Raccoon Stealer has been upgraded by its developer in order to steal cryptocurrency alongside financial information. 

On Tuesday, Sophos released new research into the stealer-as-a-service, a bolt-on for threat actors to use as an additional tool for data theft and revenue. 

In a new campaign tracked by the team, the malware was spread not through spam emails, the usual initial attack vector linked to Raccoon Stealer, but through droppers disguised as installers for cracked and pirated software. 

Samples obtained by Sophos revealed that the stealer is being bundled with malware including malicious browser extensions, cryptocurrency miners, the Djvu/Stop consumer ransomware strain, and click-fraud bots targeting YouTube sessions. 

Raccoon Stealer is able to monitor for and collect account credentials, cookies, website “autofill” text, and financial information that may be stored on an infected machine.

However, the upgraded stealer also has a “clipper” for cryptocurrency-based theft. The QuilClipper tool targets wallets and their credentials in particular, as well as Steam-based transaction data.

“QuilClipper steals cryptocurrency and Steam transactions by continuously monitoring the system clipboard of Windows devices it infects, watching for cryptocurrency wallet addresses and Steam trade offers by running clipboard contents through a matrix of regular expressions to identify them,” the researchers noted. 
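Defenders can run the same kind of pattern matching over clipboard telemetry, since a clipper typically swaps a copied address for one the attacker controls. The Python below is an added example, not code from Sophos or the original article. The address patterns are a small public subset, and the event format and its `source` field are assumptions about what an endpoint agent records.

```python
import re

# Public address formats (assumption: a small illustrative subset, not
# the pattern set QuilClipper uses, which the article does not list).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(text):
    """Return the address type a clipboard string matches, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None

def find_swaps(events):
    """Flag clipboard changes that replace one address with a different
    address of the same type when the new content was not a user copy.

    events: list of (timestamp, source, text); source is "user" for a
    copy the user made, "unknown" for a change with no input event.
    """
    alerts = []
    previous = None  # (kind, text) of the last address seen
    for ts, source, text in events:
        kind = classify(text)
        if kind is None:
            previous = None
            continue
        value = text.strip()
        if (previous and source != "user"
                and previous[0] == kind and previous[1] != value):
            alerts.append({"time": ts, "type": kind,
                           "copied": previous[1], "replaced_by": value})
        previous = (kind, value)
    return alerts

# Constructed sample timeline; addresses are made-up strings that only
# satisfy the format checks.
SAMPLE_EVENTS = [
    (1, "user", "meeting notes"),
    (2, "user", "0x" + "ab" * 20),
    (3, "unknown", "0x" + "cd" * 20),
    (4, "user", "1" + "A" * 30),
    (5, "user", "bc1q" + "q" * 38),
]
```

On the constructed timeline, `find_swaps(SAMPLE_EVENTS)` flags only the change at timestamp 3, where an Ethereum-format address is replaced without a user copy.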

The stealer operates through a Tor-based command-and-control (C2) server to handle data exfiltration and victim management. Each Raccoon executable is tied to a signature specific to each client. 

“If a sample of their malware shows up on VirusTotal or other malware sites, they can trace it back to the customer who may have leaked it,” Sophos says. 

Raccoon is offered as a stealer-for-hire, with the developers behind the malware offering their creation to other cybercriminals for a fee. In return, the malware is frequently updated. 

Usually found on Russian underground forums, Raccoon has also been spotted on English-language forums for the last few years, for as little as $75 for a weekly subscription. According to the researchers, over a six-month period, the malware was used to steal at least $13,000 in cryptocurrency from its victims, and when bundled with miners, a further $2,900 was stolen. 

The developer earned roughly $1,200 in subscription fees, together with a cut of their users’ proceeds. 

“It’s these kinds of economics that make this type of cybercrime so attractive — and pernicious,” Sophos says. “Multiplied over tens or hundreds of individual Raccoon actors, it generates a livelihood for Raccoon’s developers and a host of other supporting malicious service providers that allows them to continue to improve and expand their criminal offerings.”
