Raccoon Stealer
Raccoon Stealer is a malware-as-a-service information stealer for Windows, widely referenced as a common commodity infostealer. The sources tracked here describe it stealing passwords, cookies, autocomplete data, and browser history from popular web browsers, and being used to obtain login credentials and other data from compromised systems. It fingerprints infected hosts by querying the Windows Registry key HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid and collects the device locale via GetUserDefaultLocaleName to check for the string "ru", although analyzed samples reportedly took no action when that locale was present. Exfiltration goes over the malware's existing HTTP-based command-and-control channel.

Reported distribution vectors include phishing, botnets sending phishing emails, Discord CDN abuse, and SEO-poisoned or cracked-software websites operating as a dropper-as-a-service network. Sophos reporting cited in the sources links a 2021 Raccoon Stealer campaign to websites advertising cracked software that also delivered other malware families.

The malware is repeatedly associated with credential-theft operations and broader intrusion activity: Push Security listed Raccoon Stealer among the infostealers used in the Snowflake-related campaign to obtain credential pairs; Group-IB described Raccoon as the most-used malware in large-scale password theft attacks by Russian-speaking cybercriminal groups in 2022; and Scattered Spider has been reported using Raccoon Stealer, including via phishing, to steal credentials, cookies, and browser data. Microsoft Defender Antivirus detects it under names such as Trojan:Win32/Raccoon.AD!MTB.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Scattered Spider retrieves browser histories via infostealer malware such as Raccoon Stealer.
"Threat actors then use information-stealing malware, such as Raccoon Stealer and Redline, to acquire credentials and session tokens from the victim’s browser."
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
1 technique
Volt Typhoon has obtained the victim's system current location.
Resource Development
2 techniques
According to Group-IB, cybercriminals also rely on ... taking control of social media accounts to spread malware.
All of these networks use search engine optimization to put a “bait” webpage on the first page of results for search engine queries seeking “crack” versions of a variety of software products.
Initial Access
3 techniques
First-line operators are tasked with driving web traffic to sites impersonating well-known companies, in order to convince victims to download malicious files.
Raccoon Stealer has been distributed through cracked software downloads.
Scattered Spider’s powerful initial access tactics ... include phone calls, SMS phishing, email phishing, MFA fatigue attacks, and SIM swapping. The domains used for email and SMS phishing abuse the Okta and Zoho ServiceDesk brands combined with the target’s name to make them appear legitimate.
Execution
4 techniques
It downloads 7 legitimate third-party DLLs from the C2 server, using GET requests, in the following order: sqlite3.dll, freebl3.dll, mozglue.dll, msvcp40.dll, nss3.dll, softokn3.dll, vcruntime140.dll.
The download was a .zip archive file named after the alleged “cracked” product sought by the target.
For example, cybercriminals embed links for downloading malware in reviews of popular games or in giveaways on social media.
Completing the download resulted in the delivery of a malware payload.
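The ordered fetch of those seven legitimate DLLs gives defenders a network-side signal that does not depend on file hashes: one client pulling most of the set from a single server within a short window. The following detection is an added example, not from the page's sources or any vendor tool; the proxy-log format and the sample lines are constructed, and the thresholds are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# The seven legitimate third-party DLLs the stealer fetches from its C2 with GET
# requests, in the order listed above. Legitimate files hash clean; the pattern does not.
RACCOON_DLLS = ["sqlite3.dll", "freebl3.dll", "mozglue.dll", "msvcp40.dll",
                "nss3.dll", "softokn3.dll", "vcruntime140.dll"]

# Constructed proxy log, one request per line: "<ISO time> <client> <method> <url>".
# 203.0.113.9 plays the C2; 10.0.0.7's two hits from a CDN are benign noise.
SAMPLE_LOG = """\
2023-01-10T09:00:01 10.0.0.5 GET http://203.0.113.9/sqlite3.dll
2023-01-10T09:00:02 10.0.0.5 GET http://203.0.113.9/freebl3.dll
2023-01-10T09:00:02 10.0.0.5 GET http://203.0.113.9/mozglue.dll
2023-01-10T09:00:03 10.0.0.5 GET http://203.0.113.9/msvcp40.dll
2023-01-10T09:00:03 10.0.0.5 GET http://203.0.113.9/nss3.dll
2023-01-10T09:00:04 10.0.0.5 GET http://203.0.113.9/softokn3.dll
2023-01-10T09:00:04 10.0.0.5 GET http://203.0.113.9/vcruntime140.dll
2023-01-10T09:05:00 10.0.0.7 GET http://cdn.example/vcruntime140.dll
2023-01-10T09:07:00 10.0.0.7 GET http://cdn.example/sqlite3.dll
"""

def parse(line):
    """Split a log line into (timestamp, client, method, server, file name)."""
    ts, client, method, url = line.split()
    parts = urlparse(url)
    return (datetime.fromisoformat(ts), client, method, parts.hostname,
            parts.path.rsplit("/", 1)[-1].lower())

def find_dll_staging(log_text, min_hits=5, window=timedelta(minutes=2)):
    """Return {(client, server): [dlls]} for client/server pairs that fetched
    at least `min_hits` distinct DLLs from the set within `window`."""
    seen = defaultdict(list)  # (client, server) -> [(timestamp, dll)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, server, name = parse(line)
        if method == "GET" and name in RACCOON_DLLS:
            seen[(client, server)].append((ts, name))
    alerts = {}
    for key, events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over each start
            names = {n for t, n in events[i:] if t - start <= window}
            if len(names) >= min_hits:
                alerts[key] = sorted(names, key=RACCOON_DLLS.index)
                break
    return alerts
```

Requiring five of seven tolerates a cached or blocked request while still ignoring a host that happens to fetch one or two of these common runtime DLLs from a legitimate CDN.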
Stealth
7 techniques
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'
Sites impersonating the names of well-known companies ... to convince victims to download malicious files.
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Credential Access
4 techniques
Grandoreiro can steal cookie data and credentials from Google Chrome... Kimsuky has used browser extensions including Google Chrome to steal passwords and cookies from browsers.
Once victims are infected, the cybercriminals can gain access to their passwords ... Group-IB recommends ... not saving passwords in the browser.
The content repeatedly describes threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.
their only post being about troubleshooting a credential checker that they were using to validate credentials they stole.
Discovery
6 techniques
The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
APT38 has collected browser bookmark information to learn more about compromised hosts, obtain personal information about users, and acquire details about internal network resources.
Collection
1 technique
The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.
Command and Control
2 techniques
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
Meanwhile, the real second-stage installer is calling home to retrieve yet another payload.
Exfiltration
1 technique
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
IOCs tracked for this family
12 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
73 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An infostealer used for credential theft; the source lists it among the families used to obtain credentials in the campaign against Snowflake.
Raccoon is referenced as a commercial stealer used as a capability benchmark for Needle.
Referenced as part of the stealer lineage from which Vidar evolved and which is cited in relation to StealC's lineage.
Information-stealing malware used to harvest browser-stored credentials, session cookies, autofill data, and local files; stolen data is packaged into logs and sold on underground markets/Telegram, enabling follow-on account compromise and initial access.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.