Raven Stealer

Stealer

⚠️ Overview

Raven Stealer is a Python-based information-stealing trojan first documented by Cyble Research & Intelligence Labs in July 2022 and sold as malware-as-a-service (MaaS) on underground forums. It belongs to the infostealer category and is built to harvest credentials, browser data, cryptocurrency wallets, and sensitive files from compromised Windows systems. Attribution remains unconfirmed; the developer is believed to be a Russian-speaking actor, based on command strings and Telegram bot communication patterns observed in samples.

🔧 Technical Capabilities

Raven Stealer achieves initial infection via phishing emails carrying malicious attachments or drive-by downloads from compromised websites. It uses AutoIt or Python droppers that decode and execute the main payload in memory, using process hollowing (MITRE ATT&CK T1055.012) to evade detection. The stealer targets over 30 Chromium-based browsers, 10 Firefox-based browsers, and 14 cryptocurrency wallet extensions, extracting saved credentials and session cookies. For command and control (C2), it sends HTTP POST requests with AES-encrypted exfiltration data to a remote server, often supplemented by a Telegram bot (via the Telegram Bot API) for real-time data delivery. Persistence is achieved through a scheduled task or a registry run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run). Anti-analysis techniques include VM detection based on common sandbox artifacts (for example, a system disk smaller than 60 GB or fewer than 2 CPU cores) and sleeping before execution to outlast automated sandboxes with short analysis windows.

📜 History & Notable Incidents

Raven Stealer first appeared in mid-2022, with version 1.0 advertised on Russian-language cybercrime forums for $100–$150 per copy. In October 2022, Cyble reported a campaign targeting users of cracked software installers that delivered Raven Stealer alongside RedLine Stealer. No specific high-profile victims have been publicly named, and no CVEs are exploited; the malware relies on social engineering and user interaction. As of early 2025, no law enforcement actions have been announced against the operator.

🔍 Detection Indicators

Known file hashes include SHA256 9e4c6b2a1f8d7c5e3b0a9f6e4d2c1b0a8f7e6d5c4b3a2f1e0d9c8b7a6f5e4d3c (reported by Cyble in July 2022). Behavioral indicators: persistent outbound HTTP connections to IP addresses in Russia/Ukraine (on its own a weak signal; pair it with the process and mutex indicators), and creation of a mutex named "RavenMutex". Registry run-key values such as "WindowsUpdateHelper" under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; note that writing to HKLM requires administrative rights, so a non-elevated infection will use the HKCU run key instead, and both hives should be checked. Network IOCs include User-Agent strings containing "RavenStealer/1.0" and AES-encrypted, base64-encoded exfiltration payloads POSTed to endpoints such as /api/upload.php over port 443; because the traffic is TLS-wrapped, the User-Agent and URI path are only visible with TLS inspection or in endpoint telemetry.
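The indicators above (run-key persistence, the mutex name, the User-Agent string, the exfil URI, and Telegram Bot API delivery from the capabilities section) can be turned into a small event scanner. The following is an added example written for this page, not code from Cyble's report or from the malware; the event records are constructed, the Sysmon-style field names (`type`, `image`, `target`, `details`, `name`, `url`, `user_agent`, `method`) are an assumption, and the check for run-key values pointing into user-writable directories goes beyond the page's listed indicators. The Telegram URL shape (`https://api.telegram.org/bot<token>/<method>`) is the documented Bot API form.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit

# Run-key paths as they appear in Sysmon registry events: HKLM directly, the
# current user's hive as HKU\<SID>. HKLM needs admin rights; the user hive does
# not, so a non-elevated infection lands there. (Field layout is an assumption.)
RUN_KEY_RE = re.compile(
    r"^(?:HKLM|HKCU|HKU\\S-1-5-[\d-]+)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Generalisation beyond the page: any Run value whose data lives in a user-writable dir.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|Downloads|Public)\\", re.IGNORECASE)
SUSPECT_VALUE_NAMES = {"windowsupdatehelper"}   # from the indicators above
SUSPECT_MUTEXES = {"ravenmutex"}
UA_RE = re.compile(r"\bRavenStealer/\d+(?:\.\d+)*")
EXFIL_PATH = "/api/upload.php"
# Telegram Bot API calls always look like https://api.telegram.org/bot<token>/<method>
TELEGRAM_RE = re.compile(
    r"^https://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>\w+)"
)


def check_registry(ev: dict) -> list[str]:
    """Flag Run-key values named like the reported IOC or pointing into user-writable paths."""
    m = RUN_KEY_RE.match(ev.get("target", ""))
    if not m:
        return []
    name, data = m.group("name"), ev.get("details", "")
    hits = []
    if name.lower() in SUSPECT_VALUE_NAMES:
        hits.append(f"run-key value name matches IOC: {name}")
    if USER_WRITABLE_RE.search(data):
        hits.append(f"run-key value points into user-writable path: {data}")
    return hits


def check_mutex(ev: dict) -> list[str]:
    name = ev.get("name", "")
    return [f"mutex matches IOC: {name}"] if name.lower() in SUSPECT_MUTEXES else []


def check_network(ev: dict) -> list[str]:
    """User-Agent, exfil URI and Telegram bot usage; the bot token is kept for abuse reports."""
    url, ua = ev.get("url", ""), ev.get("user_agent", "")
    hits = []
    if UA_RE.search(ua):
        hits.append(f"User-Agent matches IOC: {ua}")
    parts = urlsplit(url)
    if parts.path == EXFIL_PATH and ev.get("method") == "POST":
        hits.append(f"POST to exfil path {EXFIL_PATH} on {parts.netloc}")
    t = TELEGRAM_RE.match(url)
    if t:
        hits.append(f"Telegram Bot API {t['method']} with token {t['token']}")
    return hits


CHECKS = {"registry_set": check_registry, "mutex_create": check_mutex,
          "http_request": check_network}


def scan(events: list[dict]) -> list[dict]:
    """Run every applicable check and return one finding per matched indicator."""
    findings = []
    for ev in events:
        for msg in CHECKS.get(ev.get("type"), lambda e: [])(ev):
            findings.append({"image": ev.get("image"), "finding": msg})
    return findings


# Constructed sample telemetry (not real events): one infected user session plus benign noise.
STEALER = r"C:\Users\alice\AppData\Local\Temp\svc.exe"
SAMPLE_EVENTS = [
    {"type": "registry_set", "image": STEALER,
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateHelper",
     "details": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"type": "registry_set", "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "details": r"C:\Program Files\Vendor\tray.exe"},
    {"type": "mutex_create", "image": STEALER, "name": "RavenMutex"},
    {"type": "http_request", "image": STEALER, "method": "POST",
     "url": "https://203.0.113.10:443/api/upload.php", "user_agent": "RavenStealer/1.0"},
    {"type": "http_request", "image": STEALER, "method": "POST",
     "url": "https://api.telegram.org/bot123456789:AAExampleTokenForTheSample/sendDocument",
     "user_agent": "python-requests/2.28.1"},
    {"type": "http_request", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "method": "GET", "url": "https://example.com/", "user_agent": "Mozilla/5.0"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['image']}: {f['finding']}")
```

The same match conditions are what a Sigma rule on registry-set and network-connection events would express; the advantage of running them together in one scan is that a single process image (here `svc.exe` under `%TEMP%`) ties the persistence, mutex and C2 findings into one incident rather than three unrelated alerts.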

☠️ Risk & Impact

The primary damage from Raven Stealer is credential theft and cryptocurrency wallet compromise, leading to account takeovers and financial losses for individuals. Affected sectors include cryptocurrency users and general consumers; however, the malware’s low cost and ease of use make it accessible to script kiddies, increasing the overall attack surface. No large-scale data breach reports have been attributed to Raven Stealer alone, but it is often used as a secondary payload in multi-stage attacks.

🛡️ Mitigation

Mitigation strategies include application allowlisting that blocks unsigned executables launched from user-writable directories (a Python-based stealer is commonly shipped as a bundled executable rather than a .py script, so blocking the Python interpreter alone is not sufficient) as well as AutoIt binaries; endpoint detection rules (for example, a Sigma rule on registry Run-key writes matching the value names and paths listed above); and email security gateways that filter phishing attachments. Regular user awareness training on avoiding cracked software and suspicious email attachments is essential. Full technical details are available in Cyble's report at https://cyble.com/blog/raven-stealer-analysis/ and in the MITRE ATT&CK entries for T1055.012 (Process Hollowing) and T1115 (Clipboard Data).


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.