top of page
Image by Matze Bob

Codoso

Malware Dissection Playbook

CoralRaider is a Vietnam-linked cybercriminal group active since 2023, known for widespread phishing and info-stealing malware campaigns. Unlike espionage-focused APTs, CoralRaider monetizes its access by stealing credentials, financial data, and accounts. They rely on commodity malware (NetSupport RAT, Lumma Stealer, RedLine variants) and low-cost infrastructure, but have shown persistence and a regional footprint across Southeast Asia.

Analysis

  1. Watering-hole compromise → injects malicious Flash/JavaScript exploit

  2. Exploit triggers → drops loader → installs Derusbi RAT or similar backdoor

  3. Victim beaconing → HTTP/S C2 with custom protocols

  4. Secondary tools → credential dumping, lateral movement

Execution Chain

Persistence

  • Registry Run keys for RAT persistence

  • DLL side-loading into legitimate processes

  • Scheduled tasks for backdoor reinfection

Evasion

  • Use of zero-day exploits (esp. Flash, IE)

  • Sandbox/VM detection (hardware/CPU checks)

  • Code signing abuse (stolen or fake certs)

  • Encryption of C2 traffic (custom protocols over HTTP/S and port 22)

Networking

  • HTTP(S) with custom encrypted payloads

  • Domains mimicking news, government, and update services

  • C2 fallback to hardcoded IPs (often hosted on compromised servers)

IOC's and Artifacts 

This collection highlights key artifacts and IOCs we consider most relevant for analysts developing detection rules or conducting research. For YARA rules, please refer to the community repository.

 

Note: We do not publish or accept file hashes unless they are used to illustrate a specific malware technique or reference research (either our own analysis or external sources). Our focus is on dynamic detection logic and deeper research, rather than relying solely on static indicators.

File Artifacts

  • Derusbi.dll / Derusbi.exe (custom backdoor)

  • Droppers disguised as Office or Adobe installers

​

Registry Persistence

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\* → Codoso loader entries

​

Patterns:

  • Exploit kit injection on high-profile news/policy sites

  • Flash SWF zero-day delivery

  • Encrypted C2 over HTTP/S, often with fake JSP/PHP login pages

 

Domains:

  • hxxp://orbesinsights.com (compromised watering-hole, 2014)

  • hxxp://update-java.com

  • hxxp://secure-office365.net

  • hxxp://news-asia.org

​

IP's​

  • hxxp://45.146.164.9

  • hxxp://203.131.222.102 

  • hxxp://61.240.144.66

  • hxxp://103.27.202.56 

​

​​

Refrences:

  • Palo Alto Networks Unit42 – New Attacks Linked to C0d0s0 Group

  • SecurityWeek – Chinese Group Codoso Zero-Day Attacks

  • MITRE ATT&CK – APT19 / Codoso profile (G0073)

  • ETDA Thailand APT Cards – Codoso / APT19 / Deep Panda

bottom of page