What Is Raccoon Stealer
Short answer
Raccoon Stealer (v2) has re-emerged after a law enforcement takedown of its original version. Known for its low cost and simplicity, Raccoon is popular among less technically skilled attackers. It is sold as malware-as-a-service (MaaS) and is widely available on dark web forums.
History and re-emergence
The original Raccoon Stealer was disrupted in 2022 when its lead developer was arrested. However, version 2 was rebuilt from scratch and re-launched, incorporating improvements in data collection and evasion. Raccoon v2 quickly regained market share due to its low price point and easy operation.
What Raccoon steals
Raccoon v2 targets browser credentials, cookies, cryptocurrency wallets, and system information. While less sophisticated than Lumma or RedLine, its low barrier to entry means it generates a high volume of infections across a broad range of targets.
Why Raccoon matters
Raccoon's low cost means it is deployed by a large number of operators, generating significant volumes of logs. Its broad, indiscriminate targeting means that any organization, regardless of size or sector, can appear in Raccoon-generated logs on criminal marketplaces.
How Passguard detects Raccoon
Passguard monitors the criminal marketplaces and Telegram channels where Raccoon logs are traded. When infected devices containing access to your organization's systems are listed for sale, Passguard alerts your security team with the details needed to act: device information, malware type, compromised sessions, and infection timeline.
