
Raven Stealer

By Favila in Uncategorized, Stealers, Trojans

Raven is an information stealer written in Delphi and C++ whose purpose is to harvest sensitive data from infected Windows systems. It is built to run unattended: it needs little manual control from its operators and works quietly to avoid detection. Any system found infected with Raven should be disinfected without delay.

Covert Communications via Telegram

One of Raven's defining traits is its use of Telegram as a hidden communication channel. Stolen information is forwarded automatically to an attacker-controlled Telegram bot, so the operators need no infrastructure of their own beyond a bot account. The same channel can carry new instructions back to the malware, letting attackers adapt their tactics on an infected host.

The Telegram configuration (in practice the bot token and the destination chat) is embedded in the binary rather than fetched from a server. At run time Raven reads it out with standard Windows API calls and keeps it only in memory, and that is what establishes the link to its operators for as long as the process is running. For defenders the useful consequence is that the token is recoverable from the sample and is visible in the network traffic, which makes it the best indicator to pivot on.
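Because the Telegram Bot API puts the bot token in the URL path, the communication link described above is easy to spot in web proxy logs. The following detection script is an added example, not code from the page or from Raven itself; the log format and the bot token in the sample lines are constructed for the example, and the token shape is the publicly documented Bot API format (numeric bot ID, colon, 35-character secret).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Telegram Bot API requests look like:
#   https://api.telegram.org/bot<numeric_id>:<35-char secret>/<method>
# The regex captures the token and the method name. Token shape follows the
# public Bot API format; nothing here is a real token.
BOT_TOKEN_RE = re.compile(r"/bot(\d{8,10}:[A-Za-z0-9_-]{35})/(\w+)")

# Methods a stealer needs: push loot (exfil) and poll for instructions (tasking).
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendMessage"}
TASKING_METHODS = {"getUpdates"}

# Constructed proxy log format (assumption for this example):
#   "<ts> <src_ip> <http_verb> <url> <status> <bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<verb>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


@dataclass
class TelegramC2Hit:
    src_ip: str
    method: str
    bot_id: str          # numeric part of the token; safe to share in a report
    token_redacted: str  # never write the full token into a ticket
    kind: str            # "exfil" or "tasking"


def parse_line(line: str) -> Optional[TelegramC2Hit]:
    """Return a hit if the proxy line is Bot API exfil or tasking traffic."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    host = url.split("://", 1)[-1].split("/", 1)[0].lower()
    if host != "api.telegram.org":
        return None
    t = BOT_TOKEN_RE.search(url)
    if not t:
        return None
    token, method = t.group(1), t.group(2)
    if method in EXFIL_METHODS:
        kind = "exfil"
    elif method in TASKING_METHODS:
        kind = "tasking"
    else:
        return None  # e.g. getMe: not interesting on its own
    bot_id, secret = token.split(":", 1)
    return TelegramC2Hit(
        src_ip=m.group("src"),
        method=method,
        bot_id=bot_id,
        token_redacted=f"{bot_id}:{secret[:4]}...{secret[-4:]}",
        kind=kind,
    )


def scan(lines: List[str]) -> List[TelegramC2Hit]:
    return [h for h in (parse_line(l) for l in lines) if h]


def summarize(hits: List[TelegramC2Hit]) -> Dict[Tuple[str, str], Dict[str, int]]:
    """Count exfil/tasking requests per (source host, bot ID) pair."""
    out: Dict[Tuple[str, str], Dict[str, int]] = {}
    for h in hits:
        bucket = out.setdefault((h.src_ip, h.bot_id), {"exfil": 0, "tasking": 0})
        bucket[h.kind] += 1
    return out


# Constructed sample log lines (not real traffic, not a real token).
SAMPLE_PROXY_LOG = [
    "2025-09-01T10:00:01Z 10.0.0.21 POST https://api.telegram.org/bot1234567890:AAHfK0Z3n4u7s9QqX1LpV8eR2tYbC6wM9Dz/sendDocument 200 184320",
    "2025-09-01T10:00:04Z 10.0.0.21 GET https://api.telegram.org/bot1234567890:AAHfK0Z3n4u7s9QqX1LpV8eR2tYbC6wM9Dz/getUpdates?offset=5 200 512",
    "2025-09-01T10:00:09Z 10.0.0.33 GET https://web.telegram.org/k/ 200 4096",
    "2025-09-01T10:00:12Z 10.0.0.21 GET https://api.telegram.org/bot1234567890:AAHfK0Z3n4u7s9QqX1LpV8eR2tYbC6wM9Dz/getMe 200 120",
]

if __name__ == "__main__":
    for (src, bot), counts in summarize(scan(SAMPLE_PROXY_LOG)).items():
        print(f"{src} -> bot {bot}: {counts}")
```

Ordinary Telegram desktop and web clients do not talk to api.telegram.org with a bot token, so any endpoint doing so is either running legitimate bot automation or malware; a large POST to sendDocument from a workstation that has no business running bots is the signal to act on. Once the token is confirmed malicious, block it at the proxy and report it to Telegram so the bot is disabled.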

Data Raven Seeks to Steal

Raven focuses on harvesting sensitive digital assets, particularly from browsers and personal applications. Its browser-harvesting component runs in memory and interacts with Chromium-based browsers (Chrome, Edge and similar) directly, rather than copying the profile databases to disk, which leaves fewer artifacts for forensic review. To stay hidden it launches browser processes without a visible window and with their security features disabled.

The malware can extract:

  • Browser credentials, cookies, and payment information
  • Cryptocurrency wallets (private keys, addresses, and balances)
  • VPN clients, gaming platforms, and messaging apps
  • Desktop screenshots

After collecting this information, Raven packs the files into a ZIP archive written to the system's temporary directory and uploads that package directly to the attacker's Telegram bot. If the archive is still present on a suspected host, it is the most direct evidence of what was taken, so recently created ZIP files under the user's temp directory are worth checking early in an investigation.
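A quick way to triage a temp directory for such loot archives is to open every ZIP found there (by magic bytes, since a stealer need not use a .zip extension) and score its entry names against the file names browsers and wallets use for the data listed above. The script below is an added example and not Raven's code or the page's; the loot file names it keys on (Chromium's "Login Data", "Cookies" and "Web Data", plus generic wallet and screenshot names) are common stealer-loot markers and are not claimed to be the exact names Raven uses, and the sample archives it builds are constructed for the example.

```python
import os
import tempfile
import time
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Entry-name fragments that suggest stealer loot, mapped to a category.
# Chromium stores credentials in "Login Data", cookies in "Cookies" (or
# "Network/Cookies") and cards/autofill in "Web Data". The wallet and
# screenshot names are generic markers, not names attributed to Raven.
LOOT_MARKERS = {
    "login data": "browser credentials",
    "cookies": "browser cookies",
    "web data": "browser autofill/payment data",
    "wallet.dat": "crypto wallet",
    "screenshot": "desktop screenshot",
    "passwords.txt": "decrypted credentials",
}

ZIP_MAGIC = b"PK\x03\x04"


def is_zip(path: str) -> bool:
    """Check the file signature instead of trusting the extension."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == ZIP_MAGIC
    except OSError:
        return False


def classify_entries(names: List[str]) -> Dict[str, List[str]]:
    """Map archive entries to the loot category their file name suggests."""
    found: Dict[str, List[str]] = {}
    for name in names:
        base = Path(name).name.lower()
        for marker, category in LOOT_MARKERS.items():
            if marker in base:
                found.setdefault(category, []).append(name)
    return found


def triage_zip(path: str, max_age_s: int = 24 * 3600, min_categories: int = 2) -> Optional[Dict[str, List[str]]]:
    """Return the loot categories if the archive is recent and looks like stealer
    output (at least min_categories distinct kinds of loot), else None."""
    if not is_zip(path):
        return None
    if time.time() - os.stat(path).st_mtime > max_age_s:
        return None
    try:
        with zipfile.ZipFile(path) as zf:
            cats = classify_entries(zf.namelist())
    except zipfile.BadZipFile:
        return None
    return cats if len(cats) >= min_categories else None


def hunt_temp(temp_dir: str) -> Dict[str, Dict[str, List[str]]]:
    """Walk a temp directory and report every archive that triages as loot."""
    hits = {}
    for p in Path(temp_dir).rglob("*"):
        if p.is_file():
            cats = triage_zip(str(p))
            if cats:
                hits[str(p)] = cats
    return hits


def build_sample_temp() -> Tuple[str, str, str]:
    """Create a constructed temp directory with one stealer-like archive
    (deliberately named without a .zip extension) and one benign archive.
    Returns (directory, loot_path, benign_path)."""
    d = tempfile.mkdtemp(prefix="raven-triage-")
    loot = os.path.join(d, "log.tmp")
    with zipfile.ZipFile(loot, "w") as zf:
        zf.writestr("Browsers/Chrome/Default/Login Data", b"constructed")
        zf.writestr("Browsers/Chrome/Default/Network/Cookies", b"constructed")
        zf.writestr("Wallets/Bitcoin/wallet.dat", b"constructed")
        zf.writestr("Screenshot.png", b"constructed")
    benign = os.path.join(d, "archive.zip")
    with zipfile.ZipFile(benign, "w") as zf:
        zf.writestr("q3_report.pdf", b"constructed")
        zf.writestr("notes.txt", b"constructed")
    return d, loot, benign


if __name__ == "__main__":
    directory, _, _ = build_sample_temp()
    for path, cats in hunt_temp(directory).items():
        print(path, "->", ", ".join(sorted(cats)))
```

Requiring two distinct loot categories keeps a single stray "Cookies" file from raising an alert, and the age filter keeps the scan focused on the current incident; both thresholds are arguments so they can be loosened when imaging a host after the fact.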

Distribution Tactics

Raven is distributed through GitHub repositories and openly promoted in Telegram channels. This active promotion signals that its developers are attempting to make the malware widely accessible to cybercriminals. Comparable information stealers include DarkCloud, Leet, and RMC.

Common Infection Vectors

Cybercriminals rely on multiple channels to spread Raven and similar malware families. Users may unknowingly invite infection by engaging with unsafe downloads or malicious online content.

The most common distribution methods include:

  • Deceptive emails with infected attachments or malicious links
  • Pirated software, cracks, and key generators
  • Exploits of unpatched software vulnerabilities
  • Malicious ads, compromised websites, and P2P networks
  • Infected USB drives and third-party downloaders

Attackers frequently disguise malware in file formats such as executables, Office or PDF documents, scripts, and compressed archives (ZIP, RAR).

If you suspect your system is already compromised, a full system scan with tools such as Combo Cleaner Antivirus for Windows is strongly recommended.

Final Thoughts

Raven is a sophisticated stealer capable of compromising a wide variety of sensitive data, from browser credentials to cryptocurrency wallets. Left unchecked, it may result in financial theft, account hijacking, and significant privacy violations. Proactive defenses, combined with careful digital behavior, remain the strongest safeguard against such stealthy threats.
