Threat Intelligence | Dec 02, 2025

Raccoon Stealer: Inside the Infostealer That Became a Cybercrime Empire

Viktor Andersen
Senior Malware Analyst

Threat Profile

"Raccoon Stealer infected over 2 million victims across its lifespan, harvesting credentials that fueled everything from identity theft to ransomware attacks. The arrest of its operator didn't stop the business."

In March 2022, the FBI arrested Mark Sokolovsky, a 26-year-old Ukrainian national, for his role in operating Raccoon Stealer. Federal prosecutors alleged he was a key administrator of a malware operation that had infected computers in virtually every country on Earth. The charges carried a maximum sentence of 20 years.

The arrest should have been the end. The malware's Telegram channels went dark. The infrastructure went offline. Law enforcement declared victory.

Three months later, in June 2022, Raccoon Stealer v2 launched. Same capabilities. New codebase. Business as usual.

This is the story of one of the most resilient and profitable infostealers in cybercrime history, and what it teaches us about the economics of the underground credential trade.

Origins: The Birth of a Criminal Enterprise

Raccoon Stealer first appeared in early 2019, advertised on Russian-language cybercrime forums as a lightweight, easy-to-use credential stealer. Unlike the more complex malware frameworks of the era, Raccoon marketed itself on simplicity and customer service.

The pitch was straightforward: for $75 per week or $200 per month, anyone could access a fully-featured infostealer with a polished web panel, automatic updates, and responsive Telegram support. No technical skills required.

What set Raccoon apart wasn't technical sophistication. It was professionalization. The operators treated malware sales like a legitimate SaaS business, complete with:

  • Tiered Pricing: Weekly, monthly, and bulk licensing options to match different budgets.
  • 24/7 Support: Dedicated Telegram channels where operators answered technical questions within hours.
  • Regular Updates: Frequent releases adding new targeted applications and evading emerging antivirus signatures.
  • Uptime Guarantees: If the C2 infrastructure went down, customers received credit for lost time.

This business model attracted thousands of affiliates, from script kiddies running small-scale phishing campaigns to organized crime groups conducting industrial-scale credential harvesting.

Technical Architecture: How Raccoon Works

Raccoon Stealer is written in C++ (unlike RedLine's C#), compiled for Windows systems. A .NET binary like RedLine decompiles almost back to source, whereas native C++ has to be disassembled, so the choice buys a modest amount of analysis resistance as well as a small, dependency-free binary. The malware is compact, typically under 1MB when packed.

Data Collection Targets

Like most modern infostealers, Raccoon harvests a comprehensive dataset from infected machines:

Targeted Data Categories

Browser Data

  • Saved passwords
  • Cookies and session tokens
  • Autofill form data
  • Credit card details
  • Browser history

Cryptocurrency

  • Desktop wallet files
  • Browser extension wallets
  • Exchange session data
  • Seed phrase documents

Applications

  • Discord tokens
  • Telegram sessions
  • Email client data
  • FTP credentials
  • VPN configurations

System Data

  • Hardware fingerprint
  • IP and geolocation
  • Installed software
  • Desktop screenshots

Browser Credential Extraction

Raccoon targets credentials stored in Chromium-based browsers (Chrome, Edge, Brave, Opera) and Firefox. The extraction process varies by browser family:

Chromium browsers keep saved logins in an SQLite database (Login Data). Older builds encrypted each password directly with the Windows Data Protection API (DPAPI); since Chrome 80 each entry is an AES-256-GCM ciphertext (prefixed "v10") and only the AES key, stored base64-encoded in the profile's Local State file, is DPAPI-protected. Either way Raccoon calls CryptUnprotectData(), which succeeds because the malware runs in the same user security context that encrypted the data, and then decrypts the individual entries. (Chrome 127 added "app-bound" encryption, which wraps the key with a SYSTEM-level service so a plain user-context process cannot unwrap it; stealer families shipped bypasses within weeks, so treat it as a speed bump rather than a fix.)

Firefox does not use DPAPI. Logins live in logins.json, encrypted with a key kept in key4.db in the profile directory and managed by Mozilla's NSS (Network Security Services) library. Raccoon loads nss3.dll from the Firefox installation directory, initialises NSS against the profile with NSS_Init(), and calls PK11SDR_Decrypt() on each entry. Unless the user has set a primary (master) password, the key is unlocked without any further secret.

// Chromium credential database paths targeted by Raccoon
// (additional profiles sit beside Default as "Profile 1", "Profile 2", ...)
%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data
%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Login Data
%LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data\Default\Login Data
%APPDATA%\Opera Software\Opera Stable\Login Data

// DPAPI-wrapped AES key for the entries above (Chrome 80+); one per browser
%LOCALAPPDATA%\Google\Chrome\User Data\Local State

// Firefox credential paths (profile directory names end in .default or .default-release)
%APPDATA%\Mozilla\Firefox\Profiles\*.default*\logins.json
%APPDATA%\Mozilla\Firefox\Profiles\*.default*\key4.db

Cryptocurrency Wallet Targeting

Raccoon includes extensive cryptocurrency wallet targeting. The malware searches for wallet data from over 60 different cryptocurrency applications:

  • Desktop Wallets: Electrum, Exodus, Atomic, Jaxx Liberty, Coinomi, Guarda, Wasabi, and others.
  • Browser Extensions: MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Ronin Wallet.
  • Exchange Applications: Binance desktop app cached credentials.

Cryptocurrency theft provides the most immediate ROI for attackers. Unlike bank credentials (which require additional steps to monetize), a stolen wallet seed phrase enables instant, irreversible fund transfer.

Command and Control Infrastructure

Raccoon's C2 architecture evolved significantly across versions:

Version 1 used a centralized model with operator-controlled servers. When law enforcement seized these servers in 2022, the entire operation collapsed temporarily.

Version 2 implemented a more resilient design. Configuration data (C2 addresses, encryption keys) is embedded in the malware binary but can be updated remotely. The malware supports multiple fallback C2 endpoints, making infrastructure takedowns less effective.

Both versions transmit stolen data via HTTP POST requests, with the C2 addresses stored encrypted inside the binary and the logs encoded and encrypted before exfiltration. The traffic is typically plain HTTP with an application-layer encryption scheme, so TLS inspection does not help and body signatures are of little use; network detection has to rest on who is posting (an unsigned process that is not a browser or mail client), where (a host the environment has never contacted before), and on the host-side file access that always precedes the upload.

Distribution Methods: How Victims Get Infected

Raccoon operators don't control distribution. They provide the malware; affiliates handle delivery. This creates a diverse threat landscape where Raccoon spreads through multiple vectors simultaneously.

Malicious Software Downloads

The most common distribution method involves trojanized software. Criminals create convincing clone websites for popular applications and purchase Google/Bing ads to appear at the top of search results.

CISA has documented numerous campaigns using this technique. Popular lures include:

  • Cracked commercial software (Adobe products, Microsoft Office)
  • Gaming tools and cheats
  • Cryptocurrency trading bots
  • VPN applications
  • Video editing software
  • Driver update utilities

The downloaded installer typically functions normally, installing the legitimate (pirated) software while silently deploying Raccoon in the background. Victims attribute any subsequent account compromises to other causes.

Phishing and Social Engineering

Email-based campaigns remain effective, particularly in business contexts:

  • Invoice and Payment Lures: Fake invoices from "suppliers" with malicious attachments.
  • HR and Employment Scams: "Your benefits enrollment" or "Updated tax documents" themes.
  • Delivery Notifications: Fake shipping updates from major carriers.

Raccoon payloads are often delivered via password-protected archives (to evade email scanners) or Microsoft Office documents with malicious macros.

Loader Malware and Pay-Per-Install

A significant portion of Raccoon infections come through "loaders." These are separate malware programs whose sole purpose is to download and execute additional payloads.

Criminal syndicates operating botnets sell "installs" to infostealer operators. A botnet administrator with 10,000 infected machines might charge $0.50-2.00 per installation, providing Raccoon affiliates with instant access to thousands of victims.

Common loaders that have distributed Raccoon include:

  • SmokeLoader: A veteran loader active since 2011.
  • PrivateLoader: A pay-per-install service popular in 2022-2023.
  • Amadey: A modular loader frequently bundled with infostealers.

The Takedown: Operation Raccoon Hunt

Mark Sokolovsky, a Ukrainian national, was arrested in the Netherlands in March 2022. In October 2022 the U.S. Department of Justice unsealed his indictment alongside an international law enforcement operation that disrupted Raccoon Stealer's infrastructure.

  • 2M+ victims infected
  • 50M+ credentials stolen
  • $3M+ in cryptocurrency theft
  • 20 years maximum sentence

The FBI, working with Dutch, Italian, and other European law enforcement agencies, seized Raccoon's backend infrastructure and compiled a database of stolen credentials. The FBI established a website where potential victims could check if their data appeared in the seized logs.

Sokolovsky was charged with:

  • Conspiracy to commit computer fraud
  • Conspiracy to commit wire fraud
  • Conspiracy to commit money laundering
  • Aggravated identity theft

He pleaded guilty in October 2024 and was sentenced to five years in prison in December 2024.

A curious detail emerged during the investigation: the original Raccoon developers had announced a "temporary shutdown" in March 2022, citing the death of a core developer in the Russia-Ukraine conflict. Whether this was genuine or cover for anticipated law enforcement action remains unclear.

The Resurrection: Raccoon Stealer v2

Despite the takedown, Raccoon Stealer returned. In June 2022, new operators (claiming to be part of the original team) launched Raccoon Stealer v2, rebuilt from scratch.

The new version featured:

  • Complete Code Rewrite: New codebase to evade existing detection signatures.
  • Improved Evasion: Enhanced anti-analysis techniques and sandbox detection.
  • Expanded Targeting: Support for additional browsers, crypto wallets, and applications.
  • Better Infrastructure: More resilient C2 architecture less vulnerable to takedowns.

The v2 operators maintained the same pricing model and customer service approach that made the original successful. Security researchers at Sekoia and Check Point Research have published detailed technical analyses of the v2 variant.

This pattern demonstrates a frustrating reality for law enforcement: arresting operators rarely kills the malware. The business model, source code, and customer base survive. Someone always steps up to continue operations.

Raccoon vs. RedLine: Market Competition

Raccoon and RedLine operate in the same market, competing for the same customers. Understanding their differences illuminates how the infostealer economy works:

Feature             Raccoon                 RedLine
Language            C++                     C#/.NET
Price (monthly)     $200                    $150
Market position     Premium service         Market leader by volume
Customer support    Highly responsive       Good
Status (2025)       Active (v2)             Disrupted but active

Both malware families have experienced law enforcement disruption. Both have survived. The underground economy they serve continues to demand their products, ensuring that supply follows.

The Stolen Credential Economy

Raccoon logs don't sit unused. They flow into a sophisticated underground economy:

Log Marketplaces

Stolen credentials are sold on dedicated marketplaces. Before its Europol-coordinated takedown, Genesis Market specialized in selling "bots" (complete browser fingerprints including cookies) that allowed attackers to clone victim sessions.

Russian Market and 2easy continue operating, aggregating millions of stealer logs. Buyers can search by:

  • Target domain (e.g., "bankofamerica.com" credentials)
  • Country of origin
  • Account type indicators
  • Log freshness (newer = higher value)

Session Hijacking Attacks

Stolen cookies enable account takeover without passwords. Attackers import the victim's session cookies into their browser, bypassing both passwords and multi-factor authentication.

This technique, sometimes called "pass-the-cookie," is particularly effective against:

  • Email accounts (enabling business email compromise)
  • Cloud services (AWS, Azure, GCP consoles)
  • Social media (for spam/scam distribution)
  • Cryptocurrency exchanges (for fund theft)
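Pass-the-cookie works because most session stores check only that the cookie value is valid, not that it is being presented by the client it was issued to. The following added example (written for this article; not code from any framework or from the services named above) shows the server-side counterpart: each session is bound at login to a fingerprint of the client, here the User-Agent plus a TLS fingerprint such as JA4 that a front-end proxy would supply, and a valid cookie arriving from a different context is refused and the session revoked, which also logs the real user out and forces re-authentication. It also applies the idle and absolute lifetimes that the Detection and Defense section recommends. The User-Agent and TLS strings in the demo are constructed.

```python
"""Server-side detection of replayed session cookies (added example).

Illustrative code written for this article; not from any framework and not
the defence of any named service. Sessions are bound at issuance to a client
fingerprint (User-Agent plus a proxy-supplied TLS fingerprint). IP address is
left out on purpose: it changes on mobile and VPN roaming and would cause
false revocations. Fingerprint inputs in demo() are made up.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=30)   # shorter lifetimes shrink the window a stolen cookie is useful
ABSOLUTE_LIMIT = timedelta(hours=8)


def client_fingerprint(user_agent: str, tls_fp: str) -> str:
    """Hash of the client attributes a session is bound to."""
    return hashlib.sha256(f"{user_agent}\x00{tls_fp}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str
    issued: datetime
    last_seen: datetime
    revoked: bool = False


class SessionStore:
    def __init__(self):
        self._sessions = {}  # keyed by sha256(token); raw cookie values are never stored

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, fingerprint: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(user, fingerprint, now, now)
        return token

    def validate(self, token: str, fingerprint: str, now: datetime) -> str:
        s = self._sessions.get(self._key(token))
        if s is None or s.revoked:
            return "reject:unknown-or-revoked"
        if now - s.issued > ABSOLUTE_LIMIT or now - s.last_seen > IDLE_LIMIT:
            s.revoked = True
            return "reject:expired"
        if not hmac.compare_digest(s.fingerprint, fingerprint):
            # A valid cookie from the wrong client context: treat as pass-the-cookie.
            # Revoking (not merely denying) also logs the real user out, which is the
            # point: their session material is known to be in someone else's hands.
            s.revoked = True
            return "reject:context-mismatch"
        s.last_seen = now
        return f"ok:{s.user}"


def demo():
    """Replay: victim logs in, attacker replays the stolen cookie, victim returns."""
    store = SessionStore()
    t0 = datetime(2025, 12, 2, 9, 0, 0)
    victim = client_fingerprint("Mozilla/5.0 (Windows NT 10.0) Chrome/131", "tls-fp-chrome-win")      # constructed
    attacker = client_fingerprint("Mozilla/5.0 (X11; Linux x86_64) Firefox/133", "tls-fp-ff-linux")  # constructed
    cookie = store.issue("j.doe", victim, t0)
    results = [
        store.validate(cookie, victim, t0 + timedelta(minutes=5)),    # normal browsing
        store.validate(cookie, attacker, t0 + timedelta(minutes=6)),  # stolen cookie replayed elsewhere
        store.validate(cookie, victim, t0 + timedelta(minutes=7)),    # victim is now logged out too
    ]
    stale = store.issue("a.roe", victim, t0)
    results.append(store.validate(stale, victim, t0 + timedelta(minutes=31)))  # idle timeout
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Binding to User-Agent and TLS fingerprint is a heuristic: a stealer log includes the victim's User-Agent, and an attacker who also matches the TLS stack will pass. The mismatch is still worth an alert to the SOC even where it is not enough to block. The stronger form of the same idea is a session credential tied to a key the device cannot export (Chrome's Device Bound Session Credentials, or an mTLS client certificate in a hardware-backed store), which turns a stolen cookie into something that cannot be replayed at all.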

Initial Access for Ransomware

Corporate VPN and remote access credentials are highly prized. These are sold to "initial access brokers" who resell them to ransomware gangs. The FBI's IC3 has documented numerous ransomware incidents traced back to infostealer-harvested credentials.

A single set of VPN credentials for a mid-size company might sell for $500-5,000. Credentials for larger enterprises or those in sensitive industries (healthcare, finance, government contractors) command premium prices.

Detection and Defense

Behavioral Indicators

Security teams should monitor for activity patterns consistent with infostealer operation:

  • Browser Database Access: Non-browser processes reading Login Data or Cookies SQLite files.
  • Cryptocurrency Wallet Directory Access: Unusual access to Electrum, Exodus, or MetaMask data directories.
  • Rapid File Enumeration: Processes scanning multiple application data directories in quick succession.
  • Unusual HTTP POST Activity: Large outbound data transfers to unfamiliar domains.
  • Registry Persistence: New Run key entries from untrusted executables.
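The indicators above are easy to state and easy to get wrong in practice: every browser legitimately reads its own Login Data, and a mail client legitimately posts multi-megabyte attachments. The following added example, written for this article rather than taken from Raccoon or from any detection product, replays a handful of constructed Sysmon-style events and applies three of the rules: a non-browser process reading one of the credential-store paths listed in the browser section (plus the Local State key file and two wallet directories), one process sweeping four or more distinct AppData applications within ten seconds, and a POST over 256 KB to a host absent from a baseline set, which is the network-side check the C2 section calls for. The image names, paths, hostnames and thresholds are constructed starting points, not tuned values.

```python
"""Infostealer behaviour detector over Sysmon-style events (added example).

Illustrative detection logic written for this article; not Raccoon code and
not a rule from any product. Image names, paths and hostnames in the sample
telemetry at the bottom are constructed, not captured.
"""
import fnmatch
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Only these images are expected to open their own credential stores.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}

# Glob templates for the artifact paths listed earlier. The leading "*" stands
# in for the AppData prefix, the inner "*" for a profile directory name.
CREDENTIAL_STORES = {
    "chromium-logins": [r"*\User Data\*\Login Data", r"*\Opera Stable\Login Data"],
    "chromium-cookies": [r"*\User Data\*\Cookies"],
    "chromium-masterkey": [r"*\User Data\Local State"],
    "firefox-logins": [r"*\Firefox\Profiles\*\logins.json", r"*\Firefox\Profiles\*\key4.db"],
    "wallet": [r"*\Electrum\wallets\*", r"*\Exodus\exodus.wallet\*"],
}

Alert = namedtuple("Alert", "rule image pid detail")


def classify(path):
    """Credential-store category for a file path, or None if it is not one."""
    p = path.lower()
    for kind, patterns in CREDENTIAL_STORES.items():
        if any(fnmatch.fnmatchcase(p, pat.lower()) for pat in patterns):
            return kind
    return None


def appdata_subdir(path):
    """'C:\\...\\AppData\\Roaming\\Electrum\\wallets\\x' -> 'electrum'."""
    parts = path.lower().split("\\")
    if "appdata" in parts and len(parts) > parts.index("appdata") + 2:
        return parts[parts.index("appdata") + 2]
    return None


def credential_access_alerts(events):
    # Rule 1: a non-browser process reads a browser credential store or wallet file.
    alerts = []
    for e in events:
        if e["type"] == "file_read" and e["image"].lower() not in BROWSERS:
            kind = classify(e["path"])
            if kind:
                alerts.append(Alert("credential-store-access", e["image"], e["pid"], f"{kind}: {e['path']}"))
    return alerts


def enumeration_alerts(events, window=timedelta(seconds=10), min_dirs=4):
    # Rule 2: one process reads under >= min_dirs distinct AppData applications within `window`.
    reads = defaultdict(list)
    for e in events:
        sub = appdata_subdir(e["path"]) if e["type"] == "file_read" else None
        if sub:
            reads[(e["image"], e["pid"])].append((e["ts"], sub))
    alerts = []
    for (image, pid), items in reads.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            seen = {sub for ts, sub in items[i:] if ts - start <= window}
            if len(seen) >= min_dirs:
                alerts.append(Alert("appdata-enumeration", image, pid, ", ".join(sorted(seen))))
                break  # one alert per process is enough
    return alerts


def exfil_alerts(events, baseline_hosts, min_bytes=256 * 1024):
    # Rule 3: a large POST to a host this environment has never contacted before.
    return [Alert("bulk-post-to-new-host", e["image"], e["pid"], f"{e['size']} bytes to {e['dest']}")
            for e in events
            if e["type"] == "http_post" and e["size"] >= min_bytes and e["dest"] not in baseline_hosts]


def detect(events, baseline_hosts):
    return credential_access_alerts(events) + enumeration_alerts(events) + exfil_alerts(events, baseline_hosts)


# Constructed sample telemetry: a benign browser read, a sweep by a dropped
# binary followed by its upload, then a legitimate large upload by Outlook.
T0 = datetime(2025, 12, 2, 9, 14, 0)
BASELINE_HOSTS = {"login.microsoftonline.com", "outlook.office365.com", "update.googleapis.com"}
AD = r"C:\Users\j.doe\AppData"


def _ev(offset_s, image, pid, etype, **fields):
    return {"ts": T0 + timedelta(seconds=offset_s), "image": image, "pid": pid, "type": etype, **fields}


SAMPLE_EVENTS = [
    _ev(0.0, "chrome.exe", 1200, "file_read", path=AD + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    _ev(5.0, "update_helper.exe", 4412, "file_read", path=AD + r"\Local\Google\Chrome\User Data\Local State"),
    _ev(5.2, "update_helper.exe", 4412, "file_read", path=AD + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    _ev(5.4, "update_helper.exe", 4412, "file_read", path=AD + r"\Local\Microsoft\Edge\User Data\Default\Network\Cookies"),
    _ev(5.9, "update_helper.exe", 4412, "file_read", path=AD + r"\Roaming\Mozilla\Firefox\Profiles\k2x9q1rt.default-release\key4.db"),
    _ev(6.3, "update_helper.exe", 4412, "file_read", path=AD + r"\Roaming\Electrum\wallets\default_wallet"),
    _ev(6.5, "update_helper.exe", 4412, "file_read", path=AD + r"\Roaming\Exodus\exodus.wallet\seed.seco"),
    _ev(9.0, "update_helper.exe", 4412, "http_post", dest="cdn-update-check.example", size=1_900_000),
    _ev(30.0, "outlook.exe", 2210, "http_post", dest="outlook.office365.com", size=3_200_000),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, BASELINE_HOSTS):
        print(f"[{a.rule}] {a.image} (pid {a.pid}): {a.detail}")
```

In a real pipeline the event list would come from the EDR's file-access telemetry (Sysmon alone only records file creation, not reads) and the baseline host set from a month of proxy logs. The enumeration rule is the one that survives a rewrite like v2: a new codebase changes hashes and strings, not the fact that it has to open the same dozen files in the same few seconds.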

Protection Recommendations

Following guidance from CISA's Shields Up and the NIST Cybersecurity Framework:

  1. Use a Dedicated Password Manager: Don't store passwords in browsers. A password manager with a strong master password provides better protection.
  2. Hardware Security Keys: FIDO2/WebAuthn authentication is phishing-resistant and cannot be replayed from a stolen password. It does not, however, protect a session that has already been issued: a stolen session cookie works until it expires or is revoked, so pair it with short session lifetimes and device-bound session controls.
  3. Endpoint Detection and Response (EDR): Modern EDR solutions can detect infostealer behavior patterns even for novel variants.
  4. Application Allowlisting: Prevent execution of unsigned or untrusted executables.
  5. Avoid Pirated Software: Cracked software is the most common Raccoon distribution vector. The "savings" aren't worth the risk.
  6. Regular Credential Rotation: Assume credentials may be compromised. Regular rotation limits the window of exploitation.
  7. Session Timeout Policies: Shorter session lifetimes reduce the value of stolen cookies.

Enterprise-Specific Controls

Organizations should implement additional measures:

  • Conditional Access: Require device compliance and known-good locations for sensitive resource access.
  • Browser Isolation: Isolate web browsing from credential stores and sensitive applications.
  • Sysmon and PowerShell Logging: Enable detailed logging for forensic investigation capability.
  • Dark Web Monitoring: Monitor credential marketplaces for employee credentials appearing in stealer logs.

Intelligence Value for Investigations

For investigators and intelligence analysts, Raccoon logs represent both a threat and an opportunity.

The threat: Criminals use harvested credentials to assume false identities, access victim infrastructure, and launder proceeds through compromised accounts.

The opportunity: Stealer logs create structured intelligence. When law enforcement seizes criminal infrastructure (as with the 2022 Raccoon takedown), the stolen data becomes an investigative asset.

A single Raccoon log can reveal:

  • Every account the victim controls (across email, social media, banking, crypto)
  • Password patterns and reuse habits
  • Hardware fingerprints linking devices to identities
  • IP addresses and geographic activity patterns
  • Cryptocurrency wallet addresses

The CovertLabs intelligence platform ingests and correlates stealer log data at scale. When investigating a target, we can surface connections revealed through infostealer compromises, including accounts and aliases the target may have forgotten existed.

In the criminal ecosystem, everyone leaves a trail. The operator selling stolen credentials today may appear as a victim in tomorrow's seized database. We track both directions.

Looking Forward: The Infostealer Threat in 2025

Raccoon Stealer's resilience offers lessons about the broader threat landscape:

  1. Takedowns Are Temporary: Arresting operators and seizing infrastructure slows, but doesn't stop, criminal operations. The business model survives.
  2. MaaS Lowers Barriers: When sophisticated malware is available for monthly rental, technical skill is no longer required for credential theft.
  3. Credentials Are Currency: Stolen logins fuel an entire criminal economy, from account takeover to ransomware.
  4. Defense Requires Depth: No single control stops infostealers. Effective defense requires layered controls across prevention, detection, and response.

Raccoon Stealer won't be the last infostealer. The economic incentives ensure that new malware families will emerge, each learning from its predecessors. The defenders must learn faster.
