S1148: Raccoon Stealer
Raccoon Stealer is an information stealer malware family active since at least 2019 as a malware-as-a-service offering sold in underground forums. Raccoon Stealer has experienced two periods of activity across two variants, from 2019 to March 2022, then resurfacing in a revised version in June 2022.[1][2]
Analyst context for executives and security teams
Raccoon Stealer is a Windows information-stealing malware family described by ATT&CK as a malware-as-a-service offering seen in two activity periods beginning in 2019 and resurfacing in a revised version in June 2022. For leaders, the practical issue is not just malware cleanup: an information stealer can turn an endpoint incident into an identity, fraud, data exposure, and incident-response prioritization problem.
Executive priority
Treat this as a validation point for endpoint and identity resilience on Windows systems. Security leaders should ask whether the organization can quickly identify infected hosts, determine what sensitive information may have been exposed, rotate affected credentials, preserve evidence, and show auditors that malware prevention, monitoring, and response processes are operating. Because ATT&CK provides no specific detection or relationship context here, priority should be based on local exposure: Windows estate size, credential storage practices, endpoint telemetry coverage, and incident response readiness.
Technical view
SOC and IR teams should validate coverage for Windows malware execution and post-compromise investigation rather than relying on a technique-specific ATT&CK detection note, because none is supplied. Confirm whether endpoint telemetry can reconstruct process execution, file activity, any persistence indicators present locally, and outbound network behavior. Since the object is categorized as information-stealing malware, response procedures should include scoping for potentially exposed credentials or sensitive local data, but exact collection targets and behaviors must be confirmed from local evidence or trusted malware intelligence.
Likely telemetry
- Windows endpoint detection and response events for process execution and suspicious file activity
- Malware prevention or antivirus alerts tied to Windows hosts
- Network connection, proxy, DNS, or firewall logs showing unusual outbound activity from affected endpoints
- Host forensic artifacts needed to determine execution time, affected user, files touched, and scope
- Identity and access logs used after containment to look for suspicious use of potentially exposed credentials
Detection direction
- Validate that Windows endpoint logging is retained long enough to support malware scoping and timeline reconstruction.
- Tune detections around suspicious executable launch patterns, unexpected user-space malware activity, and endpoint security alerts, while accounting for false positives from legitimate software installers or administrative tools.
- Correlate endpoint alerts with outbound network telemetry; do not assume network-only visibility will identify information-stealing malware.
- Because ATT&CK supplies no detection text, test coverage using approved internal simulations or historical malware alert data rather than claiming coverage from ATT&CK mapping alone.
- Include identity follow-up in triage: an information-stealer alert should trigger checks for unusual authentication activity associated with the affected user or host.
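As an added illustration of the correlation and identity follow-up items above (example code written for this page, not ATT&CK's or Glexia's), the Python below pairs constructed endpoint alerts with outbound HTTP POST records from the same host inside a short window, then lists post-alert sign-ins from previously unseen devices for the affected user. Every host name, user, destination, timestamp and field name is a constructed assumption; real EDR, proxy and identity-provider schemas will differ.

```python
"""Correlate endpoint alerts with outbound HTTP telemetry and queue identity follow-up.

Added example, not code from ATT&CK or the Glexia page. Every record below is
constructed; hosts, users, destinations and field names are assumptions standing
in for whatever the local EDR, proxy and identity provider actually emit.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed EDR / antivirus events from two Windows hosts.
ENDPOINT_ALERTS = [
    {"ts": "2024-06-03T09:12:04", "host": "WS-0412", "user": "jdoe",
     "event": "av_detection", "detail": "Trojan:Win32/InfoStealer (quarantine failed)"},
    {"ts": "2024-06-03T09:12:30", "host": "WS-0412", "user": "jdoe",
     "event": "file_write", "detail": r"C:\Users\jdoe\AppData\Local\Temp\System info.txt"},
    {"ts": "2024-06-03T11:40:00", "host": "WS-0777", "user": "asmith",
     "event": "av_detection", "detail": "PUA:Win32/InstallBundle (cleaned)"},
]

# Constructed proxy records: one large POST from WS-0412 right after its alert.
PROXY_LOG = [
    {"ts": "2024-06-03T09:12:40", "host": "WS-0412", "method": "POST",
     "dest": "203.0.113.45", "bytes_out": 184320},
    {"ts": "2024-06-03T09:13:02", "host": "WS-0412", "method": "GET",
     "dest": "203.0.113.45", "bytes_out": 512},
    {"ts": "2024-06-03T11:41:00", "host": "WS-0777", "method": "GET",
     "dest": "updates.example.com", "bytes_out": 300},
]

# Constructed identity-provider sign-in events for the affected user.
AUTH_LOG = [
    {"ts": "2024-06-03T08:00:00", "user": "jdoe", "src_ip": "10.0.5.21",
     "result": "success", "new_device": False},
    {"ts": "2024-06-03T13:05:00", "user": "jdoe", "src_ip": "198.51.100.7",
     "result": "success", "new_device": True},
]


def _ts(s):
    return datetime.fromisoformat(s)


def correlate_by_host(alerts, proxy_log, window=timedelta(minutes=10)):
    """Group alerts per host and attach outbound POSTs seen within `window` after the
    first alert on that host. Severity becomes 'high' only when endpoint and network
    telemetry agree; an endpoint alert with no outbound POST stays 'medium' so a
    cleaned installer detection is reviewed rather than escalated automatically."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    findings = {}
    for host, host_alerts in by_host.items():
        first = min(_ts(a["ts"]) for a in host_alerts)
        posts = [p for p in proxy_log
                 if p["host"] == host and p["method"] == "POST"
                 and first <= _ts(p["ts"]) <= first + window]
        findings[host] = {
            "users": sorted({a["user"] for a in host_alerts}),
            "alerts": [a["event"] for a in host_alerts],
            "first_alert": first.isoformat(),
            "posts": posts,
            "bytes_out": sum(p["bytes_out"] for p in posts),
            "severity": "high" if posts else "medium",
        }
    return findings


def identity_followup(finding, auth_log, window=timedelta(hours=24)):
    """Successful sign-ins for the affected users, after the first alert, from a device
    the identity provider had not seen before. These are the checks triage should queue
    when an information-stealer alert fires; they are leads, not proof of misuse."""
    start = _ts(finding["first_alert"])
    return [e for e in auth_log
            if e["user"] in finding["users"] and e["result"] == "success"
            and e["new_device"] and start <= _ts(e["ts"]) <= start + window]


if __name__ == "__main__":
    for host, f in correlate_by_host(ENDPOINT_ALERTS, PROXY_LOG).items():
        print(host, f["severity"], f["bytes_out"], "bytes POSTed;",
              len(identity_followup(f, AUTH_LOG)), "sign-in(s) to review")
```

The window and the "new device" flag are the two knobs a team would tune: a wider window catches slower exfiltration but pulls in more benign POST traffic, and the identity check should be extended to whatever unusual-sign-in signals the local provider exposes (impossible travel, new country, MFA method changes).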
Mitigation priorities
- Prioritize Windows endpoint protection, timely patching, and application control or software restriction where operationally feasible.
- Reduce the value of stolen information through MFA, least privilege, credential hygiene, and limits on local storage of sensitive secrets.
- Ensure incident response playbooks include host isolation, evidence preservation, credential reset decisions, and user impact assessment.
- Use email, web, and download controls as preventive layers where they are already part of the environment, without treating any single control as sufficient.
- Maintain executive-ready evidence of coverage: protected Windows asset inventory, alert handling records, containment timelines, and credential remediation actions.
Analyst notes and limits
The supplied ATT&CK object identifies Raccoon Stealer as Windows malware and an information stealer offered as malware-as-a-service, with activity periods described in the official description. No ATT&CK tactics, aliases, external references, detection guidance, or relationships were supplied in the provided object context, so this take focuses on defensive decision value and validation areas rather than specific procedures or indicators.
This summary does not assert current activity, specific intrusion techniques, command-and-control behavior, data targets, attribution, or guaranteed detection coverage because those details were not supplied in the official fields or relationships provided. Local telemetry, malware intelligence, and incident evidence are required to determine actual exposure and response scope.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1033 | System Owner/User Discovery | Raccoon Stealer gathers information on the infected system owner and user. (S2W Racoon 2022; Sekoia Raccoon1 2022; Sekoia Raccoon2 2022) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Raccoon Stealer uses HTTP, and particularly HTTP POST requests, for command and control actions. (S2W Racoon 2022; Sekoia Raccoon1 2022; Sekoia Raccoon2 2022) |
| Enterprise | T1005 | Data from Local System | Raccoon Stealer collects data from victim machines based on configuration information received from command and control nodes. (S2W Racoon 2022; Sekoia Raccoon2 2022) |
| Enterprise | T1124 | System Time Discovery | Raccoon Stealer gathers victim machine timezone information. (S2W Racoon 2022; Sekoia Raccoon2 2022) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Raccoon Stealer uses RC4 encryption for strings and command and control addresses to evade static detection. (S2W Racoon 2022; Sekoia Raccoon1 2022; Sekoia Raccoon2 2022) |
| Enterprise | T1105 | Ingress Tool Transfer | Raccoon Stealer downloads various library files enabling interaction with various data stores and structures to facilitate follow-on information theft. (S2W Racoon 2022; Sekoia Raccoon2 2022) |
| Enterprise | T1020 | Automated Exfiltration | Raccoon Stealer will automatically collect and exfiltrate data identified in received configuration files from command and control nodes. (S2W Racoon 2022; Sekoia Raccoon1 2022; Sekoia Raccoon2 2022) |
| Enterprise | T1213 | Data from Information Repositories | Raccoon Stealer gathers information from repositories associated with cryptocurrency wallets and the Telegram messaging service. (Sekoia Raccoon2 2022) |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | Raccoon Stealer collects passwords, cookies, and autocomplete information from various popular web browsers. (Sekoia Raccoon2 2022) |
| Enterprise | T1560 | Archive Collected Data | Raccoon Stealer archives collected system information in a text file, `System info.txt`, prior to exfiltration. (Sekoia Raccoon2 2022) |
| Enterprise | T1027.007 | Dynamic API Resolution Sub-technique | Raccoon Stealer dynamically links key WinApi functions during execution. (Sekoia Raccoon1 2022; Sekoia Raccoon2 2022) |
| Enterprise | T1195 | Supply Chain Compromise | Raccoon Stealer has been distributed through cracked software downloads. (S2W Racoon 2022) |
| Enterprise | T1614 | System Location Discovery | Raccoon Stealer collects the `Locale Name` of the infected device via `GetUserDefaultLocaleName` to determine whether the string `ru` is included, but in analyzed samples no action is taken if present. (S2W Racoon 2022) |
| Enterprise | T1119 | Automated Collection | Raccoon Stealer collects files and directories from victim systems based on configuration data downloaded from command and control servers. (S2W Racoon 2022; Sekoia Raccoon1 2022; Sekoia Raccoon2 2022) |
| Enterprise | T1113 | Screen Capture | Raccoon Stealer can capture screenshots from victim systems. (S2W Racoon 2022; Sekoia Raccoon2 2022) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Raccoon Stealer uses existing HTTP-based command and control channels for exfiltration. (S2W Racoon 2022; Sekoia Raccoon1 2022; Sekoia Raccoon2 2022) |
| Enterprise | T1070.004 | File Deletion Sub-technique | Raccoon Stealer can remove files related to use and installation. (Sekoia Raccoon1 2022) |
| Enterprise | T1012 | Query Registry | Raccoon Stealer queries the Windows Registry to fingerprint the infected host via the `HKLM:\SOFTWARE\Microsoft\Cryptography\MachineGuid` key. (Sekoia Raccoon1 2022; Sekoia Raccoon2 2022) |
| Enterprise | T1518 | Software Discovery | Raccoon Stealer is capable of identifying running software on victim machines. (Sekoia Raccoon1 2022; Sekoia Raccoon2 2022) |
| Enterprise | T1087.001 | Local Account Sub-technique | Raccoon Stealer checks the privileges of running processes to determine if the running user is equivalent to `NT Authority\System`. (Sekoia Raccoon2 2022) |
| Enterprise | T1539 | Steal Web Session Cookie | Raccoon Stealer attempts to steal cookies and related information in browser history. (Sekoia Raccoon2 2022) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Raccoon Stealer uses RC4-encrypted, base64-encoded strings to obfuscate functionality and command and control servers. (S2W Racoon 2022; Sekoia Raccoon1 2022) |
| Enterprise | T1082 | System Information Discovery | Raccoon Stealer gathers information on infected systems such as operating system, processor information, RAM, and display information. (S2W Racoon 2022; Sekoia Raccoon2 2022) |
| Enterprise | T1083 | File and Directory Discovery | Raccoon Stealer identifies target files and directories for collection based on a configuration file. (S2W Racoon 2022; Sekoia Raccoon2 2022) |
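The T1027.013 and T1140 rows state that strings and command and control addresses are RC4-encrypted and base64-encoded. As an added analyst-triage example (not code from ATT&CK, Glexia or the cited reports), the Python below implements textbook RC4, applies the base64-then-RC4 decode order, and adds a printable-ASCII plausibility check so that output produced with a wrong key is rejected instead of being mistaken for a recovered string. The key and the demo strings are constructed placeholders; a real key has to be recovered from the sample under analysis.

```python
"""Decode RC4-encrypted, base64-encoded strings during sample triage.

Added example for analysts, not code from ATT&CK, Glexia or the cited reports.
DEMO_KEY and DEMO_STRINGS are constructed placeholders; a real key must be
recovered from the sample being analysed.
"""
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_bytes(encoded: str, key: bytes) -> bytes:
    """Reverse the layering the table describes: base64 first, then RC4."""
    return rc4(key, base64.b64decode(encoded))


def printable_ascii(data: bytes) -> bool:
    """Cheap plausibility check: a correctly keyed string decodes to printable ASCII,
    while a wrong key yields bytes spread across the whole 0-255 range."""
    return len(data) > 0 and all(0x20 <= b <= 0x7E for b in data)


def decode_string(encoded: str, key: bytes):
    """Return the decoded text, or None when the output does not look like text
    (typically a wrong key, or a blob that was never a string)."""
    raw = decode_bytes(encoded, key)
    return raw.decode("ascii") if printable_ascii(raw) else None


def encode_string(plain: str, key: bytes) -> str:
    """Inverse of decode_string; used here only to build the constructed demo data."""
    return base64.b64encode(rc4(key, plain.encode("ascii"))).decode("ascii")


# Constructed key and strings (placeholders, not values from any real sample).
DEMO_KEY = b"demo-key-placeholder"
DEMO_STRINGS = ["http://c2.invalid/gate", "System info.txt", "MachineGuid"]


def demo_table():
    """(encoded, decoded) pairs showing that decoding with the right key recovers each string."""
    rows = []
    for s in DEMO_STRINGS:
        enc = encode_string(s, DEMO_KEY)
        rows.append((enc, decode_string(enc, DEMO_KEY)))
    return rows


if __name__ == "__main__":
    for enc, dec in demo_table():
        print(f"{enc} -> {dec}")
    print("wrong key ->", decode_string(demo_table()[0][0], b"wrong-key"))
```

Because RC4 is symmetric, the same routine builds the constructed test data. When decoding a batch of strings extracted from a sample, the plausibility check is what separates a correctly recovered key from a guess: with the right key most outputs will be readable, with the wrong key almost none will be.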
Groups, software, and campaigns
G1015: Scattered Spider
Scattered Spider is a native English-speaking cybercriminal group active since at least 2022. [1] [2] The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. [2] Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain. [3] [4] [5] Scattered Spider has expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365. [6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 3213619188d3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] S2W Racoon 2022: S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024.
- [2] Sekoia Raccoon1 2022: Quentin Bourgue, Pierre le Bourhis, & Sekoia TDR. (2022, June 28). Raccoon Stealer v2 - Part 1: The return of the dead. Retrieved August 1, 2024.
- [3] mitre-attack S1148
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.