets and adding Discord to the list of targeted applications.\r\nA Raccoon Stealer update adds support for a new crypter, “NinjaCrypt”\r\nSource: ZeroFox Threat Research\r\nOn August 4, 2021, the actor raccoonstealer announced that they were looking to cooperate with other crypter developers and had completed an \"automatic system for issuing an encrypted build.\" This was seemingly in response to subscriber feedback.\r\nActor raccoonstealer announces they are seeking out new crypter projects\r\nSource: ZeroFox Threat Research\r\nThe actor raccoonstealer has also been observed reminding others that \"usage without crypt is prohibited.\"\r\nActor raccoonstealer reminds a subscriber that crypters must be used against deployed binaries\r\nSource: ZeroFox Threat Research\r\nThe recently introduced \"Raccoon Clipper\" was also updated at the end of July 2021, adding support for the Monero and ZCash cryptocurrencies. Raccoon Clipper is an add-on developed separately from the main stealer and works as the name suggests: it monitors the Windows clipboard. Once it detects a supported cryptocurrency address, it replaces it with one configured by the subscriber, in the hope that unsuspecting victims will continue the transaction unaware that the target address has been changed.\r\nUpdate notes for Raccoon Clipper, a paid add-on to Raccoon Stealer\r\nSource: ZeroFox Threat Research\r\nThe group behind Raccoon Stealer has established itself as a capable operation in the two years since it debuted, providing new features regularly and earning a primarily positive reputation within the community. They've also shown a willingness to add features based on the demands of their subscribers, as demonstrated by the recently created API for automatically generating encrypted builds. Between that API for obfuscated or \"crypted\" builds, new targeted applications and support for more cryptocurrency wallets, this quarter has been an active one for Raccoon Stealer.\r\nInformation Stealer Resources and Recommendations\r\nAs malware attacks continue to increase and the tactics evolve, security teams must act quickly. Here are a few recommendations from the ZeroFox Threat Research team:\r\nWhen breaches occur, always change known compromised passwords, as well as passwords on critical accounts.\r\nIf the initial attack vector is known, ensure that the vulnerabilities leveraged are corrected immediately.\r\nPerform a penetration test to determine weaknesses in the network configuration and correct the findings as soon as possible.\r\nEnable 2-factor authentication for all your organizational accounts to help mitigate phishing and credential stuffing attacks.\r\nReview network logs for potential signs of compromise and data egress.\r\nEnforce administrative or application control restrictions to prevent the unauthorized installation of software or media.\r\nThe ZeroFox team continues to produce informative resources and engaging events to help security teams and organizations as a whole navigate unknown territory. To learn more about the top threat trends as well as predictions on the tactics and techniques expected to increase, download the latest ZeroFox Quarterly Threat Landscape Report.\r\nSource: https://www.zerofox.com/blog/raccoon-stealer-pivots-towards-self-protection/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zerofox.com/blog/raccoon-stealer-pivots-towards-self-protection/"
	],
	"report_names": [
		"raccoon-stealer-pivots-towards-self-protection"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434873,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/91f71c28da2f4e7b9f8af337077cbce0a8fe05db.pdf",
		"text": "https://archive.orkl.eu/91f71c28da2f4e7b9f8af337077cbce0a8fe05db.txt",
		"img": "https://archive.orkl.eu/91f71c28da2f4e7b9f8af337077cbce0a8fe05db.jpg"
	}
}