Categories: Cyber Security News

Raven Stealer Targets Google Chrome Users, Exfiltrates Sensitive Data

A new iteration of the lightweight information stealer known as Raven Stealer is rapidly gaining traction in underground malware markets, delivering sophisticated credential harvesting capabilities against Chromium-based browsers.

Written primarily in Delphi with core modules in C++, the malware emphasizes operational stealth and minimal user interaction, making it an attractive tool for both novice and experienced threat actors.

Raven Stealer’s executable (~7 MB) embeds critical payload components within the .rsrc section, using Delphi’s resource editor to include an encrypted DLL and configuration blobs. The embedded DLL is protected via ChaCha20 encryption (entropy 8.0), thwarting static analysis.

At runtime, the main executable decrypts the DLL in memory and employs reflective process hollowing into a suspended Chrome instance. By masquerading as a legitimate browser process, the malware evades heuristic detection and gains full access to browser internals.

Once injected, Raven Stealer retrieves the AES key stored in the Local State file at C:\Users\<User>\AppData\Local\Microsoft\Edge\User Data\Local State (applicable to Chrome as well).

This key decrypts browser artifacts, including saved passwords, cookies, payment data, and autofill entries. Extracted data is dumped into the plaintext files passwords.txt, cookies.txt, and payment.txt, organized under %Local%\RavenStealer\Chrome\Default, facilitating streamlined data aggregation.

Modular Design Enables In-Memory Execution and Evasion

By avoiding disk writes, Raven Stealer minimizes forensic artifacts. The builder dynamically generates each payload with a unique, 12-character filename (e.g., 65a16KM1.69n.exe), hindering signature-based detection.

At build time, operators supply a Telegram bot token and chat ID through a Delphi-based UI; these credentials are embedded unencrypted in resource IDs 102 and 103 via the BeginUpdateResource API.

The figure above shows the builder's UI.

This modular approach allows attackers to tailor communication parameters and payload features, such as UPX compression or additional plugins, without altering the core builder.
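As an added triage example (not code from the article or from the malware's author), the check below computes byte entropy per embedded resource and looks for a plaintext Telegram bot token or chat ID, mirroring the two properties described above: a ChaCha20-encrypted DLL with entropy 8.0 and unencrypted credentials in resource IDs 102 and 103. The resource dictionary, the token pattern and the config text are constructed stand-ins; a real sample would be read from the .rsrc section with a PE parser.

```python
import math
import re

# Approximate shape of a Telegram bot token (numeric bot id, colon, 35-char secret).
# The pattern is a triage heuristic, not an authoritative specification.
TOKEN_RE = re.compile(rb"\b\d{8,10}:[A-Za-z0-9_-]{35}\b")
CHAT_ID_RE = re.compile(rb"^-?\d{6,14}$")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage_resources(resources: dict, high_entropy: float = 7.9) -> dict:
    """Classify each resource blob as 'encrypted' (near-uniform bytes, like a
    ChaCha20-wrapped DLL), 'telegram_token', 'chat_id' or 'other'."""
    findings = {}
    for rid, blob in resources.items():
        ent = round(shannon_entropy(blob), 2)
        if ent >= high_entropy:
            findings[rid] = ("encrypted", ent)
        elif TOKEN_RE.search(blob):
            findings[rid] = ("telegram_token", ent)
        elif CHAT_ID_RE.match(blob.strip()):
            findings[rid] = ("chat_id", ent)
        else:
            findings[rid] = ("other", ent)
    return findings

# Constructed stand-ins for the .rsrc contents described above. Resource IDs 102/103
# follow the article; the token and chat id are fake values of the right shape.
SAMPLE_RESOURCES = {
    101: bytes(range(256)) * 16,              # every byte value equally often -> entropy 8.0
    102: b"123456789:AAE" + b"Q" * 32,        # fake bot token (35-character secret part)
    103: b"-1001234567890",                   # fake chat id
    104: b"VERSION=1.0;UPX=0;PLUGINS=none",   # plain config text, low entropy
}

if __name__ == "__main__":
    for rid, (kind, ent) in triage_resources(SAMPLE_RESOURCES).items():
        print(f"resource {rid}: {kind} (entropy {ent})")
```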

Telegram Bot Integration Streamlines Real-Time Exfiltration

Upon successful data harvest, the malware compresses stolen artifacts and a desktop screenshot into a ZIP archive (e.g., admin_RavenStealer.zip) and issues an HTTPS POST to the Telegram sendDocument API endpoint.


This integration provides near-instantaneous delivery of sensitive data directly to threat actor channels. Misconfigured or expired tokens can result in HTTP 404 errors, but valid credentials ensure seamless exfiltration that bypasses many network-based security filters.

Threat Detection Name

Distribution of Raven Stealer typically occurs via cracked software bundles, phishing emails, and promotions on underground forums or a dedicated Telegram channel. Its minimal footprint and evasion tactics make behavior-based detection and network monitoring critical.

Security teams should watch for anomalous reflective hollowing of browser processes, inspect outbound traffic to api.telegram.org, and flag unexpected document uploads.
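As an added detection example, not part of the original article, the script below applies the network indicators described above to a few constructed proxy log lines: it flags POST requests to the Telegram sendDocument endpoint, notes when the sender is a browser process, treats a 404 (the misconfigured-token case) as an exfiltration attempt rather than a non-event, and redacts the bot token before alerting. The log format, hostnames, timestamps and tokens are assumptions.

```python
import re

# Telegram Bot API upload endpoint; the token segment is captured only so it can be redacted.
TELEGRAM_UPLOAD_RE = re.compile(r"https://api\.telegram\.org/bot(?P<token>[^/]+)/(?P<method>sendDocument)")
# Browser binaries that have no business uploading documents to a bot API.
BROWSER_PROCS = {"chrome.exe", "msedge.exe", "brave.exe"}

def parse_line(line: str) -> dict:
    """Constructed proxy/EDR log format (an assumption, not a real product's schema):
    <timestamp> <host> <process> <verb> <url> <status> <bytes_sent>"""
    ts, host, proc, verb, url, status, size = line.split()
    return {"ts": ts, "host": host, "process": proc, "verb": verb,
            "url": url, "status": int(status), "size": int(size)}

def detect_telegram_exfil(lines) -> list:
    """Return one alert dict per POST to the Telegram sendDocument endpoint."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        m = TELEGRAM_UPLOAD_RE.search(ev["url"])
        if not m or ev["verb"] != "POST":
            continue
        reasons = ["document upload to Telegram bot API"]
        if ev["process"].lower() in BROWSER_PROCS:
            reasons.append("sent by a browser process (possible hollowed instance)")
        if ev["status"] == 404:
            reasons.append("bot API returned 404 (bad or expired token); attempt still counts")
        alerts.append({**ev, "url": ev["url"].replace(m["token"], "<redacted>"),
                       "reasons": reasons})
    return alerts

# Constructed sample lines; hosts, timestamps and bot tokens are fake.
SAMPLE_LOG = [
    "2025-01-10T09:12:03Z ws-17 chrome.exe POST https://api.telegram.org/bot123456789:AAEfake/sendDocument 200 1843200",
    "2025-01-10T09:12:05Z ws-17 chrome.exe GET https://www.google.com/ 200 0",
    "2025-01-10T09:13:11Z ws-22 65a16KM1.69n.exe POST https://api.telegram.org/bot987654321:AAFfake/sendDocument 404 2048",
    "2025-01-10T09:14:00Z ws-22 teams.exe POST https://api.telegram.org/bot111:AAAfake/getMe 200 64",
]

if __name__ == "__main__":
    for a in detect_telegram_exfil(SAMPLE_LOG):
        print(f"{a['ts']} {a['host']} {a['process']} HTTP {a['status']} {a['size']}B -> {a['url']}")
        for r in a["reasons"]:
            print("   -", r)
```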

Enforcing application whitelisting, patching browser vulnerabilities promptly, and educating users to avoid pirated software remain essential defenses.

As Raven Stealer cements its place in the commodity malware ecosystem, its combination of stealth, modularity, and real-time exfiltration underscores the need for layered threat detection strategies, proactive hunting, and rigorous endpoint protection to safeguard sensitive credentials and browser data.

Indicators of Compromise

Files (SHA256) – Context
2b24885942253784e0f6617b26f5e6a05b8ad45f092d2856473439fa6e095ce4 – Raven Stealer
65ca89993f2ee21b95362e151a7cfc50b87183bf0e9c5b753c5e5e17b46f8c24 – 65a16KM1.69n.exe

The post Raven Stealer Targets Google Chrome Users, Exfiltrates Sensitive Data appeared first on Cyber Security News.