RAVEN STEALER UNMASKED Telegram-Based Data Exfiltration

EXECUTIVE SUMMARY
Raven Stealer is a modern, lightweight, information-stealing malware developed primarily in Delphi and C++, designed to extract sensitive data from victim machines with minimal user interaction and high operational stealth. Promoted under the guise of “educational use,” Raven Stealer demonstrates functionality consistent with malicious intent, including credential theft, browser data harvesting, and real-time data exfiltration via Telegram bot integration.

The stealer specifically targets Chromium-based browsers (such as Chrome and Edge), extracting passwords, cookies, saving payment details, and autofill information. Its use of a modular architecture and a built-in resource editor allows attackers to embed configuration details (like Telegram bot tokens and chat IDs) directly into the compiled payload. This structure streamlines the deployment process, enabling even low-skill threat actors to launch credential-harvesting campaigns.

Unlike Python-based stealers, Raven’s compiled binaries are packed using UPX, reducing their size and improving evasion against static detection mechanisms. The malware executes in a fully hidden state, leaving no visible traces or UI elements during runtime, which significantly lowers the chance of user detection.

Raven Stealer is actively distributed through GitHub repositories and promoted via the Telegram channel. This channel functions as both a development log and distribution platform, regularly sharing builder updates, guides, and promotional content for the stealer. The use of Telegram for C2-like behavior, paired with a clean user interface and dynamic module support, positions Raven Stealer as a commercially attractive tool within the commodity malware ecosystem.

To read the complete article see:
https://www.cyfirma.com/research/raven-stealer-unmasked-telegram-based-data-exfiltration/