This month, a new type of malware has begun circulating, drawing the attention of the cybersecurity community due to its danger and stealth: Raven Stealer. This malicious software is not only capable of stealing users' confidential information, but it also spreads in a very discreet manner, leveraging popular tools like Telegram to distribute itself without raising suspicion.
What’s concerning is that Raven Stealer isn’t lurking in the dark corners of the web: its code has even been detected on public platforms like GitHub since mid-July, indicating an active and well-organized campaign. All signs point to a cybercriminal group known as ZeroTrace Team being behind its development, which further raises the threat level.
Raven Stealer Malware: Authorship, Code Structure, and Attack Methods
During the analysis of Raven Stealer’s code, security researchers discovered a file named RavenStealer.cpp, which proved key in identifying the group behind the malware. Surprisingly, the file even included a name and a Hotmail address, suggesting that the attackers not only wanted to operate in the shadows but also gain some visibility within the cybercriminal scene.
This group is not exactly new. Their Telegram channel was created on April 30 and has been quite active since, promoting tools under the ZeroTrace name, including cryptography utilities and various open-source scripts designed for data theft.
In the specific case of Raven Stealer, the malware is clearly targeted at Windows systems and primarily aims at users of Chromium-based browsers such as Google Chrome, Microsoft Edge, or Brave.
What’s particularly worrying is that the way it’s built shows an advanced technical level: it’s programmed in Delphi and C++, making it much stealthier and more efficient than other similar threats written in more common languages like Python. Thanks to this, it can run without raising alarms and exfiltrate data in real time via Telegram.
How Raven Stealer Avoids Detection in Windows and Browsers
One of the reasons Raven Stealer is so difficult to detect is its ability to operate in the background without raising suspicion. The malware can completely hide the PowerShell window while executing commands that disable the taskbar and block common shortcuts like Alt+Tab, making it harder for users to notice anything unusual happening on their device.
From there, the attack becomes even more sophisticated. Raven Stealer bypasses built-in security measures in Chromium-based browsers like Google Chrome, Edge, and Brave, directly accessing highly sensitive data: saved passwords, cookies, payment information, and even active sessions. It accomplishes all this without modifying files on the disk, allowing it to evade detection by many traditional antivirus programs.
Furthermore, the malware’s reach is broader than initially thought. It is capable of extracting information from cryptocurrency wallets, gaming platforms, VPN clients, and messaging services, collecting everything into a hidden folder within the user's AppData directory—a location commonly used by legitimate applications, which makes it even harder to detect.
To avoid detection, Raven Stealer takes its stealth one step further: it compresses all the stolen information into a ZIP file, which it stores in the system's temporary folders. From there, it sends the data to the attacker using the Telegram API directly, allowing it to exfiltrate information without the need for external servers that could raise suspicion.
According to experts who have analyzed its behavior, this malware has a modular design, making it easy to update or modify to target new victims. Additionally, it is packed with UPX, an open-source executable compression tool that reduces file size and complicates analysis by antivirus software.
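Because the article notes that Raven Stealer ships UPX-packed and hides its loot under AppData and the temp folders, a defender's first triage question for a suspicious file in those locations is often "is this packed?". The following Python script is an added example, not code from the article or from any of the researchers it cites: it parses the PE section table by hand and flags executables whose sections carry UPX's default names (UPX0/UPX1), then walks a directory such as %TEMP% or %LOCALAPPDATA% reporting hits. It assumes a stock UPX build (renamed sections will not match) and that the section table sits within the first 4 KB of the file; the sample PE it builds for testing is constructed, not a real binary.

```python
import os
import struct

UPX_PREFIX = b"UPX"  # stock UPX names its sections UPX0/UPX1 (assumption: not renamed)

def pe_section_names(data: bytes) -> list:
    """Parse the PE section table and return the section names ([] if not a PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        return []
    coff = e_lfanew + 4                                      # 20-byte COFF header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                             # section table start
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]       # 40-byte entry, 8-byte name
        if len(raw) < 8:                                     # truncated header: stop
            break
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def looks_upx_packed(data: bytes) -> bool:
    """True when any section name starts with 'UPX' (default UPX layout)."""
    return any(n.encode().startswith(UPX_PREFIX) for n in pe_section_names(data))

def scan_directory(root: str) -> list:
    """Walk a folder (e.g. %TEMP%, %LOCALAPPDATA%) and list UPX-packed PE files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # assumption: section table within first 4 KB
            except OSError:
                continue
            if looks_upx_packed(head):
                hits.append(path)
    return hits

def build_fake_pe(section_names: list) -> bytes:
    """Constructed test input: a headers-only PE blob with the given section names."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    secs = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + secs
```

A UPX hit is a triage signal, not a verdict: plenty of legitimate software is UPX-packed, so treat flagged files in temp or AppData as candidates for closer inspection rather than as confirmed malware.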
And Raven Stealer is not alone. The same group of attackers has also developed another threat called Octalyn Stealer, which shares a very similar technical structure and is also distributed via Telegram. This suggests that it is not an isolated attack, but rather part of a broader operation.
All signs indicate that the group known as ZeroTrace remains active and poses a persistent threat. Given their level of sophistication, it is likely that they are developing or distributing other data-stealing tools that have yet to be detected.
Conclusion: How to Protect Yourself from Raven Stealer and Similar Threats
The case of Raven Stealer clearly shows that cyberattacks are constantly evolving and that attackers are using increasingly sophisticated and hard-to-detect methods. The use of Telegram as an exfiltration channel, its modular design, and its ability to steal data without leaving visible traces on the system make it a real threat to any Windows user.
While we can't completely eliminate the existence of such threats, we can significantly reduce the risk of infection by following some key digital security best practices:
Key Recommendations to Stay Protected:
- Avoid downloading files from untrusted sources, especially from Telegram channels, unknown forums, or suspicious links.
- Install a reliable antivirus or antimalware solution and keep it up to date. Make sure it includes real-time protection.
- Keep your operating system and applications updated, including browsers, extensions, and messaging clients.
- Enable two-factor authentication (2FA) on all your important accounts. This adds an extra layer of protection even if your credentials are stolen.
- Regularly check your temporary folders and AppData directory, where malware like Raven Stealer tends to hide.
- Be wary of “free tools” or “cracks” shared via Telegram or GitHub, even if they appear legitimate.
- Back up your important data. In case of infection, this can help you recover your files without having to give in to attackers.
TecnetOne Tip: With the right information, caution, and tools, it’s possible to stay one step ahead of cybercriminals. Cybersecurity doesn't rely solely on software—it starts with our everyday decisions in front of the screen.