CyberHappenings logo

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

Raven Stealer Exfiltrates Chromium Data via Telegram

First reported
Last updated
1 unique sources, 1 articles

Summary

Hide ▲

Raven Stealer, a new lightweight infostealer, targets Chromium-based browsers and other applications to steal credentials and sensitive data. It uses Telegram for exfiltration, evading conventional security filters. The malware is distributed via underground forums and cracked software, posing a threat to both personal and enterprise environments. It operates with minimal user interaction and maintains a high level of operational concealment. Raven Stealer harvests cookies, autofill entries, browsing history, and other data from Chromium-based browsers like Google Chrome and Microsoft Edge. It also steals credentials from other applications and performs real-time data exfiltration via integration with a Telegram bot. The malware is promoted via a dedicated Telegram channel, integrating the chat app for command-and-control operations.

Timeline

  1. 17.09.2025 15:06 1 articles · 12d ago

    Raven Stealer Exfiltrates Chromium Data via Telegram

    Raven Stealer, a new lightweight infostealer, targets Chromium-based browsers and other applications to steal credentials and sensitive data. It uses Telegram for exfiltration, evading conventional security filters. The malware is distributed via underground forums and cracked software, posing a threat to both personal and enterprise environments. It operates with minimal user interaction and maintains a high level of operational concealment. Raven Stealer harvests cookies, autofill entries, browsing history, and other data from Chromium-based browsers like Google Chrome and Microsoft Edge. It also steals credentials from other applications and performs real-time data exfiltration via integration with a Telegram bot. The malware is promoted via a dedicated Telegram channel, integrating the chat app for command-and-control operations.

    Show sources

Information Snippets

  • Raven Stealer is written primarily in Delphi and C++.

    First reported: 17.09.2025 15:06
    1 source, 1 article
    Show sources
  • The malware harvests cookies, autofill entries, browsing history, and other data from Chromium-based browsers.

    First reported: 17.09.2025 15:06
    1 source, 1 article
    Show sources
  • Raven Stealer steals credentials from various applications and performs real-time data exfiltration via Telegram.

    First reported: 17.09.2025 15:06
    1 source, 1 article
    Show sources
  • The malware is distributed via underground forums and cracked software.

    First reported: 17.09.2025 15:06
    1 source, 1 article
    Show sources
  • Raven Stealer uses Telegram for exfiltration, bypassing many conventional security filters.

    First reported: 17.09.2025 15:06
    1 source, 1 article
    Show sources
  • The malware is promoted via a dedicated Telegram channel for command-and-control operations.

    First reported: 17.09.2025 15:06
    1 source, 1 article
    Show sources
  • Raven Stealer consolidates stolen credentials and system information into a well-defined folder hierarchy.

    First reported: 17.09.2025 15:06
    1 source, 1 article
    Show sources
  • The malware uses AES encryption key stored in the Edge browser’s Local State file to decrypt sensitive browser data.

    First reported: 17.09.2025 15:06
    1 source, 1 article
    Show sources
  • Raven Stealer reboots into Safe Mode with Networking and uses UltraAV antivirus to delete malicious files.

    First reported: 17.09.2025 15:06
    1 source, 1 article
    Show sources

Similar Happenings

XCSSET macOS Malware Targets Xcode Developers with Enhanced Features

A new variant of the XCSSET macOS malware has been detected, targeting Xcode developers with enhanced features. This variant includes improved browser targeting, clipboard hijacking, and persistence mechanisms. The malware spreads by infecting Xcode projects, stealing cryptocurrency, and browser data from infected devices. The malware uses run-only compiled AppleScripts for stealthy execution and employs sophisticated encryption and obfuscation techniques. It incorporates new modules for data exfiltration, persistence, and clipboard monitoring. The malware has been observed in limited attacks, with Microsoft sharing findings with Apple and GitHub to mitigate the threat. Developers are advised to keep macOS and apps up to date and inspect Xcode projects before building them.

Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations

The UNC5221 activity cluster, attributed to suspected Chinese hackers, has been using the BRICKSTORM malware in long-term espionage operations against U.S. organizations in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It has been used to steal data from various sectors, including SaaS providers and BPOs. The attackers exploit vulnerabilities in edge devices and use anti-forensics techniques to avoid detection. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials, and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. The BRICKSTORM backdoor is under active development, with a variant featuring a delay timer for C2 communication. The attackers have exploited Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) for initial access. The attackers have used a custom dropper to install a malicious Java Servlet filter (BRICKSTEAL) in memory, avoiding detection. The attackers have modified init.d, rc.local, or systemd files to ensure persistence on appliances. The attackers have targeted Windows environments in Europe since at least November 2022. The attackers have been linked to other related Chinese threat actors besides UNC5221. The campaign has been monitored by Mandiant since March 2025. The attackers have targeted downstream customers of compromised SaaS providers. The attackers are believed to be analyzing stolen source code to identify zero-day vulnerabilities in enterprise technologies. The attackers use a delay timer to lie dormant on infected systems until a hard-coded date. The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic. Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed prior to pivoting to these systems. The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications. The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP. The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth. The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks. The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces. The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline. The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials. The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval.

Malicious npm package 'fezbox' uses QR codes to deliver cookie-stealing malware

A malicious npm package named 'fezbox' was discovered using QR codes to fetch and execute cookie-stealing malware. The package, disguised as a utility library, was downloaded at least 327 times before being removed from the npm registry. The malware targets user credentials and employs steganographic techniques to evade detection. The package was found to fetch a JPG image containing a QR code, which then executes a second-stage payload. The QR code is designed to be unusually dense and difficult to read with standard phone cameras, making it harder to detect. The package was published by a Chinese-speaking attacker using the alias 'janedu' and included multiple layers of obfuscation to evade detection. The malware specifically targets cookies to steal usernames and passwords, sending the stolen information via an HTTPS POST request to a command-and-control server. The package was removed and flagged as malware posing a supply-chain risk. The attacker's activity status on the npm registry remains unclear. The package's ReadMe mentioned a QR Code Module, making its existence seem legitimate. The package used reversed strings as an anti-analysis technique. The payload could read a web cookie and extract the username and password if both were present.

ShadowLeak: Undetectable Email Theft via AI Agents

A new attack vector, dubbed ShadowLeak, allows hackers to invisibly steal emails from users who integrate AI agents like ChatGPT with their email inboxes. The attack exploits the lack of visibility into AI processing on cloud infrastructure, making it undetectable to the user. The vulnerability was discovered by Radware and reported to OpenAI, which addressed it in August 2025. The attack involves embedding malicious code in emails, which the AI agent processes and acts upon without user awareness. The attack leverages an indirect prompt injection hidden in email HTML, using techniques like tiny fonts, white-on-white text, and layout tricks to remain undetected by the user. The attack can be extended to any connector that ChatGPT supports, including Box, Dropbox, GitHub, Google Drive, HubSpot, Microsoft Outlook, Notion, or SharePoint. The ShadowLeak attack targets users who connect AI agents to their email inboxes, such as those using ChatGPT with Gmail. The attack is non-detectable and leaves no trace on the user's network. The exploit involves embedding malicious code in emails, which the AI agent processes and acts upon, exfiltrating sensitive data to an attacker-controlled server. OpenAI acknowledged and fixed the issue in August 2025, but the exact details of the fix remain unclear. The exfiltration in ShadowLeak occurs directly within OpenAI's cloud environment, bypassing traditional security controls.

GPUGate Malware Campaign Targets IT Firms in Western Europe

A sophisticated malware campaign, codenamed GPUGate, targets IT and software development companies in Western Europe, with recent expansions to macOS users. The campaign leverages Google Ads, SEO poisoning, and fake GitHub commits to deliver malware, including the Atomic macOS Stealer (AMOS). The attack began in December 2024 and uses a 128 MB Microsoft Software Installer (MSI) to evade detection. The malware employs GPU-gated decryption and various techniques to avoid analysis and detection. The end goal is information theft and delivery of secondary payloads. The threat actors have native Russian language proficiency and use a cross-platform approach. The campaign has expanded to target macOS users through fake GitHub repositories. These repositories impersonate popular tools and use SEO poisoning to distribute the Atomic Stealer malware. The threat actors use multiple GitHub usernames to evade takedowns and deploy malware via Terminal commands. Similar tactics have been observed in previous campaigns using malicious Google Ads and public GitHub repositories. The AMOS malware now includes a backdoor component for persistent, stealthy access to compromised systems. The campaign impersonates over 100 software solutions, including 1Password, Dropbox, Confluence, Robinhood, Fidelity, Notion, Gemini, Audacity, Adobe After Effects, Thunderbird, and SentinelOne. The fake GitHub pages were created on September 16, 2025, and were immediately submitted for takedown. The campaign has been active since at least April 2023, with previous similar campaigns observed in July 2025.