Introducing Raccoon Stealer

March 22, 2022

Avast has published research on Raccoon Stealer, a password stealer designed to steal login credentials for email and messaging clients, as well as files from cryptocurrency wallets, and to install downloader malware capable of installing more malware or install WhiteBackCrypt ransomware.

The thief uses the Telegram infrastructure to store and update command and control (C&C) addresses, from which it receives commands.


Raccoon Stealer is spread via downloaders called Buer Loader, but it is also distributed together with fake game cheats, patches for cracked software (including hacks and mods for Fortnite, Valorant and NBA2K22) or other software.

Raccoon Stealer is capable of stealing:

  1. Cookies, saved logins and browser form data
  2. Login credentials for email clients and messaging programs
  3. Cryptocurrency Wallet Files
  4. Data from browser plugins and extensions
  5. Arbitrary files based on C&C commands

“Cybercriminals typically buy installs, paying to have the malware of their choice loaded onto devices over other malware already installed on these devices. They can then provide the same service to others, which is what we think could happen with Raccoon Stealer," said Vladimir Martyanov. He adds that: “What is interesting about Raccoon Stealer is its use of the Telegram infrastructure to store and update C&C addresses. We assume that cybercriminals use Telegram not only because it's convenient, but because the channels are unlikely to be disabled."

Authored by

Jorge Daniel Tejeda