An improved version of the Raccoon Stealer has been observed hiding in pirated software. The attackers appear to have added new tools to harvest cryptocurrency.

New tactics for stealers 

According to research conducted by Sophos Labs, Raccoon Stealer has received significant updates. 
  • The platform—whose most customers are rookie or wannabe hackers—now offers ready-to-use services for stealing passwords or authentication cookies stored inside web browsers.
  • Doing away from traditional email-based infections, it now leverages Google SEO skills to promote their fake site for cracked software.
  • Software pirating tools, such as programs to crack licensed software for illicit use or keygen programs, are being used as lures that promise to develop registration keys for various software.

Additional insights

An investigation of Raccoon’s infrastructure showed 60 subdomains under the domain xsph[.]ru, with 21 of them active. They were registered with the Russian hosting provider SprintHost[.]ru.
  • The Raccoon campaign successfully deployed other malware, stole cookies and credentials, and sold them illegally to steal cryptocurrency worth around $13,200.
  • After infection, additional malware delivered to victims include cryptominers, clippers, malicious browser extensions, YouTube click-fraud bots, and Djvu/Stop ransomware.
  • The selection of dropped malware indicates that these are part of the droppers-as-a-service used by some of its affiliates, and may not be associated directly with the Racoon Stealer operators.


Packaging cracked software for malicious purposes is not new. Besides, the recent update of Raccoon Stealer shows that the cyber threat landscape is now becoming commercialized. The availability of malicious tools and services has become easier than ever before, which has resulted in a drastic increase in cybercrime across the globe.

Cyware Publisher