Targets victims’ data and social media accounts

released on 2024-04-04 @ 07:53:01 PM
Cisco Talos discovered a financially motivated threat actor, believed to be of Vietnamese origin, that has been operating since at least 2023. The group, dubbed 'CoralRaider,' targets victims across multiple Asian and Southeast Asian nations, aiming to steal credentials, financial data, and social media accounts, including business and advertisement profiles. The campaign employs RotBot, a customized QuasarRAT variant, and XClient stealer as payloads. The actors use the dead drop technique, hosting C2 configuration files on legitimate services, and rely on living-off-the-land binaries (LoLBins) such as Windows Forfiles.exe and FoDHelper.exe.