Raccoon Stealer abuses Telegram to spread infection on victims’ devices


The operators of Raccoon Stealer have been found abusing Telegram to store and update C2 addresses and to distribute the infostealer to compromised devices. The stealer now includes a function that updates its C2 addresses through the chat app.

According to reports, the latest version of Raccoon Stealer uses Telegram to communicate with its command-and-control (C2) server. The new strain of the infostealer can store and update its C2 addresses, which are kept on Telegram’s infrastructure.

The infostealer has also distributed clipboard crypto stealers, the WhiteBlackCrypt ransomware, and malicious downloaders.

According to researchers, four values essential for C2 communication are hardcoded in every sample: the TELEGRAM_KEY, the BotID, the URLs of Telegram gates with a channel name, and the MAIN_KEY.

To use Telegram for command-and-control, the malware must first decrypt the MAIN_KEY, which it then uses to decrypt the BotID and the Telegram gate URLs.


Raccoon Stealer then sends a series of queries to the Telegram gate to acquire the actual C2, abusing Telegram's infrastructure to store and update its live C2 addresses.
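For defenders, the lookup pattern described above (a request to Telegram followed by contact with the retrieved C2) can be hunted in proxy logs. The following is an added example, not code from the researchers or the original article; the log format, process names, allowlists and 60-second window are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed proxy log lines: timestamp, host, process, destination
SAMPLE_LOG = """\
2022-03-10T09:00:01 ws-014 telegram.exe api.telegram.org
2022-03-10T09:00:05 ws-014 chrome.exe t.me
2022-03-10T09:02:10 ws-022 updater_x.exe t.me
2022-03-10T09:02:14 ws-022 updater_x.exe 203.0.113.45
2022-03-10T09:02:20 ws-022 chrome.exe intranet.example.com
2022-03-10T09:30:00 ws-031 setup_mod.exe t.me
2022-03-10T09:50:00 ws-031 setup_mod.exe 198.51.100.7
"""

# Assumptions: tune all three sets to the local environment.
TELEGRAM_HOSTS = {"t.me", "telegram.org", "api.telegram.org"}
EXPECTED_CLIENTS = {"telegram.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
KNOWN_DESTINATIONS = {"intranet.example.com"}  # baseline of usual destinations
WINDOW = timedelta(seconds=60)  # assumed gap between gate lookup and C2 contact

def parse(log):
    """Yield (time, host, process, destination) from well-formed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the hunt
        ts, host, proc, dest = parts
        yield datetime.fromisoformat(ts), host, proc.lower(), dest.lower()

def find_dead_drop_lookups(log):
    """Flag an unexpected process that contacts Telegram and then, within
    WINDOW, a destination outside the baseline (possible resolved C2)."""
    pending = {}  # (host, process) -> (time of Telegram request, Telegram host)
    alerts = []
    for ts, host, proc, dest in sorted(parse(log)):
        key = (host, proc)
        if dest in TELEGRAM_HOSTS:
            if proc not in EXPECTED_CLIENTS:
                pending[key] = (ts, dest)
            continue
        seen = pending.get(key)
        if seen is None:
            continue
        if ts - seen[0] > WINDOW:
            del pending[key]  # too late to be tied to the lookup
        elif dest not in KNOWN_DESTINATIONS:
            alerts.append((host, proc, seen[1], dest))
            del pending[key]
    return alerts
```

A hit is a lead for triage, not a verdict: legitimate bots and scripts also call Telegram, so the allowlists need local tuning.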


Several new campaigns have been found distributing the infostealer, with its operators using GCleaner and Buer Loader to spread the infection. The threat actors also use phoney game cheats, updates for pirated software, and mods for Valorant, NBA2k, and Fortnite.

Threat actors are also trying to bypass AV solutions by packing the credential stealer with Themida packers. Researchers indicated that the identified samples were packed more than five times using a single packer.

The Raccoon Stealer then checks the default user location prepared by its operators on the compromised device and avoids countries in the Middle East, Russia, and some parts of Europe.

The abuse of chat applications by malware such as Raccoon Stealer to operate elusively is still rising. Experts claim that the designers of this malware will continue to add new functions to their stealers to make them more efficient. Organisations should always use reliable anti-malware solutions to mitigate any chances of infection from such threats.
