Cybercriminals behind Raccoon Stealer have been found using a chat app to store and update C2 addresses to spread within infected machines. Recently, the stealer has added the ability to update its own actual C2 addresses on Telegram’s infrastructure.

What’s been found?

The report disclosed that the recent version of Raccoon Stealer communicates with its C2 within Telegram. 
  • The new variant has the capability to store and update its C2 addresses that are stored on Telegram’s infrastructure.
  • So far, the stealer has spread clipboard crypto stealers, downloaders, and WhiteBlackCrypt ransomware.

How does it work?

There are four crucial values for C2 communication, which are hardcoded in every sample. 
  • The values are MAIN_KEY, URLs of Telegram gates with a channel name, BotID, and TELEGRAM_KEY. 
  • To hijack Telegram for C2, the malware decrypts MAIN_KEY that decrypts Telegram gates URLs and BotID.
  • The stealer uses the Telegram gate to get to the actual C2 by using a string of queries that ultimately allow it to use the Telegram infrastructure for updating and storing real C2 addresses.

Spreading and evading techniques

In addition to C2 communication, researchers from Avast Threat Labs also observed more creative ways attackers are using to spread Raccoon Stealer. 
  • They are now using Buer Loader and GCleaner to spread Raccoon Stealer. In addition, they are using fake game cheats, patches for cracked software, hacks and mods for Fortnite, Valorant, and NBA2K22 or other software.
  • The cybercriminals are attempting to evade detection by packing the credential stealer, using Themida or malware packers, with some samples packed more than five times using the same packer.

Avoiding Russia?

Once being executed, Racoon Stealer checks the default user location set on the infected device and avoids Russia, Belarus, Ukraine, Kyrgyzstan, Uzbekistan, Kazakhstan, Tajikistan, and Armenia.


The exploitation of Telegram by cybercriminals is not new. Raccoon Stealer abuses it to operate in stealth mode. Experts think that the developers of this malware will continue to add new features to it to make it efficient. As a precaution, organizations should always use reliable anti-malware solutions.
Cyware Publisher