top of page
Image by Tran Phu

CoalRaider

Malware Dissection Playbook

CoralRaider is a Vietnam-linked cybercriminal group active since 2023, known for widespread phishing and info-stealing malware campaigns. Unlike espionage-focused APTs, CoralRaider monetizes its access by stealing credentials, financial data, and accounts. They rely on commodity malware (NetSupport RAT, Lumma Stealer, RedLine variants) and low-cost infrastructure, but have shown persistence and a regional footprint across Southeast Asia.

Analysis

  1. Phishing emails / malicious attachments → downloader scripts

  2. Deployment of commodity stealers (RedLine, Lumma, Raccoon)

  3. Secondary RATs (NetSupport, AsyncRAT) for control

  4. Exfiltration via Telegram bots or cheap VPS hosting

Execution Chain

Persistence

  • Registry Run keys

    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

  • Scheduled Tasks for RATs

  • Abuses startup folders with renamed executables

Evasion

  • Commodity crypters and packers

  • Use of LOLBins (powershell.exe, rundll32.exe)

  • Telegram-based C2 to mask traffic

  • Frequent rebuilds/rebrands of stealers

Networking

  • Telegram bots (api.telegram.org)

  • Discord webhooks

  • Bulletproof hosting in SE Asia/Eastern Europe

  • Disposable domains for phishing kits

IOC's and Artifacts 

This collection highlights key artifacts and IOCs we consider most relevant for analysts developing detection rules or conducting research. For YARA rules, please refer to the community repository.

 

Note: We do not publish or accept file hashes unless they are used to illustrate a specific malware technique or reference research (either our own analysis or external sources). Our focus is on dynamic detection logic and deeper research, rather than relying solely on static indicators.

File Artifacts

  • NetSupportManager.exe (abused RAT)

  • RedLine / Lumma payloads (*.exe in AppData/Temp)

  • Downloader VBS/JS in phishing kits

​

Registry Persistence

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\* → pointing to stealers

  • Scheduled Task names mimicking Windows Update

​

Patterns:

Double extensions for lures:

  • Invoice_2024.pdf.exe

  • Salary_Slip_2024.docx.exe

 

Stealer payloads in %APPDATA% or %TEMP%:

  • clientupdate.exe

  • chrome-update.exe

  • systempatch.exe

 

Domains:

  • hxxp://api.telegram.org

  • hxxp://discordapp.com/api/webhooks/

  • hxxp://coralpanel.com 

  • hxxp://cloudsyncservice.xyz

  • hxxp://update-defender.info 

  • hxxp://vpnlogin.top 

  • hxxp://filesend-data.com

​

IP's​

  • hxxp://45.146.164.90

  • hxxp://185.219.81.42

  • hxxp://194.26.135.99 

  • hxxp://82.118.21.44

​

​

Refrences:

  • CloudSEK – CoralRaider: Vietnam-Linked Cybercrime Group Targeting Global Victims (2024)

  • SentinelOne – Vietnamese Info-Stealer Campaigns and CoralRaider Infrastructure (2024)

  • The Hacker News – Vietnam-Linked Hackers Using Telegram Bots for Exfiltration (2024)

  • ANY.RUN – Malware analysis sandbox reports for CoralRaider samples (RedLine, Lumma stealer payloads).

  • MalwareBazaar – Tagged samples associated with CoralRaider (NetSupport RAT droppers, stealers).

  • VirusTotal – Domain/IP pivots

  • SOCRadar – APT & Cybercrime actor profile database (entries for Vietnam-linked CoralRaider).

  • Securelist (Kaspersky) – Notes on SEA-based cybercrime groups leveraging commodity malware.

  • MITRE ATT&CK – Relevant techniques: T1566 (Phishing), T1053 (Scheduled Task), T1105 (Ingress Tool Transfer), T1071.001 (Web-based C2).

bottom of page