Raccoon Stealer Abuses Telegram Infrastructure to Store C&C Addresses
By 2020, Raccoon Stealer had become one of the most affordable data theft tools on the market.
In 2025 and 2026, Raccoon Stealer remains a prevalent threat, leveraging social engineering and sophisticated distribution methods to infiltrate users' systems. Although it first surfaced in 2019, Raccoon Stealer has continued to evolve, enabling hackers to steal a wide range of sensitive data. It is also easily accessible to cybercriminals through a malware as a service (MaaS) model, increasing the risk it poses to users and organizations alike.
This analysis examines the evolution of Raccoon Stealer, how it operates, its use of Telegram infrastructure to store command and control (C2) addresses, and the distribution strategies that have kept it relevant in the malware landscape through 2026.
The Origin and Development of Raccoon Stealer
Raccoon Stealer first appeared on underground hacking forums in 2019 as a data theft malware as a service (MaaS) tool. It was quickly adopted because of its relatively low cost and ease of use, and its creators have consistently updated the malware, enhancing its capabilities to adapt to new security measures.
Its subscription model enabled widespread use, providing aspiring hackers with ready-to-use malicious software and support. This broad accessibility led to a rise in phishing attacks, malware-laced downloads, and social engineering tactics aimed at distributing Raccoon Stealer globally.
How Raccoon Stealer Abuses Telegram for Command and Control
One of the most technically notable aspects of Raccoon Stealer is its use of Telegram's public infrastructure to store and retrieve its command and control (C2) server addresses. Rather than hardcoding a C2 IP address into the malware, which would make it trivial for defenders to block after discovery, Raccoon Stealer operators publish the current C2 address in an encrypted format within a Telegram channel or bot.
When an infected device runs the malware, it queries the Telegram resource to retrieve the active C2 address, then connects to that server to transmit stolen data and receive instructions. This approach gives operators several advantages: Telegram's infrastructure is widely trusted and difficult to block, the C2 address can be updated quickly if defenders identify and blacklist it, and the communication blends in with legitimate Telegram traffic. This technique has been widely adopted by other infostealer families in 2025 and 2026.
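The lookup described above is also a detection opportunity for defenders: a process that is not a messaging client or browser, yet contacts Telegram and then immediately opens a connection to a raw IP address, matches the "dead drop resolver" pattern. The following Python is an added example written for this article, not code from the original page or from any vendor; it runs a simple two-step correlation over constructed proxy log lines (timestamp, host, process, destination). The log format, the Telegram domain list, the process allowlist and the 60-second window are all assumptions to be tuned for a real environment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry):
# "<ISO timestamp> <host> <process> <destination>:<port>"
SAMPLE_LOGS = """\
2026-04-10T09:00:01Z host-a chrome.exe t.me:443
2026-04-10T09:00:05Z host-a chrome.exe api.telegram.org:443
2026-04-10T09:15:10Z host-b updater.exe t.me:443
2026-04-10T09:15:12Z host-b updater.exe 203.0.113.45:80
2026-04-10T09:20:00Z host-c svchost.exe 198.51.100.7:443
2026-04-10T09:30:00Z host-d setup.exe t.me:443
2026-04-10T09:45:00Z host-d setup.exe 203.0.113.9:443
""".splitlines()

# Assumed Telegram-owned hostnames used as the dead drop.
TELEGRAM_DOMAINS = {"t.me", "telegram.me", "telegram.org", "api.telegram.org"}
# Assumed allowlist of processes that legitimately talk to Telegram; tune per environment.
EXPECTED_TELEGRAM_CLIENTS = {"telegram.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+?):(\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, dest, port = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "process": proc.lower(),
        "dest": dest.lower(),
        "port": int(port),
    }


def find_dead_drop_candidates(lines, window_seconds=60):
    """Return (host, process, telegram_dest, follow_on_dest) tuples where a
    non-allowlisted process contacted a Telegram domain and then, within the
    window, the same process on the same host connected to a raw IPv4 address."""
    events = [e for e in map(parse_line, lines) if e]
    # Group by host and process so the follow-on scan stays within one process timeline.
    events.sort(key=lambda e: (e["host"], e["process"], e["ts"]))
    hits = []
    for i, ev in enumerate(events):
        if ev["dest"] not in TELEGRAM_DOMAINS or ev["process"] in EXPECTED_TELEGRAM_CLIENTS:
            continue
        deadline = ev["ts"] + timedelta(seconds=window_seconds)
        for nxt in events[i + 1:]:
            if (nxt["host"] != ev["host"] or nxt["process"] != ev["process"]
                    or nxt["ts"] > deadline):
                break  # left this process's timeline or ran past the window
            if IPV4_RE.match(nxt["dest"]):
                hits.append((ev["host"], ev["process"],
                             f"{ev['dest']}:{ev['port']}", f"{nxt['dest']}:{nxt['port']}"))
                break
    return hits


if __name__ == "__main__":
    for hit in find_dead_drop_candidates(SAMPLE_LOGS):
        print("dead-drop candidate:", hit)
```

On the constructed sample, only host-b is flagged: host-a's Telegram traffic comes from an allowlisted browser, host-c never touches Telegram, and host-d's follow-on connection falls outside the 60-second window. Widening the window trades fewer misses for more noise, which is the usual tuning decision for this kind of sequence rule.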
What Does Raccoon Stealer Steal?
One of the primary reasons Raccoon Stealer is so attractive to cybercriminals is its ability to harvest an array of sensitive data. Here is what Raccoon Stealer targets:
1. Login Credentials
Raccoon Stealer captures usernames and passwords saved in browsers, including those stored in cookies and autofill forms. This stolen data is often used in credential stuffing attacks, enabling unauthorized access to accounts.
2. Crypto Wallet Data
Given the rise of cryptocurrency, Raccoon Stealer was designed to locate and extract crypto wallet files. This has made it a popular choice among attackers looking to steal valuable assets stored in digital wallets. In 2025 and 2026, cryptocurrency theft via infostealers has become a primary revenue source for organized cybercriminal groups.
3. Email Client Logins
By extracting credentials from email clients, Raccoon Stealer can provide cybercriminals access to sensitive communications, increasing the risk of further phishing attacks or impersonation.
4. Browser Plugin Data and Extensions
Raccoon Stealer does not stop at the browser's own saved data. It also targets data stored by browser plugins and extensions, including autofill data, allowing it to gather even more information about users' habits and accounts.
5. Command and Control (C2) Capabilities
Raccoon Stealer is configured to communicate with command and control (C2) servers, retrieving the active server address dynamically from Telegram. This connection enables remote attackers to execute commands, modify files, and perform actions directly on infected devices without hardcoding any server addresses.
This combination of data theft capabilities makes Raccoon Stealer a comprehensive tool for identity theft and unauthorized access to accounts and assets.
How Raccoon Stealer is Distributed
Raccoon Stealer has a variety of distribution methods, all designed to maximize reach and ensure its installation on as many devices as possible. Key distribution channels include:
1. Buer Loader and GCleaner
Cybercriminals have used loaders like Buer Loader and GCleaner to distribute Raccoon Stealer. Loaders are malware whose purpose is to deliver other malicious software. These loaders often exploit vulnerabilities in target systems to bypass security controls.
2. Fake Software and Gaming Cheats
Raccoon Stealer is frequently bundled with fake patches, cracks, and cheats for popular video games like Fortnite, Valorant, and NBA2K22. This tactic takes advantage of users looking to circumvent software restrictions or gain an edge in gaming, making them easy targets for malware disguised as legitimate downloads.
3. Malware Packers and Obfuscators
Malware packers and protectors like Themida are used to compress or encrypt the malware's code before distribution. This obfuscates the malware's presence, making it harder for antivirus programs to detect. Cybercriminals use packers to prolong the lifespan of the malware and improve its effectiveness in avoiding security defenses.
4. Bogus Applications and Social Engineering
Another common distribution tactic involves embedding Raccoon Stealer within fake or fraudulent applications. Social engineering plays a key role here, as attackers trick users into downloading these fake applications, believing them to be genuine tools or utilities.
The Impact of Raccoon Stealer on Security in 2026
Raccoon Stealer's wide availability and powerful capabilities make it a top concern for security teams. Employee security awareness training is essential to prevent social engineering attacks, and tools like phishing simulators are invaluable in preparing staff to recognize and avoid these types of threats.
Implementing layered security controls, such as multifactor authentication (MFA), continuous monitoring, and endpoint protection, can also limit the damage if Raccoon Stealer infiltrates a system. Organizations should also ensure that phishing emails carrying Raccoon Stealer payloads are identified and blocked before they reach employees, using Keepnet's Email Threat Simulator to verify that email gateways actually block these threats.
By staying informed about evolving malware trends like Raccoon Stealer, organizations can take proactive steps to minimize the likelihood of successful attacks and better protect their data.
Key Takeaways
Raccoon Stealer is MaaS malware first released in 2019 that continues to be used actively in 2025 and 2026.
The malware targets login credentials, crypto wallets, email client data, and browser extensions, among other information.
Raccoon Stealer abuses Telegram infrastructure to store and dynamically retrieve C2 server addresses, making it resilient against takedowns.
Raccoon Stealer's distribution methods include loaders and fake gaming cheats, and it relies on malware packers to avoid detection.
Preventing attacks requires comprehensive employee training, robust security measures, and layered defense strategies.
Editor's Note: This article was updated on April 10, 2026.