S1148 Raccoon Stealer
Raccoon Stealer is an information stealer malware family active since at least 2019 as a malware-as-a-service offering sold in underground forums. Raccoon Stealer has experienced two periods of activity across two variants, from 2019 to March 2022, then resurfacing in a revised version in June 2022.[2][1]
| Item | Value |
|---|---|
| ID | S1148 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 01 August 2024 |
| Last Modified | 14 October 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | Raccoon Stealer checks the privileges of running processes to determine if the running user is equivalent to NT Authority\System.[3] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Raccoon Stealer uses HTTP, and particularly HTTP POST requests, for command and control actions.[2][1][3] |
| enterprise | T1560 | Archive Collected Data | Raccoon Stealer archives collected system information in a text file, System info.txt, prior to exfiltration.[3] |
| enterprise | T1119 | Automated Collection | Raccoon Stealer collects files and directories from victim systems based on configuration data downloaded from command and control servers.[2][1][3] |
| enterprise | T1020 | Automated Exfiltration | Raccoon Stealer will automatically collect and exfiltrate data identified in received configuration files from command and control nodes.[2][1][3] |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | Raccoon Stealer collects passwords, cookies, and autocomplete information from various popular web browsers.[3] |
| enterprise | T1213 | Data from Information Repositories | Raccoon Stealer gathers information from repositories associated with cryptocurrency wallets and the Telegram messaging service.[3] |
| enterprise | T1005 | Data from Local System | Raccoon Stealer collects data from victim machines based on configuration information received from command and control nodes.[2][3] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Raccoon Stealer uses RC4-encrypted, base64-encoded strings to obfuscate functionality and command and control servers.[2][1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Raccoon Stealer uses existing HTTP-based command and control channels for exfiltration.[2][1][3] |
| enterprise | T1083 | File and Directory Discovery | Raccoon Stealer identifies target files and directories for collection based on a configuration file.[2][3] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Raccoon Stealer can remove files related to use and installation.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Raccoon Stealer downloads various library files enabling interaction with various data stores and structures to facilitate follow-on information theft.[2][3] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.007 | Dynamic API Resolution | Raccoon Stealer dynamically links key WinApi functions during execution.[1][3] |
| enterprise | T1027.013 | Encrypted/Encoded File | Raccoon Stealer uses RC4 encryption for strings and command and control addresses to evade static detection.[2][1][3] |
| enterprise | T1012 | Query Registry | Raccoon Stealer queries the Windows Registry to fingerprint the infected host via the HKLM:\SOFTWARE\Microsoft\Cryptography\MachineGuid key.[1][3] |
| enterprise | T1113 | Screen Capture | Raccoon Stealer can capture screenshots from victim systems.[2][3] |
| enterprise | T1518 | Software Discovery | Raccoon Stealer is capable of identifying running software on victim machines.[1][3] |
| enterprise | T1539 | Steal Web Session Cookie | Raccoon Stealer attempts to steal cookies and related information in browser history.[3] |
| enterprise | T1195 | Supply Chain Compromise | Raccoon Stealer has been distributed through cracked software downloads.[2] |
| enterprise | T1082 | System Information Discovery | Raccoon Stealer gathers information on infected systems such as operating system, processor information, RAM, and display information.[2][3] |
| enterprise | T1614 | System Location Discovery | Raccoon Stealer collects the Locale Name of the infected device via GetUserDefaultLocaleName to determine whether the string "ru" is included, but in analyzed samples no action is taken if present.[2] |
| enterprise | T1033 | System Owner/User Discovery | Raccoon Stealer gathers information on the infected system owner and user.[2][1][3] |
| enterprise | T1124 | System Time Discovery | Raccoon Stealer gathers victim machine timezone information.[2][3] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1015 | Scattered Spider | [4] |
References
1. Quentin Bourgue, Pierre le Bourhis, & Sekoia TDR. (2022, June 28). Raccoon Stealer v2 - Part 1: The return of the dead. Retrieved August 1, 2024.
2. S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024.
3. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.
4. Check Point Team. (2025, July 7). Exposing Scattered Spider: New Indicators Highlight Growing Threat to Enterprises and Aviation. Retrieved October 13, 2025.