Overview
Raccoon Stealer is a C/C++-based infostealer that first appeared on underground forums in April 2019, quickly gaining a reputation for its ease of use and reliable operator panel. The original version (v1) was temporarily shut down in March 2022 after its lead developer, Ukrainian national Mark Sokolovsky, was arrested in the Netherlands at the request of the FBI. However, the operation resumed in June 2022 with a fully rewritten version known as Raccoon Stealer v2, also called “RecordBreaker.” The v2 variant was rebuilt from scratch in C/C++ (replacing the original C++ codebase that relied on numerous third-party libraries) and introduced a faster, more modular architecture. Despite law enforcement action, Raccoon remains one of the most actively traded infostealers on cybercrime markets.
Capabilities
Raccoon Stealer v2 harvests saved credentials, cookies, autofill data, and credit card information from all major Chromium- and Gecko-based browsers. It targets cryptocurrency wallet browser extensions and desktop wallet applications, and can steal data from email clients and FTP applications. The stealer captures screenshots, collects system hardware and software information, and can be configured with a custom file grabber to exfiltrate documents matching specific patterns or extensions. Unlike v1, which downloaded numerous DLL dependencies at runtime, v2 uses a leaner approach with fewer external dependencies. Stolen data is organized into a structured log format and exfiltrated to the C2 server. The operator panel provides campaign management, log browsing with search functionality, and payload configuration options.
Distribution Methods
Raccoon Stealer is distributed by a wide network of affiliates using varied delivery methods. Common vectors include SEO poisoning with fake software crack and keygen sites, phishing emails with malicious Office documents or archive attachments, malvertising campaigns impersonating popular software, and pay-per-install distribution networks like PrivateLoader. Raccoon has also been delivered through exploit kits, trojanized installers bundled with legitimate software, and fake game mod and cheat tool downloads on YouTube and Discord. During the v1 era, Raccoon was notably distributed through the Fallout and RIG exploit kits, while v2 campaigns have leaned more heavily on social engineering and loader-based delivery.
Notable Campaigns
The FBI’s 2022 case against Raccoon Stealer was a landmark event, resulting in the seizure of infrastructure and a detailed affidavit revealing that the malware had been used to steal over 50 million credentials from victims worldwide. The FBI launched a dedicated website (raccoon.ic3.gov) allowing individuals to check if their data appeared in seized Raccoon logs. Despite this disruption, Raccoon v2 launched within months and was rapidly adopted. Throughout 2023, Raccoon v2 was observed being distributed alongside other stealers in multi-payload campaigns, where a single initial access vector would deploy both Raccoon and a secondary stealer like Vidar or RedLine to maximize data collection. In 2024, Sokolovsky was extradited to the United States and pleaded guilty to federal charges.
Detection & Mitigation
Raccoon v2’s C2 communication uses HTTP with distinctive URL path patterns and user-agent strings that can be fingerprinted for network detection. Behavioral detection should focus on processes performing sequential reads of browser credential databases across multiple browser profiles, which is characteristic of stealer activity. The malware’s file grabber module creates temporary directories with predictable naming patterns. YARA rules targeting Raccoon v2’s configuration decryption routine and string encoding scheme are available from multiple threat intelligence vendors. Mitigation strategies include deploying credential management solutions that avoid browser-based password storage, enforcing multi-factor authentication across all corporate accounts, monitoring for stolen credentials on dark web marketplaces, restricting execution of unsigned binaries, and maintaining updated endpoint protection with behavioral detection capabilities.
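The behavioral signal described above (one process reading browser credential stores across several profiles in quick succession) can be expressed as a sliding-window rule over file-read telemetry. The following is an added example, not code from the original page or any vendor: it assumes events arrive as (ISO timestamp, pid, image path, file path) tuples, and the browser list, store filenames, profile threshold and time window are assumptions chosen here; the sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Credential, cookie and autofill stores of Chromium- and Gecko-based browsers.
CRED_STORE = re.compile(
    r"\\(?:Login Data|Web Data|Cookies|logins\.json|key4\.db|cookies\.sqlite)$", re.I)
# Browser vendor dir plus profile dir, so reads can be counted per profile.
PROFILE = re.compile(
    r"\\(Google\\Chrome|Microsoft\\Edge|Mozilla\\Firefox)\\(?:User Data|Profiles)\\([^\\]+)", re.I)
# Processes expected to open their own stores; any other reader is suspect.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}

def profile_key(path):
    m = PROFILE.search(path)
    return f"{m.group(1)}\\{m.group(2)}".lower() if m else None

def find_credential_harvesters(events, min_profiles=3, window_s=60):
    """events: (iso_timestamp, pid, image_path, file_path) tuples. Returns
    [(pid, image, [profiles])] for non-browser processes that read credential
    stores from >= min_profiles distinct browser profiles within window_s."""
    by_proc = defaultdict(list)
    for ts, pid, image, path in events:
        exe = image.rsplit("\\", 1)[-1].lower()
        key = profile_key(path) if CRED_STORE.search(path) else None
        if key and exe not in BROWSER_IMAGES:
            by_proc[(pid, image)].append((datetime.fromisoformat(ts), key))
    hits = []
    for (pid, image), reads in by_proc.items():
        reads.sort()
        for i, (t0, _) in enumerate(reads):  # sliding window starting at each read
            seen = {k for t, k in reads[i:] if (t - t0).total_seconds() <= window_s}
            if len(seen) >= min_profiles:
                hits.append((pid, image, sorted(seen)))
                break
    return hits

# Constructed file-read events (not real telemetry): an unsigned binary run from
# %TEMP% sweeps three browsers' profiles; chrome.exe opening its own store is benign.
U = r"C:\Users\alice\AppData"
TMP = U + r"\Local\Temp\setup.exe"
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:01", 4412, TMP, U + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    ("2024-05-01T10:00:01", 4412, TMP, U + r"\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    ("2024-05-01T10:00:02", 4412, TMP, U + r"\Local\Google\Chrome\User Data\Profile 1\Login Data"),
    ("2024-05-01T10:00:03", 4412, TMP, U + r"\Local\Microsoft\Edge\User Data\Default\Web Data"),
    ("2024-05-01T10:00:04", 4412, TMP, U + r"\Roaming\Mozilla\Firefox\Profiles\x1y2.default-release\logins.json"),
    ("2024-05-01T10:05:00", 1888, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     U + r"\Local\Google\Chrome\User Data\Default\Login Data"),
]
```

Calling find_credential_harvesters(SAMPLE_EVENTS) flags only pid 4412, which touched four distinct profiles across Chrome, Edge and Firefox within four seconds; the browser's own read is excluded. Backup agents and password-manager importers also read these stores, so the image allow-list should be extended with whatever is expected in the environment before the rule is used for alerting.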