The commodity infostealer landscape has a new entrant in Raven Stealer, a compact Delphi/C++ binary that hijacks Telegram’s bot API to spirit away victims’ browser secrets. Attack chains observed in the wild rely on convincing social-engineering lures that funnel targets to GitHub releases or direct Telegram messages containing the builder’s output.

Once executed, the payload runs headlessly, never presenting a console window, and immediately prepares the ground for covert exfiltration. After unpacking itself (entropy >7 confirms UPX), the dropper decrypts an embedded DLL stored under resource ID 101 and harvests the Telegram bot_token and chat_id from resources 102 and 103. It then spawns chrome.exe in a suspended state with --headless --disable-gpu --no-sandbox, allocates memory via NtAllocateVirtualMemory, and maps the DLL into the new process—bypassing user-land hooks and hiding behind the browser’s legitimate signature.

Within seconds of execution, the stub enumerates installed Chromium-based browsers, decrypts saved passwords and cookies, and scoops cryptocurrency wallets and autofill data into a tidy folder hierarchy. Cyfirma analysts noted the stealer’s disciplined directory structure—%Local%\RavenStealer\Chrome, Edge, and Crypto Wallets—which simplifies post-infection triage for threat actors. Compounding the threat, exfiltration leverages Telegram’s /sendDocument endpoint, allowing operators to receive ZIP archives over an encrypted channel that most corporate firewalls permit by default. The operator dashboard (image not reproduced here) shows Raven’s resulting archive, whose filename embeds the victim’s username for effortless cataloguing.

The ramifications are severe: a single infection yields domain credentials, payment card details, and persistent session cookies that bypass MFA. By intertwining stealth packing, syscall-level injection, and Telegram C2, Raven Stealer underscores how little expertise is now required to mount high-yield credential-theft campaigns.
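The behaviours the article describes give defenders four concrete, host- and network-side indicators: whole-file entropy above 7 on the packed dropper, chrome.exe started with --headless --disable-gpu --no-sandbox by something other than Chrome itself, a %Local%\RavenStealer\ staging folder, and an outbound POST to the Telegram Bot API's /sendDocument method. The script below is an added detection example written for this page, not code from the report or from any vendor; the process, file and HTTP records it consumes are a constructed schema, and the bot token in the sample URL is a labelled placeholder.

```python
"""Detection checks for the Raven Stealer tradecraft described above.

Added example, not code from the report. Each check is keyed to an
indicator the article states: entropy above 7 on the packed dropper,
chrome.exe launched with --headless --disable-gpu --no-sandbox by a
non-Chrome parent, a %Local%\\RavenStealer\\ staging folder, and a
POST to the Telegram Bot API's /sendDocument method. The log records
below are constructed for the example and are not a product's real schema.
"""
import math
import re
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniformly random bytes, 0.0 for a constant."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """The report's packing tell: whole-file entropy above 7 points to UPX."""
    return shannon_entropy(data) > threshold


HEADLESS_FLAGS = {"--headless", "--disable-gpu", "--no-sandbox"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_chrome_launch(event: dict) -> bool:
    """Process-creation record: chrome.exe carrying all three flags and not
    spawned by chrome.exe itself (Chrome's own child processes are expected)."""
    if _basename(event.get("image", "")) != "chrome.exe":
        return False
    args = set(event.get("cmdline", "").split())
    return HEADLESS_FLAGS <= args and _basename(event.get("parent", "")) != "chrome.exe"


RAVEN_STAGING = re.compile(r"\\RavenStealer\\", re.I)
TELEGRAM_SENDDOC = re.compile(r"https?://api\.telegram\.org/bot[^/\s]+/sendDocument", re.I)


def raven_staging_path(path: str) -> bool:
    """File-event path under the %Local%\\RavenStealer\\ hierarchy the report names."""
    return bool(RAVEN_STAGING.search(path))


def telegram_senddocument(url: str) -> bool:
    """Bot API upload method used for the ZIP exfiltration."""
    return bool(TELEGRAM_SENDDOC.search(url))


def analyze(events: list) -> list:
    """Return (rule, event_id) pairs for every record that trips a check."""
    findings = []
    for e in events:
        if e["type"] == "process" and suspicious_chrome_launch(e):
            findings.append(("headless_chrome_injection_target", e["id"]))
        elif e["type"] == "file" and raven_staging_path(e["path"]):
            findings.append(("raven_staging_dir", e["id"]))
        elif e["type"] == "http" and e.get("method") == "POST" and telegram_senddocument(e["url"]):
            findings.append(("telegram_senddocument_exfil", e["id"]))
    return findings


# Constructed sample telemetry (not real victim data); the token is a placeholder.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --headless --disable-gpu --no-sandbox",
     "parent": r"C:\Users\victim\Downloads\setup.exe"},
    {"id": 2, "type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --type=renderer --no-sandbox",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"id": 3, "type": "file", "path": r"C:\Users\victim\AppData\Local\RavenStealer\Chrome\Passwords.txt"},
    {"id": 4, "type": "file", "path": r"C:\Users\victim\AppData\Local\Temp\update.log"},
    {"id": 5, "type": "http", "method": "POST",
     "url": "https://api.telegram.org/botPLACEHOLDER_TOKEN/sendDocument"},
    {"id": 6, "type": "http", "method": "GET", "url": "https://api.telegram.org/bot123/getMe"},
]

if __name__ == "__main__":
    for rule, eid in analyze(SAMPLE_EVENTS):
        print(f"{rule}: event {eid}")
    print("random blob packed?", looks_packed(bytes(range(256)) * 4))
```

Because Telegram traffic is TLS-wrapped, the /sendDocument check only works where a proxy or EDR records the request URL; where it does not, the headless chrome.exe launch from a non-browser parent and the RavenStealer staging folder are the indicators available on the host itself.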
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 29 Jul 2025 10:30:17 +0000