Recently, Bitdefender researchers reported that the RIG exploit kit was replacing Raccoon Stealer with Dridex trojan as part of a campaign that has been active since January. The switch in the modus operandi had come in the wake of Raccoon Stealer temporarily closing its operation in February. 

However, a new report has surfaced that suggests that the Raccoon Stealer is showing signs of life and is likely to make a strong comeback in the information stealer market.


  • Sold previously under the Malware-as-a-Service (MaaS) model on underground forums since early 2019, Raccoon Stealer’s operations suddenly came to a halt on March 25, 2022.
  • The operations were suspended due to the loss of a developer in the Russia-Ukraine war.
  • At that time, the malware’s profile stated on several forums that it is temporarily unavailable and is in the process of upgrading.

What’s the latest update?

  • On June 10, analysts from SEKOIA.IO discovered new activities on servers hosting the malware.
  • While searching for the stealer’s administration panels on the Shodan search engine, they found several active servers with a web page named Raccoon Stealer 2.0.
  • It is believed that the new version was available on Telegram for sale since May 17.
  • Upon further analysis, researchers uncovered a new malware family, named RecordBreaker, which shared similarities with RacconStealer v2. The malware was being distributed in the wild.

Capabilities of Raccoon Stealer v2

  • Raccoon Stealer v2 is written in C/C++ using WinApi. The malware downloads legitimate third-party DLLs from its C2 servers.
  • The new version borrows many of its capabilities from the original version. These include collecting browser data and system information, capturing screenshots, grabbing files from disks and memory sticks, and harvesting cryptocurrency wallet data, among others.

Summing up

The re-emergence of notorious malware, such as Raccoon Stealer, is not a new phenomenon in the threat landscape. Despite suffering disruptions, several malware families such as Conti and REvil have previously made a strong comeback and continue to wreak havoc across the globe. Therefore, organizations should be aware of techniques and tactics used by the information stealer to prevent attacks.
Cyware Publisher