HOMETHREATSAgent Racoon
MALWARE FAMILY

Agent Racoon

Internal ID: win.agent_racoon
1
aliases
Last seen:Mar 17, 2026

Intelligence Profile

Agent Racoon is a .NET-based backdoor malware that leverages DNS for covert C2 communication, employing randomized subdomains and Punycode encoding to evade detection. It features encrypted communication using a unique key per sample, supports remote command execution, and facilitates file transfers. Despite lacking an inherent persistence mechanism, it relies on external methods like scheduled tasks for execution. The malware, active since at least 2020, has targeted organizations in the U.S., Middle East, and Africa, including non-profits and government sectors. It disguises itself as legitimate binaries such as Google Update and MS OneDrive Updater, using obfuscation techniques like Base64 encoding and timestamp modifications to avoid detection​.

Threat Analysis

Agent Racoon is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.

External References

Quick Facts

TypeMalware Family
Aliases1

Also Known As

win.agent_racoon

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.