Raccoon Stealer
Raccoon Stealer is a commodity infostealer and malware-as-a-service offering used in the cybercriminal ecosystem to steal credentials and other victim data. The provided content states that it steals login credentials, browser history, cookies, session tokens, and other information from infected systems. It gathers information about the infected system's owner and user and fingerprints the host, including by querying the registry value HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid. It also collects the locale name of the infected device via GetUserDefaultLocaleName and checks it for the string "ru"; in the analyzed samples, no action was taken when that string was present. Raccoon Stealer additionally collects files and directories from victim systems based on configuration data downloaded from its command-and-control servers.
For command and control and exfiltration, the content explicitly states that Raccoon Stealer uses HTTP, particularly HTTP POST requests, and existing HTTP-based C2 channels for exfiltration. One mentioned C2 indicator is 91.201.115.148. The malware is repeatedly described as part of the broader infostealer economy alongside families such as RedLine, Vidar, Lumma, and StealC, and as enabling downstream intrusion activity through theft of browser-saved passwords, cookies, and session tokens.
The content associates Raccoon Stealer with multiple threat contexts. It notes that Scattered Spider has used Raccoon Stealer, and that GOLD HARVEST is known to employ commodity infostealers such as Vidar and Raccoon to collect browser-saved passwords, cookies, and session tokens. It is also referenced in malware bundles alongside AZORult, Predator the Thief, Smoke Loader, RedLine Stealer, Amadey, and Ficker Stealer, and in one observed malvertising-related infection chain a batch script downloaded Raccoon Stealer together with the Gozi/Ursnif backdoor. Additional reporting in the content links infrastructure clusters to BumbleBee, Raccoon Stealer, RecordBreaker, and SolarMarker.
The infection vectors mentioned in the content are indirect but consistent with commodity infostealer delivery: malware bundles, malware-as-a-service operations, and malvertising or SEO-poisoning-related delivery chains. The content also highlights its relevance to cloud and identity compromise by noting that infostealers such as Raccoon Stealer can extract cookies, credentials, and session tokens from browsers, including in the context of attacks against Snowflake-related access. Overall, the high-confidence characterization from the provided material is that Raccoon Stealer is a widely used credential and data theft malware family focused on browser and host data collection, HTTP-based C2/exfiltration, and support for broader criminal intrusion and extortion workflows.
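The profile above gives a defender two host-observable behaviours worth correlating: a process reading the MachineGuid registry value (host fingerprinting) and the same process sending an HTTP POST to a known C2 address. The following detection sketch is an added example, not part of the original profile and not a rule from Mallory or any vendor. It scores per-process activity over a few constructed, Sysmon-style key=value log lines; the log format, the allowlist of processes that legitimately read MachineGuid, and the score weights are assumptions to be tuned per environment. The registry key and the C2 IP 91.201.115.148 come from the profile; the locale check via GetUserDefaultLocaleName is an in-process API call and is not visible in this kind of telemetry, so it is not modelled.

```python
"""Score processes for Raccoon Stealer-like behaviour (added example).

Observables combined, both taken from the profile text:
  1. a process reads HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid
     (host fingerprinting); this is noisy on its own because many
     legitimate Windows components read it, hence the allowlist;
  2. the same process sends an HTTP POST to a known C2 address.
A process showing both is escalated; either alone is recorded at low severity.
"""
import re
from collections import defaultdict

# Generic key=value tokeniser for the constructed log format below.
KV_RE = re.compile(r"(\w+)=(\S+)")

# C2 address listed in the profile above.
KNOWN_C2 = {"91.201.115.148"}
MACHINEGUID_KEY = r"HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid"
# Assumption: processes that routinely read MachineGuid on a healthy host.
BENIGN_READERS = {"svchost.exe", "msiexec.exe", "searchindexer.exe"}

# Constructed sample events (not real telemetry). Paths contain no spaces
# so the simple tokeniser above suffices.
SAMPLE_EVENTS = [
    # benign: a system service reads MachineGuid (normal Windows behaviour)
    r"ts=2024-05-01T09:00:01Z host=WS01 event=RegistryRead pid=1204 "
    r"image=C:\Windows\System32\svchost.exe key=HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid",
    # suspicious: a binary in the user's temp folder reads MachineGuid ...
    r"ts=2024-05-01T09:05:10Z host=WS01 event=RegistryRead pid=4321 "
    r"image=C:\Users\alice\AppData\Local\Temp\update.exe key=HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid",
    # ... and two seconds later POSTs to the C2 address from the profile
    r"ts=2024-05-01T09:05:12Z host=WS01 event=HttpRequest pid=4321 "
    r"image=C:\Users\alice\AppData\Local\Temp\update.exe method=POST dst=91.201.115.148 dport=80",
    # benign: a browser POSTs to an unrelated address
    r"ts=2024-05-01T09:06:00Z host=WS02 event=HttpRequest pid=777 "
    r"image=C:\Apps\Firefox\firefox.exe method=POST dst=203.0.113.10 dport=443",
    # low-severity: temp binary reads MachineGuid but no C2 contact is seen
    r"ts=2024-05-01T09:07:30Z host=WS03 event=RegistryRead pid=999 "
    r"image=C:\Users\bob\AppData\Local\Temp\setup.exe key=HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid",
]


def parse_event(line: str) -> dict:
    """Turn one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def score_events(lines):
    """Return a list of findings, one per (host, pid, image) with a non-zero score."""
    per_proc = defaultdict(lambda: {"score": 0, "reasons": []})
    for line in lines:
        ev = parse_event(line)
        key = (ev["host"], ev["pid"], ev["image"])
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if (ev["event"] == "RegistryRead"
                and ev.get("key", "").lower() == MACHINEGUID_KEY.lower()
                and exe not in BENIGN_READERS):
            per_proc[key]["score"] += 1
            per_proc[key]["reasons"].append("MachineGuid read by non-allowlisted process")
        elif (ev["event"] == "HttpRequest"
                and ev.get("method") == "POST"
                and ev.get("dst") in KNOWN_C2):
            per_proc[key]["score"] += 2
            per_proc[key]["reasons"].append(f"HTTP POST to known C2 {ev['dst']}")

    findings = []
    for (host, pid, image), info in per_proc.items():
        # Score 3 means both behaviours were seen from the same process.
        severity = "high" if info["score"] >= 3 else "low"
        findings.append({"host": host, "pid": pid, "image": image,
                         "score": info["score"], "severity": severity,
                         "reasons": info["reasons"]})
    return findings


if __name__ == "__main__":
    for f in score_events(SAMPLE_EVENTS):
        print(f"{f['severity']:>4}  {f['host']} pid={f['pid']} {f['image']}")
        for r in f["reasons"]:
            print(f"      - {r}")
```

Running the block prints one high-severity finding for WS01 pid 4321 (both behaviours from one process) and one low-severity finding for WS03, while the svchost.exe read and the browser POST produce nothing. In a real deployment the allowlist should be derived from baseline data rather than hard-coded, and the C2 set would be fed from the indicator list tracked for the family.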
Groups observed using it
5 distinct threat actors attributed by public researchers.
GOLD HARVEST is known to employ commodity infostealers such as Vidar and Raccoon, which collect browser-saved passwords, cookies, and session tokens.
"Threat actors then use information-stealing malware, such as Raccoon Stealer and Redline, to acquire credentials and session tokens from the victim’s browser."
Techniques & procedures
31 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance (2 techniques)
Resource Development (2 techniques)
Initial Access (2 techniques)
There is increasing interplay between social engineering and stolen credentials... These credentials can enable initial access directly or support more convincing social engineering attempts by allowing attackers to reference internal systems or mimic legitimate employee behavior.
Scattered Spider’s powerful initial access tactics ... include phone calls, SMS phishing, email phishing, MFA fatigue attacks, and SIM swapping. The domains used for email and SMS phishing abuse the Okta and Zoho ServiceDesk brands combined with the target’s name to make them appear legitimate.
Execution (2 techniques)
Persistence (1 technique)
Privilege Escalation (1 technique)
Stealth (7 techniques)
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.
DarkGate queries system locale information during execution. Later versions of DarkGate query GetSystemDefaultLCID for locale information to determine if the malware is executing in Russian-speaking countries.
The downloaded file was a VHD container which, when mounted, revealed Installer.bat, a batch file containing simple commands intended to raise execution privileges; add scanning exclusions for Windows Defender; and download and execute a remote batch script and an executable.
Credential Access (4 techniques)
When successfully deployed and executed, information-stealing malware can harvest credentials (usernames, passwords, and session cookies) from infected environments and export them as logs to the attackers’ server.
These logs can hold credentials and tokens present on the compromised device, including corporate VPN, email, cloud, and SSO accounts... attackers authenticate with legitimate credentials, even bypassing MFA if they have a session cookie.
Discovery (7 techniques)
The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
T1087.004: Account Discovery: Cloud. "To establish a foundational understanding of the target environment, a threat actor might first locate the identities operating within it... AzureHound parameters that facilitate the MITRE technique Account Discovery: Cloud Account include the following: list users, list devices, list device-owners, list service-principals, list service-principal-owners."
Collection (3 techniques)
Confucius has used a file stealer to steal documents and images... Patchwork developed a file stealer to search C:\ and collect files with certain extensions... Winter Vivern delivered a PowerShell script capable of recursively scanning victim machines looking for various file types before exfiltrating identified files via HTTP.
Agrius used a custom tool, sql.net4.exe, to query SQL databases and then identify and extract personally identifiable information... AppleSeed has automatically collected data from USB drives, keystrokes, and screen images before exfiltration... Ember Bear engages in mass collection from compromised systems during intrusions.
Command and Control (2 techniques)
Exfiltration (1 technique)
IOCs tracked for this family
20 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
88 sources tracked across advisories, community write-ups, and news.
Named as an infostealer family involved in credential theft and resale within the cybercriminal ecosystem.
Named as an infostealer family involved in credential theft and monetization within the cybercrime ecosystem.
A stable infostealer with a broad operator base, designed to steal passwords, cookies, and other authentication data.
An infostealer for credential theft; the source lists it among the families used to obtain credentials in the campaign against Snowflake.