Point Wild’s Lat61 Threat Intelligence Team, led by Onkar R. Sonawane, has uncovered a new piece of malware dubbed Raven Stealer. Appearing simple at first glance, the threat is being distributed on underground forums and bundled with pirated software, allowing it to reach victims who download illicit or unvetted applications.

Built in Delphi and C++, Raven Stealer is engineered to be small and fast. Rather than dropping large files to disk, it relies on in-memory techniques to remain hidden while its payload executes. This design helps it evade many traditional antivirus scanners and makes detection considerably harder for defenders.

The payload focuses on harvesting data from mainstream web browsers such as Chrome and Edge — stealing saved passwords, cookies, payment details and other stored information. Stolen data and screenshots are packaged into an archive and sent to the attacker using a Telegram bot; in tests the Telegram transmission failed because of a bot token issue, but the capability to exfiltrate in real time remains a significant risk.

To protect against threats like Raven Stealer, keep antivirus and endpoint protection up to date, enable real-time scanning, and avoid downloading pirated or untrusted software. As Dr. Zulfikar Ramzan, CTO of Point Wild, notes: “Raven Stealer shows how commodity malware is evolving — stealing credentials, cookies, and payment data while hiding its tracks through in-memory execution and Telegram exfiltration,” a clear reminder that advanced techniques are increasingly packaged for use by low-skilled actors.
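One way to hunt for the Telegram bot exfiltration channel described above, added here as an example and not taken from Point Wild's analysis: it scans network telemetry for Telegram Bot API requests made by processes that are not expected to use it. The JSON field names, process names, allowlist entry and sample events are constructed assumptions, and the events are assumed to come from a TLS-inspecting proxy or EDR sensor that records full URLs.

```python
import json
import re

# Telegram Bot API requests have the form https://api.telegram.org/bot<token>/<method>
BOT_URL = re.compile(r"^https://api\.telegram\.org/bot(?P<token>[^/]+)/(?P<method>\w+)", re.I)
# Bot API methods that upload content (archives, screenshots) rather than plain text
UPLOAD_METHODS = {"senddocument", "sendphoto", "sendmediagroup"}
# Assumption: a hypothetical in-house notifier that legitimately uses the Bot API
ALLOWED_PROCESSES = {"alertbot.exe"}

# Constructed sample events (not from the article), one JSON object per line
SAMPLE_LOG = """\
{"host":"wks-01","process":"chrome.exe","url":"https://web.telegram.org/k/","bytes_out":812}
{"host":"wks-02","process":"setup_crack.exe","url":"https://api.telegram.org/bot0000000000:EXAMPLE-TOKEN/sendDocument","bytes_out":483211}
{"host":"wks-03","process":"AlertBot.exe","url":"https://api.telegram.org/bot1111111111:EXAMPLE-TOKEN/sendMessage","bytes_out":120}
{"host":"wks-04","process":"svc_helper.exe","url":"https://api.telegram.org/bot2222222222:EXAMPLE-TOKEN/sendMessage","bytes_out":240}
not-json garbage line
"""

def find_bot_api_egress(log_text):
    """Return one finding per Bot API request from a non-allowlisted process."""
    findings = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate malformed or truncated log lines
        if not isinstance(event, dict):
            continue
        match = BOT_URL.match(str(event.get("url") or ""))
        if not match:
            continue  # not a Bot API call (e.g. the Telegram web client)
        process = str(event.get("process") or "").lower()
        if process in ALLOWED_PROCESSES:
            continue
        method = match.group("method").lower()
        findings.append({
            "host": event.get("host"),
            "process": process,
            "method": method,
            # File uploads match the archive-and-screenshot behaviour; rank them higher
            "severity": "high" if method in UPLOAD_METHODS else "medium",
            # Keep only the numeric bot id so the token secret never lands in alerts
            "bot_id": match.group("token").split(":", 1)[0],
            "bytes_out": event.get("bytes_out", 0),
        })
    return findings

if __name__ == "__main__":
    for finding in find_bot_api_egress(SAMPLE_LOG):
        print(finding)
```

Without TLS inspection only the hostname is visible, so the same allowlist check would have to key on connections to api.telegram.org alone.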
