ETDA, Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

Other threat group: CoralRaider

Names: CoralRaider (Talos)
Country: Vietnam
Motivation: Financial gain
First seen: 2023
Description: (Talos) Cisco Talos discovered a new threat actor we’re calling “CoralRaider” that we believe is of Vietnamese origin and financially motivated. CoralRaider has been operating since at least 2023, targeting victims in several Asian and Southeast Asian countries.

This group focuses on stealing victims’ credentials, financial data, and social media accounts, including business and advertisement accounts.

They use RotBot, a customized variant of QuasarRAT, and XClient stealer as payloads in the campaign we analyzed.

The actor uses the dead drop technique, abusing a legitimate service to host the C2 configuration file, and uncommon living-off-the-land binaries (LoLBins), including Windows Forfiles.exe and FoDHelper.exe.
Observed: Countries: Bangladesh, China, Ecuador, Egypt, Germany, India, Indonesia, Japan, Nigeria, Norway, Pakistan, Philippines, Poland, South Korea, Syria, Turkey, UK, USA, Vietnam.
Tools used: AsyncRAT, LummaC2, NetSupport Manager, Rhadamanthys, RotBot, XClient, Living off the Land.
Operations performed: Feb 2024: Suspected CoralRaider continues to expand victimology using three information stealers
<https://blog.talosintelligence.com/suspected-coralraider-continues-to-expand-victimology-using-three-information-stealers/>
Information: <https://blog.talosintelligence.com/coralraider-targets-socialmedia-accounts/>
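As an added example (not part of the ETDA card or the Talos report), the following Python detector applies the two LoLBin patterns named in the description to constructed process-creation events. The event shape, the field names, the sample command lines and the list of child processes treated as suspicious are assumptions; the card does not describe how CoralRaider invokes these binaries, so the rules follow the publicly documented abuse of Forfiles.exe (proxy execution through its /c argument) and FoDHelper.exe (an auto-elevating binary that should not be spawning a shell), not this actor's specific chain.

```python
"""Flag process-creation events matching generic Forfiles.exe / FoDHelper.exe abuse.

Added example for the CoralRaider card; not code from ETDA or Cisco Talos.
The event layout imitates a Sysmon event ID 1 record (parent image, image,
command line) but every event below is constructed for illustration.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str   # full path of the parent process image
    image: str    # full path of the created process image
    cmdline: str  # command line of the created process


# Script hosts and download utilities that make a forfiles /c payload
# suspicious.  cmd.exe is deliberately absent: forfiles /c "cmd /c del @path"
# is routine in maintenance scripts and would only generate noise.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "curl.exe",
}
# For the fodhelper rule any shell, cmd.exe included, is unexpected as a child.
SHELLS = SCRIPT_HOSTS | {"cmd.exe"}

# Captures the argument of forfiles' /c switch, quoted or bare.
FORFILES_C = re.compile(r'/c\s+"?(?P<cmd>[^"]+)', re.IGNORECASE)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _norm(token: str) -> str:
    """Reduce a command-line token to a lower-case image name with .exe."""
    b = ntpath.basename(token.strip('"')).lower()
    return b if b.endswith(".exe") else b + ".exe"


def forfiles_proxy_exec(ev: ProcEvent):
    """forfiles.exe whose /c payload launches a script host or downloader."""
    if _base(ev.image) != "forfiles.exe":
        return None
    m = FORFILES_C.search(ev.cmdline)
    if not m:
        return None
    hosts = {_norm(t) for t in m.group("cmd").split()} & SCRIPT_HOSTS
    if not hosts:
        return None
    return "forfiles /c launching " + ", ".join(sorted(hosts))


def fodhelper_child(ev: ProcEvent):
    """fodhelper.exe (auto-elevated) spawning a shell instead of the Settings UI.

    Assumption: the usual preparation is a hijacked HKCU ms-settings handler;
    this rule only needs the resulting parent/child relationship.
    """
    if _base(ev.parent) == "fodhelper.exe" and _base(ev.image) in SHELLS:
        return f"fodhelper.exe spawned {_base(ev.image)}"
    return None


RULES = (("forfiles_proxy_exec", forfiles_proxy_exec),
         ("fodhelper_child", fodhelper_child))


def detect(events):
    """Return (event index, rule name, detail) for every event a rule matches."""
    findings = []
    for i, ev in enumerate(events):
        for name, rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append((i, name, detail))
    return findings


# Constructed sample telemetry: one benign shell, one malicious forfiles use,
# one benign forfiles use, a normal fodhelper launch, and a fodhelper bypass.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c dir C:\Users"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\forfiles.exe",
              r'forfiles.exe /p C:\Windows\System32 /m notepad.exe '
              r'/c "cmd /c powershell -ep bypass -w hidden -f C:\Users\Public\s.ps1"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\forfiles.exe",
              r'forfiles.exe /p C:\Logs /m *.log /d -30 /c "cmd /c del @path"'),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\fodhelper.exe",
              "fodhelper.exe"),
    ProcEvent(r"C:\Windows\System32\fodhelper.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c powershell -nop -w hidden -f C:\Users\Public\s.ps1"),
]

if __name__ == "__main__":
    for idx, rule, detail in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {detail}")
```

Only events 1 and 4 fire. Event 2 (forfiles deleting old logs through cmd) and event 3 (fodhelper.exe starting normally, as it does when a user opens Optional Features) stay silent, which is the point of keying the rules on the payload's script hosts and on fodhelper's child rather than on the binaries' mere presence.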

Last change to this card: 18 June 2024
