In July 2025, cybersecurity researchers warned of Raven Stealer, a new information-stealing malware. Unlike earlier, more complex campaigns, Raven Stealer is simple but dangerous: it is publicly available on GitHub and controlled via Telegram. With its easy-to-use interface and highly automated workflow, the tool is raising concerns about a wave of malware-as-a-service (MaaS) offerings usable even by amateur attackers.


Raven Stealer was developed by the hacker group ZeroTrace Team, known in the underground community for several data-stealing tools such as Octalyn Stealer. The group runs its own Telegram channel, where it publishes instructions and openly promotes the malware.

Raven is an infostealer. It primarily targets Windows users, collecting data from Chrome, Edge and Brave, cryptocurrency wallets, saved passwords, cookies, payment information and even screenshots.


Notably, Raven does not need a dedicated command-and-control (C2) server. All stolen data is compressed and sent directly to Telegram through the attacker's bot.

Users can become infected when downloading free tools or software from GitHub or unofficial file-sharing sites. Raven builds can also be easily customized through a GUI, which makes distribution simpler.

How does Raven work?

  • Fully hidden: When running, Raven shows no interface, does not appear in the taskbar, and is difficult to notice during normal use.
  • Code injection into the browser: Raven launches a headless instance of Chrome, then injects its malicious code directly into that process's memory using the “process hollowing” technique.
  • Collecting and archiving data: Data is gathered in a hidden folder under AppData, compressed into a ZIP archive and sent via Telegram.
  • Evading detection: Files are encrypted with ChaCha20, signed with fake certificates, and packed with UPX to bypass basic antivirus software.

Raven is a testament to the “malware for everyone” trend. With a single Telegram account and a few clicks, anyone can run a large-scale data-stealing campaign without any technical expertise.

More dangerously, Raven runs entirely in RAM, which makes it difficult for many traditional security products to detect. With its ability to steal digital wallets, bank passwords and login credentials, Raven poses a direct threat to individuals, small businesses and large organizations alike.

Raven Stealer is a clear reminder of the risks of downloading software from unreliable sources. To protect yourself:

  • Only download software from official websites or trusted app stores.
  • Don’t click links from GitHub or Telegram if you can’t verify the source.
  • Always use up-to-date antivirus software with behavioral detection capabilities.
  • Change passwords periodically and enable two-factor authentication for important accounts.
  • Monitor for unusual network activity, such as connections to Telegram or automatic file compression and transfer.
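As an added illustration (not from the article or the Cyber Press report), the following Python script turns the behaviours listed under “How does Raven work?” and the monitoring advice above into three triage rules and runs them over constructed, Sysmon-like host telemetry. The event field names, the browser and Telegram-client allowlists, and the sample paths are assumptions.

```python
"""Triage rules for the Raven Stealer behaviours described above (assumed
Sysmon-like event schema, not Raven's own format):
  R1  a browser launched headless by a non-browser parent (the hollowing target)
  R2  a process other than a Telegram client talking to Telegram's Bot API
  R3  a ZIP archive written into a hidden folder under AppData
"""
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
TELEGRAM_CLIENTS = {"telegram.exe"}   # assumed allowlist of legitimate Telegram processes
BOT_API_HOST = "api.telegram.org"     # host the Telegram Bot API is served from

# Constructed sample telemetry: an infected "free tool" hollows a headless Chrome
# and exfiltrates via a bot, next to benign Chrome and Telegram Desktop activity.
EVENTS = [
    {"type": "process", "pid": 101, "ppid": 1, "image": r"C:\Users\u\Downloads\free_tool.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "free_tool.exe"},
    {"type": "process", "pid": 102, "ppid": 101, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Users\u\Downloads\free_tool.exe", "cmdline": "chrome.exe --headless"},
    {"type": "file", "pid": 101, "path": r"C:\Users\u\AppData\Local\rvn\loot.zip", "hidden_dir": True},
    {"type": "network", "pid": 102, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "api.telegram.org"},
    {"type": "process", "pid": 200, "ppid": 1, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "chrome.exe"},
    {"type": "network", "pid": 300, "image": r"C:\Users\u\AppData\Roaming\Telegram Desktop\Telegram.exe",
     "dest_host": "api.telegram.org"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (rule, pid, detail) findings; R1 hits are remembered so R2 can rank them higher."""
    findings, hollowed = [], set()
    for e in events:
        if e["type"] == "process":
            child, parent = basename(e["image"]), basename(e["parent_image"])
            if child in BROWSERS and "--headless" in e["cmdline"] and parent not in BROWSERS:
                hollowed.update({e["pid"], e["ppid"]})   # both the browser and its launcher
                findings.append(("R1", e["pid"], f"{child} started headless by {parent}"))
        elif e["type"] == "network" and e["dest_host"] == BOT_API_HOST:
            image = basename(e["image"])
            if image not in TELEGRAM_CLIENTS:
                tag = "hollowed browser" if e["pid"] in hollowed else "unexpected process"
                findings.append(("R2", e["pid"], f"{image} -> {BOT_API_HOST} ({tag})"))
        elif e["type"] == "file":
            p = e["path"].lower()
            if p.endswith(".zip") and "\\appdata\\" in p and e.get("hidden_dir"):
                findings.append(("R3", e["pid"], f"archive staged at {e['path']}"))
    return findings
```

Run over the sample events, the script reports the headless Chrome launched by the downloaded tool, the staged ZIP archive and the Bot API connection from the hollowed browser, while leaving the ordinary Chrome and Telegram Desktop activity alone.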

Raven’s arrival shows that malware is becoming more accessible and more dangerous, especially as it relies on popular platforms such as Telegram and GitHub. Users need to stay alert and think before every click so as not to become the next victim.

According to Cyber Press