{
	"id": "f1b0abbe-148b-47be-9128-127ad300fb57",
	"created_at": "2026-04-06T00:15:27.024968Z",
	"updated_at": "2026-04-10T03:28:46.391904Z",
	"deleted_at": null,
	"sha1_hash": "0ce0cc336a3652d3f89851da4c5140da881837df",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53424,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 22:29:51 UTC\n Other threat group: CoralRaider\nNames CoralRaider (Talos)\nCountry Vietnam\nMotivation Financial gain\nFirst seen 2023\nDescription\n(Talos) Cisco Talos discovered a new threat actor we’re calling “CoralRaider” that\nwe believe is of Vietnamese origin and financially motivated. CoralRaider has been\noperating since at least 2023, targeting victims in several Asian and Southeast Asian\ncountries.\nThis group focuses on stealing victims’ credentials, financial data, and social media\naccounts, including business and advertisement accounts.\nThey use RotBot, a customized variant of QuasarRAT, and XClient stealer as\npayloads in the campaign we analyzed.\nThe actor uses the dead drop technique, abusing a legitimate service to host the C2\nconfiguration file and uncommon living-off-the-land binaries (LoLBins), including\nWindows Forfiles.exe and FoDHelper.exe.\nObserved\nCountries: Bangladesh, China, Ecuador, Egypt, Germany, India, Indonesia, Japan,\nNigeria, Norway, Pakistan, Philippines, Poland, South Korea, Syria, Turkey, UK,\nUSA, Vietnam.\nTools used\nAsyncRAT, LummaC2, NetSupport Manager, Rhadamanthys, RotBot, XClient,\nLiving off the Land.\nOperations performed Feb 2024\nSuspected CoralRaider continues to expand victimology using three\ninformation stealers\nInformation Last change to this card: 18 June 2024\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=55e65c1c-f9bc-4060-8281-13dcf7a4cd17\nPage 1 of 2\n\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=55e65c1c-f9bc-4060-8281-13dcf7a4cd17\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=55e65c1c-f9bc-4060-8281-13dcf7a4cd17\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=55e65c1c-f9bc-4060-8281-13dcf7a4cd17"
	],
	"report_names": [
		"showcard.cgi?u=55e65c1c-f9bc-4060-8281-13dcf7a4cd17"
	],
	"threat_actors": [
		{
			"id": "6b8c5ea0-a654-4b5c-b817-9e67b115059e",
			"created_at": "2024-04-19T02:00:03.625955Z",
			"updated_at": "2026-04-10T02:00:03.616114Z",
			"deleted_at": null,
			"main_name": "CoralRaider",
			"aliases": [],
			"source_name": "MISPGALAXY:CoralRaider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6a894c24-6f51-4863-9efb-7f1b3133c848",
			"created_at": "2024-06-20T02:02:10.260154Z",
			"updated_at": "2026-04-10T02:00:05.001393Z",
			"deleted_at": null,
			"main_name": "CoralRaider",
			"aliases": [],
			"source_name": "ETDA:CoralRaider",
			"tools": [
				"AsyncRAT",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"Rhadamanthys",
				"Rhadamanthys Stealer",
				"RotBot",
				"XClient"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434527,
	"ts_updated_at": 1775791726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0ce0cc336a3652d3f89851da4c5140da881837df.pdf",
		"text": "https://archive.orkl.eu/0ce0cc336a3652d3f89851da4c5140da881837df.txt",
		"img": "https://archive.orkl.eu/0ce0cc336a3652d3f89851da4c5140da881837df.jpg"
	}
}