Raven Stealer Scavenges Chromium Data Via Telegram
Summary
A lightweight infostealer called Raven, written mainly in Delphi and C++, is being distributed on underground forums and via cracked software. It targets Chromium-based browsers (Chrome, Edge, Brave) and other applications to harvest credentials, cookies, autofill entries and browsing history. Raven uses in-memory techniques and a Telegram-based command-and-control/exfiltration mechanism: it decrypts browser data (using the AES key from Edge’s Local State), writes plain-text artefacts to disk, compresses them and sends the archive to an attacker-controlled Telegram bot. After exfiltration it reboots into Safe Mode with Networking and attempts to remove traces using a tool referenced as UltraAV.
Key Points
- Raven is a lightweight, commodity infostealer promoted on underground forums and Telegram channels.
- Primary targets are Chromium browser artefacts: saved passwords, session cookies, autofill and local storage.
- Exfiltration is performed via a Telegram bot API, which lets attackers bypass many conventional security filters because the traffic blends in with legitimate Telegram use.
- The stealer reads the browser AES key from Edge's Local State file to decrypt sensitive data before saving it in plain text and zipping the payload.
- Raven supports dynamic modules, a streamlined UI for operators, and in-memory execution to improve stealth.
- After sending data the malware reboots the system into Safe Mode and runs an AV-like cleaner to remove its traces.
- Mitigations include behavioural-based detection, monitoring Telegram traffic, user education, patching, updated real-time AV, and blocking cracked/pirated software in corporate environments.
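The behavioural chain described above (a non-browser process reading the Local State key file and the credential/cookie stores, then connecting to the Telegram API, then reconfiguring the machine to boot into Safe Mode) is what a behaviour-based detection has to correlate. The script below is an added example, not code from the original report or from any vendor: it runs a toy correlation over constructed, Sysmon-like JSON-lines telemetry. The field names, the ten-minute window, the browser allow-list and the `bcdedit ... safeboot` indicator are assumptions made for the example; the report only states that Raven reboots into Safe Mode with Networking.

```python
"""Toy behavioural correlation for a Raven-style browser-data theft chain.

Constructed telemetry (not captured from a real infection) in a
Sysmon-like JSON-lines shape. Field names and thresholds are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: pid 4242 is the suspicious chain, pid 1337 is
# Edge itself touching its own profile, pid 2001 is a legitimate Telegram client.
SAMPLE_EVENTS = r"""
{"ts": "2024-01-01T10:00:00", "pid": 4242, "image": "C:\\Users\\u\\Downloads\\keygen.exe", "event": "FileRead", "target": "C:\\Users\\u\\AppData\\Local\\Microsoft\\Edge\\User Data\\Local State"}
{"ts": "2024-01-01T10:00:01", "pid": 4242, "image": "C:\\Users\\u\\Downloads\\keygen.exe", "event": "FileRead", "target": "C:\\Users\\u\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data"}
{"ts": "2024-01-01T10:00:01", "pid": 4242, "image": "C:\\Users\\u\\Downloads\\keygen.exe", "event": "FileRead", "target": "C:\\Users\\u\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Network\\Cookies"}
{"ts": "2024-01-01T10:00:05", "pid": 4242, "image": "C:\\Users\\u\\Downloads\\keygen.exe", "event": "NetworkConnect", "target": "api.telegram.org:443"}
{"ts": "2024-01-01T10:00:09", "pid": 4242, "image": "C:\\Users\\u\\Downloads\\keygen.exe", "event": "ProcessCreate", "target": "bcdedit.exe /set {current} safeboot network"}
{"ts": "2024-01-01T10:02:00", "pid": 1337, "image": "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe", "event": "FileRead", "target": "C:\\Users\\u\\AppData\\Local\\Microsoft\\Edge\\User Data\\Local State"}
{"ts": "2024-01-01T10:02:01", "pid": 1337, "image": "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe", "event": "FileRead", "target": "C:\\Users\\u\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data"}
{"ts": "2024-01-01T10:03:00", "pid": 2001, "image": "C:\\Program Files\\Telegram Desktop\\Telegram.exe", "event": "NetworkConnect", "target": "api.telegram.org:443"}
"""

# Browsers legitimately read their own profile; excluding them cuts false positives.
BROWSER_IMAGES = {"msedge.exe", "chrome.exe", "brave.exe"}
KEY_FILE = "local state"                                   # holds the encrypted AES key
ARTEFACTS = ("login data", "cookies", "web data", "history")  # credential/cookie/autofill stores
WINDOW = timedelta(minutes=10)                             # assumed correlation window
REQUIRED = {"key_read", "artefact_read", "telegram"}


def parse_events(text):
    """Parse JSON lines into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def classify(ev):
    """Map one event to a behaviour label, or None if it is uninteresting."""
    target = ev["target"].lower()
    if ev["event"] == "FileRead" and "user data" in target:
        if target.endswith(KEY_FILE):
            return "key_read"
        if any(target.endswith(a) for a in ARTEFACTS):
            return "artefact_read"
    if ev["event"] == "NetworkConnect" and target.startswith("api.telegram.org"):
        return "telegram"
    if ev["event"] == "ProcessCreate" and "safeboot" in target:
        return "safeboot"
    return None


def correlate(events):
    """Group by process and raise alerts when the full chain appears in order."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pid[ev["pid"]].append(ev)

    alerts = []
    for pid, evs in by_pid.items():
        image = evs[0]["image"].rsplit("\\", 1)[-1].lower()
        if image in BROWSER_IMAGES:
            continue
        first_seen = {}  # label -> timestamp of first occurrence
        for ev in evs:
            label = classify(ev)
            if label and label not in first_seen:
                first_seen[label] = ev["ts"]
        if REQUIRED <= set(first_seen):
            delta = first_seen["telegram"] - first_seen["key_read"]
            if timedelta(0) <= delta <= WINDOW:   # key read must precede the upload
                alerts.append({"pid": pid, "image": image, "rule": "browser_theft_to_telegram"})
        if "safeboot" in first_seen:
            alerts.append({"pid": pid, "image": image, "rule": "safeboot_reconfig"})
    return alerts


def detect(text=SAMPLE_EVENTS):
    return correlate(parse_events(text))


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

Only the non-browser process that reads the key file and the credential stores and then talks to the Telegram API is flagged; Edge reading its own profile and a stand-alone Telegram client are ignored, which is the trade-off any such rule has to make. In production the same logic would be expressed in the EDR's query language, and the Telegram indicator would normally be a network-egress rule rather than a per-process match.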
Why should I read this?
Short version: this little beast turns your browser into an open door and then posts the loot on Telegram. If you or your users ever run cracked apps, reuse passwords or rely solely on signature AV, you should care — and act.
Author style
Punchy: the piece flags a clear and present risk packaged for low-skilled criminals. If you manage endpoints or security ops, treat this as an urgent heads-up — it’s a tidy example of advanced techniques being pushed into commodity tooling.