
Malicious Software, Raven Stealer, Targeting Google Chrome Users for Data Theft

The malware, tracked as Raven Stealer, reaches Chromium-based browsers through cracked and repackaged apps, then steals credentials, cookies and payment details using ChaCha20-encrypted modules that run only in memory.

Google Chrome users targeted by the malware known as Raven Stealer, with the intent of extracting sensitive user data.


A new information stealer, known as Raven Stealer, has drawn the attention of security researchers since it was first observed in mid-2025.

Raven Stealer is an information-stealing malware that targets Chromium-based browsers such as Google Chrome. On execution it resolves the path of the Chrome binary and launches a new Chrome instance in a suspended state. Its payload modules are stored ChaCha20-encrypted in the executable's resource section and are decrypted and run directly from memory, so no second-stage component is ever written to disk.

Once injected, Raven Stealer enumerates the browser profiles and recovers the AES key stored in Chrome's Local State file. That key is itself wrapped with DPAPI, so the malware calls the native Windows API (CryptUnprotectData) to unwrap it before using it to decrypt saved passwords, cookies, autofill entries and payment data. The decrypted data is staged on disk before it is archived for exfiltration.

What distinguishes the malware is its modular, stealth-oriented design. After writing the decrypted payload into memory allocated inside the suspended Chrome process, it rewrites the suspended thread's context so that execution begins at the injected buffer, then resumes the thread. The malicious code therefore runs inside what looks like a legitimate Chrome process, which lowers the likelihood of detection.

The infection chain uses reflective process hollowing to inject the main DLL payload into the suspended Chrome process. Initial execution relies on social engineering: repackaged installers and cracked software convince the victim to run the dropper themselves.

Exfiltration goes over Telegram's Bot API: the stolen data is compressed into an archive and posted to the attacker's Telegram chat through the bot's upload endpoint. Because bot tokens can be revoked or expire, the builder prompts the operator for fresh Telegram credentials each time a new payload is generated, so every build ships with working credentials.
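The behaviour described in the preceding paragraphs gives a defender two linked signals: a chrome.exe created by a non-browser parent with no --type= argument (the hollowed host), and that same process later connecting to api.telegram.org (the Bot API exfiltration). The following Python script, an added example that is not code from Point Wild or from the malware, correlates the two over Sysmon-style ProcessCreate (Event ID 1) and NetworkConnect (Event ID 3) records. The event records, the parent path C:\Users\user\Downloads\Installer.exe, the bot id 123456789 and the optional Url field (assumed to come from a TLS-inspecting proxy) are constructed for the example; the benign-parent list is an assumption to tune per environment.

```python
import re

# Parents under which a top-level chrome.exe launch is expected. Assumed list
# for this example; extend for the environment (mail clients, Teams, etc.).
BENIGN_CHROME_PARENTS = {"explorer.exe", "chrome.exe"}
BOT_API_HOST = "api.telegram.org"
# Bot API URL shape: /bot<bot id>:<secret>/<method>
BOT_TOKEN_RE = re.compile(r"/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")


def basename(path):
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_chrome_launch(ev):
    """True for a chrome.exe started by a process that should not start it.

    A hollowed Chrome is created by the dropper itself, normally with no
    arguments; genuine Chrome children carry --type=... and have chrome.exe
    as their parent. Heuristic, not proof: pair it with a second signal.
    """
    if ev["EventID"] != 1 or basename(ev["Image"]) != "chrome.exe":
        return False
    parent = basename(ev["ParentImage"])
    if parent == "chrome.exe":
        return "--type=" not in ev["CommandLine"]
    return parent not in BENIGN_CHROME_PARENTS


def parse_bot_api_url(url):
    """Split a Telegram Bot API URL into (bot_id, method).

    The secret half of the token is deliberately dropped so the alert can be
    shared without redistributing the attacker's credential.
    """
    m = BOT_TOKEN_RE.search(url)
    return (m.group(1), m.group(3)) if m else None


def correlate(events):
    """Pair each suspicious chrome.exe with a later connection to the Bot API."""
    suspects = {}   # ProcessId -> the ProcessCreate event that made it suspect
    alerts = []
    for ev in events:
        if suspicious_chrome_launch(ev):
            suspects[ev["ProcessId"]] = ev
        elif (ev["EventID"] == 3
              and ev["ProcessId"] in suspects
              and ev.get("DestinationHostname", "").lower() == BOT_API_HOST):
            alert = {"pid": ev["ProcessId"],
                     "parent": suspects[ev["ProcessId"]]["ParentImage"],
                     "host": BOT_API_HOST}
            if "Url" in ev:   # only present when a TLS-inspecting proxy supplies it
                alert["bot"] = parse_bot_api_url(ev["Url"])
            alerts.append(alert)
    return alerts


# Constructed sample telemetry for this example, not real events.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": CHROME,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": '"chrome.exe"'},
    {"EventID": 1, "ProcessId": 4188, "Image": CHROME,
     "ParentImage": CHROME, "CommandLine": '"chrome.exe" --type=renderer'},
    {"EventID": 1, "ProcessId": 5304, "Image": CHROME,   # the hollowed instance
     "ParentImage": r"C:\Users\user\Downloads\Installer.exe",
     "CommandLine": '"chrome.exe"'},
    {"EventID": 3, "ProcessId": 4120, "Image": CHROME,
     "DestinationHostname": "www.google.com"},
    {"EventID": 3, "ProcessId": 5304, "Image": CHROME,
     "DestinationHostname": "api.telegram.org",
     "Url": "https://api.telegram.org/bot123456789:AAH" + "x" * 32 + "/sendDocument"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print("hollowed chrome.exe talking to Telegram Bot API:", a)
```

Real Chrome has no reason to contact api.telegram.org (Telegram Web uses other hosts), but the alert fires only on the conjunction of the odd parent and the Bot API connection, which keeps a single unusual browser launch from paging anyone.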

Point Wild analysts note that embedding the modules in the resource section simplifies deployment and complicates forensic analysis, since the decrypted code exists only in memory. Raven Stealer is distributed mainly through cracked software bundles and underground forums.

Since its discovery in mid-2025, Raven Stealer has remained an active threat to users of Chromium-based browsers. Users should avoid cracked or repackaged software and keep their browsers updated to reduce exposure to threats of this kind.
