In mid-2025, cybersecurity researchers identified a new malware strain named Raven Stealer, designed to extract sensitive information from users of Chromium-based browsers, particularly Google Chrome. This lightweight, modular malware operates stealthily, enabling it to harvest data without alerting victims.
Delivery and Infection Vector
Raven Stealer is primarily distributed through cracked software bundles and underground forums. Attackers employ social engineering tactics, repackaging legitimate installers to deceive users into executing the malicious payload.
Operational Mechanism
Upon execution, Raven Stealer scans the local storage paths of Chromium-based browsers such as Chrome, Edge, and Brave to locate their encryption keys and credential vaults. It uses native Windows API calls to decrypt and extract saved passwords, cookies, autofill entries, and payment data. Its payload modules are stored ChaCha20-encrypted in the binary's resource section and are decrypted and executed directly in memory, so no component is ever written to disk, which sidesteps signature-based detection and disk-monitoring defenses.
Data Exfiltration Process
After harvesting credentials, Raven Stealer writes the stolen data as plain text files into a folder named RavenStealer under the user's AppData directory. The files (cookies.txt, passwords.txt, and payments.txt) are then staged for exfiltration. The malware transmits them through Telegram's Bot API, using a Bot Token and Chat ID that the operator supplies and that are embedded in the payload. This gives attackers a familiar command-and-control channel that passes through many corporate network filters. To cope with token expiration, the builder UI prompts for a fresh Bot Token and Chat ID each time a new payload is generated.
Infection Mechanism Deep Dive
Raven Stealer employs reflective process hollowing to inject its main DLL payload into a suspended Chrome process. The malware locates the Chrome binary path and launches a new instance in a suspended state. It then allocates memory in the new process, writes the encrypted payload into this memory, and uses ChaCha20 decryption in memory to reconstruct the DLL before execution. By adjusting the thread context to point to the remote buffer and resuming the thread, the malware masks its activity under the guise of a legitimate Chrome process, reducing detection likelihood.
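The artifacts described in the exfiltration and infection sections can be turned into detection logic. The following Python routine is an added example (not code from the original write-up or from any vendor) that flags the RavenStealer drop files, a browser process reaching the Telegram Bot API, and chrome.exe launched by an unexpected parent, over Sysmon-style events. The event field names, the sample events, and the Bot API host api.telegram.org are assumptions.

```python
import re
from typing import Iterable, List, Tuple

# Artifacts named in the write-up: the AppData\RavenStealer drop folder, its three
# plain-text files, and Telegram's Bot API as the exfiltration channel. The Bot API
# host (api.telegram.org), the event field names and the sample events are assumptions.
DROP_DIR_RE = re.compile(r"\\AppData\\(?:[^\\]+\\)?RavenStealer\\", re.IGNORECASE)
DROP_FILES = {"cookies.txt", "passwords.txt", "payments.txt"}
TELEGRAM_BOT_API_HOST = "api.telegram.org"
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
# Parents that normally launch Chrome; the hollowing step launches it from the dropper.
EXPECTED_CHROME_PARENTS = BROWSERS | {"explorer.exe"}


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[dict]) -> List[Tuple[str, str]]:
    """Return (rule_name, detail) pairs for Sysmon-style events (1 = process create,
    3 = network connection, 11 = file create) that match the described behaviour.
    The parent-process check is a heuristic that needs an environment-specific
    allowlist; the in-memory hollowing itself is not visible in these events."""
    findings = []
    for ev in events:
        eid = ev.get("event_id")
        image = _basename(ev.get("image", ""))
        if eid == 11:  # plain-text loot files written under AppData\...\RavenStealer
            target = ev.get("target_filename", "")
            if DROP_DIR_RE.search(target) and _basename(target) in DROP_FILES:
                findings.append(("raven_drop_file", target))
        elif eid == 3:  # a hollowed browser process is what talks to the bot
            if image in BROWSERS and ev.get("dest_host", "").lower() == TELEGRAM_BOT_API_HOST:
                findings.append(("browser_to_telegram_bot_api", image))
        elif eid == 1:  # chrome.exe started by something other than its usual parents
            parent = _basename(ev.get("parent_image", ""))
            if image == "chrome.exe" and parent and parent not in EXPECTED_CHROME_PARENTS:
                findings.append(("chrome_spawned_by_unusual_parent", parent))
    return findings


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"event_id": 1, "image": CHROME, "parent_image": r"C:\Users\alice\Downloads\bundled_installer.exe"},
    {"event_id": 11, "image": CHROME, "target_filename": r"C:\Users\alice\AppData\Local\RavenStealer\passwords.txt"},
    {"event_id": 3, "image": CHROME, "dest_host": "api.telegram.org"},
    {"event_id": 1, "image": CHROME, "parent_image": r"C:\Windows\explorer.exe"},  # benign launch
]
```

Running detect(SAMPLE_EVENTS) yields three findings and ignores the benign explorer.exe launch; in production the parent allowlist and the Telegram check need tuning against the environment's own baseline.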
Implications and Recommendations
The emergence of Raven Stealer underscores the evolving sophistication of malware targeting browser-stored credentials. Users are advised to exercise caution when downloading software, especially from unofficial sources. Regularly updating browsers and employing robust security measures can mitigate the risk of such infections.