{
	"id": "5074b436-2c97-4125-bcec-ea666751e9f9",
	"created_at": "2026-04-06T00:07:22.796687Z",
	"updated_at": "2026-04-10T03:28:46.405164Z",
	"deleted_at": null,
	"sha1_hash": "9edceade033b74d51fe0b0e662da1d8611089096",
	"title": "Suspected CoralRaider continues to expand victimology using three information stealers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3085773,
	"plain_text": "Suspected CoralRaider continues to expand victimology using three\r\ninformation stealers\r\nBy Cisco Talos\r\nPublished: 2024-04-23 · Archived: 2026-04-05 18:04:51 UTC\r\nBy Joey Chen, Chetan Raghuprasad and Alex Karkins. \r\nCisco Talos discovered a new ongoing campaign since at least February 2024, operated by a threat actor distributing\r\nthree famous infostealer malware, including Cryptbot, LummaC2 and Rhadamanthys.\r\nTalos also discovered a new PowerShell command-line argument embedded in the LNK file to bypass anti-virus\r\nproducts and download the final payload into the victims’ host.\r\nThis campaign uses the Content Delivery Network (CDN) cache domain as a download server, hosting the malicious\r\nHTA file and payload. \r\nTalos assesses with moderate confidence that the threat actor CoralRaider operates the campaign. We observed\r\nseveral overlaps in tactics, techniques, and procedures (TTPs) of CoralRaider’s Rotbot campaign, including the initial\r\nattack vector of the Windows Shortcut file, intermediate PowerShell decryptor and payload download scripts, the\r\nFoDHelper technique used to bypass User Access Controls (UAC) of the victim machine.  \r\nVictimology and actor infrastructure\r\nThe campaign affects victims across multiple countries, including the U.S., Nigeria, Pakistan, Ecuador, Germany, Egypt, the\r\nU.K., Poland, the Philippines, Norway, Japan, Syria and Turkey, based on our telemetry data and OSINT information. Our\r\ntelemetry also disclosed that some affected users were from Japan’s computer service call center organizations and civil\r\ndefense service organizations in Syria. 
The affected users were downloading files masquerading as movie files through the\r\nbrowser, indicating the possibility of a widespread attack on users across various business verticals and geographies.\r\nWe observe that this threat actor is using a Content Delivery Network (CDN) cache to store the malicious files on their\r\nnetwork edge host in this campaign, avoiding request delay. The actor is using the CDN cache as a download server to\r\ndeceive network defenders. \r\nhttps://blog.talosintelligence.com/suspected-coralraider-continues-to-expand-victimology-using-three-information-stealers/\r\nPage 1 of 14\n\nCDN edge URLs  Information Stealer\r\nhxxps[://]techsheck[.]b-cdn[.]net/Zen90 Cryptbot\r\nhxxps[://]zexodown-2[.]b-cdn[.]net/Peta12 Cryptbot\r\nhxxps[://]denv-2[.]b-cdn[.]net/FebL5 Cryptbot, Rhadamanthys\r\nhxxps[://]download-main5[.]b-cdn[.]net/BSR_v7IDcc Rhadamanthys\r\nhxxps[://]dashdisk-2[.]b-cdn[.]net/XFeb18 Cryptbot\r\nhxxps[://]metrodown-3[.]b-cdn[.]net/MebL1 Cryptbot\r\nhxxps[://]metrodown-2[.]b-cdn[.]net/MebL1 Cryptbot, LummaC2\r\nhxxps[://]metrodown-2[.]b-cdn[.]net/SAq2 LummaC2\r\nTalos discovered that the actor is using multiple C2 domains in the campaign. The DNS requests for the domains during our\r\nanalysis period are shown in the graph, indicating the campaign is ongoing. \r\nTactics, techniques and procedures overlap with other campaigns \r\nTalos assesses with moderate confidence that threat actor CoralRaider is likely operating this campaign based on several\r\noverlaps in the TTPs used and the targeted victims’ geography of this campaign with that of the CoralRaider’s Rotbot\r\ncampaign. 
We spotted that the PowerShell scripts used in the attack chain of this campaign to decrypt the PowerShell scripts\r\nof further stages and the downloader PowerShell script are similar to those employed in the Rotbot campaign.\r\nPowerShell decryptor script of Rotbot campaign (left) and new unknown campaign (right).\r\nString decrypt and download routine of Rotbot campaign (left) and new unknown campaign (right).\r\nThe PowerShell script did not appear in any public repository or article, indicating the threat actor likely developed these\r\nPowerShell scripts. Pivoting on the PowerShell argument embedded in the LNK file showed us that such arguments are not\r\npopular and likely specific to the actor and the campaign.  \r\n.(gp -pa 'HKLM:\\SOF*\\Clas*\\Applications\\msh*e').('PSChildName')\r\nMulti-stage infection chain to deliver the payload \r\nThe infection chain starts when a victim opens the malicious shortcut file from a ZIP file downloaded using the drive-by\r\ndownload technique, according to our telemetry. The threat actor is likely delivering malicious links to victims through\r\nphishing emails.\r\nThe Windows shortcut file has an embedded PowerShell command running a malicious HTA file on attacker-controlled\r\nCDN domains. The HTA file executes an embedded JavaScript, which decodes and runs a PowerShell decrypter script.\r\nThe PowerShell decrypter script decrypts the embedded PowerShell Loader script and runs it in the victim’s memory. 
The\r\nPowerShell Loader executes multiple functions to evade the detections and bypass UAC, and finally, it downloads and runs\r\none of the payloads, Cryptbot, LummaC2 or Rhadamanthys information stealer.\r\nWindows Shortcut file to execute the malicious HTA file\r\nThe Windows shortcut file runs a PowerShell command to download and run an HTML application file on the victim’s machine.\r\nThe threat actor has used “gp,” a PowerShell command alias for Get-ItemProperty, to read the registry contents of the\r\napplication classes registry key and get the executable name “mshta.exe.” Using mshta.exe, the PowerShell instance\r\nexecutes the remotely hosted malicious HTA file on the victim’s machine. \r\nObfuscated HTA runs embedded PowerShell decrypter \r\nThe malicious HTML application file is heavily obfuscated and has a JavaScript that decodes and executes a function using\r\nthe String fromCharCode method. The decoded function then executes an embedded PowerShell decryptor script. \r\nThe decryptor PowerShell script has a block of AES-encrypted text. Using the AES decryptor function, it generates an\r\nAES key of 256 bytes from a base64 encoded string “RVRVd2h4RUJHUWNiTEZpbkN5SXhzUWRHeFN4V053THQ=”\r\nand the IV “AAAAAAAAAAAAAAAA.” With the key and IV, it decrypts and executes the next stage of the PowerShell\r\nLoader script. \r\nPowerShell loader downloads and runs the payload\r\nThe PowerShell loader script is modular and has multiple functions to perform a sequence of activities on the victim’s\r\nmachine. Initially, it executes a function that drops a batch script in the victim machine’s temporary folder and writes its\r\ncontents, which include the PowerShell command to add the folder “ProgramData” of the victim machine to the Windows\r\nDefender exclusion list. 
\r\nThe dropped batch script is executed through a living-off-the-land binary (LoLBin) “FoDHelper.exe” and a Programmatic\r\nIdentifiers (ProgIDs) registry key to bypass the User Access Controls (UAC) in the victim’s machine. FodHelper is a\r\nWindows feature, an on-demand helper binary that runs by default with high integrity. Usually, when FodHelper is run, it\r\nchecks for the presence of the registry keys listed below. If the registry keys have commands assigned, FodHelper will\r\nexecute them in an elevated context without prompting the user. \r\nHKCU:\\Software\\Classes\\ms-settings\\shell\\open\\command\r\nHKCU:\\Software\\Classes\\ms-settings\\shell\\open\\command\\DelegateExecute\r\nHKCU:\\Software\\Classes\\ms-settings\\shell\\open\\command\\(default)\r\nWindows Defender, by default, detects attempts to write to the registry key HKCU:\\Software\\Classes\\ms-settings\\shell\\open\\command, and to evade this detection, the threat actor uses the programmatic identifier (ProgID). In\r\nWindows machines, a programmatic identifier (ProgID) is a registry entry that can be associated with a Class ID (CLSID),\r\nwhich is a globally unique serial number that identifies a COM (Component Object Model) class object. The Windows Shell\r\nuses a default ProgID registry key called CurVer, which is used to set the default version of a COM application. \r\nIn this campaign, the threat actor abuses the “CurVer” registry key feature by creating a custom ProgID\r\n“ServiceHostXGRT” registry key in the software classes registry and assigns the Windows shell to execute a command to\r\nrun the batch script. 
\r\nRegistry Key \"HKCU\\Software\\Classes\\ServiceHostXGRT\\Shell\\Open\\command\"\r\nValue %temp%\\r.bat \r\nThe script configures the ProgID ServiceHostXGRT in the CurVer registry subkey of HKCU\\Software\\Classes\\ms-settings\\CurVer, which will get translated to HKCU:\\Software\\Classes\\ms-settings\\shell\\open\\command. After\r\nmodifying the registry settings, the PowerShell script runs FoDHelper.exe, executing the command assigned to the registry\r\nkey HKCU:\\Software\\Classes\\ms-settings\\shell\\open\\command and executing the dropped batch script. Finally, it deletes\r\nthe configured registry keys to evade detection. \r\nThe batch script adds the folder “C:\\ProgramData” to the Windows Defender exclusion list. The PowerShell loader script\r\ndownloads the payload and saves it in the “C:\\ProgramData” folder as “X1xDd.exe.”\r\nAfter downloading the payload to the victim’s machine, the PowerShell loader executes another function that overwrites the\r\npreviously dropped batch file with the new instructions to run the downloaded payload information stealer through the\r\nWindows start command. It again uses the same FoDHelper technique to run the batch script’s second version, which we\r\nexplained earlier in this section.  \r\nActor’s choice of three payloads in the same campaign \r\nTalos discovered that the threat actor delivered three famous information stealer malware as payloads in this campaign,\r\nincluding CryptBot, LummaC2 and Rhadamanthys. These information stealers target victims’ information, such as system\r\nand browser data, credentials, cryptocurrency wallets and financial information. 
\r\nCryptBot\r\nCryptBot is a typical infostealer targeting Windows systems discovered in the wild in 2019 by GDATA. It is designed to\r\nsteal sensitive information from infected computers, such as credentials from browsers, cryptocurrency wallets, browser\r\ncookies and credit cards, and creates screenshots of the infected system. \r\nTalos has discovered a new CryptBot variant distributed in the wild since January 2024. The goal of the new CryptBot is the\r\nsame, with some new innovative functionalities. The new CryptBot is packed with different techniques to obstruct malware\r\nanalysis. A few new CryptBot variants are packed with VMProtect V2.0.3-2.13; others also have VMProtect, but with\r\nunknown versions. The new CryptBot attempts to steal sensitive information from infected machines and modifies the\r\nconfiguration changes of the stolen applications. The list of targeted browsers, applications and cryptocurrency wallets by\r\nthe new variant of CryptBot is shown below.\r\nWe observed the new CryptBot variant also includes password manager application databases and authenticator application\r\ninformation in its stealing list to steal the cryptocurrency wallets that have two-factor authentication enabled. \r\nCryptBot is aware that the target applications in the victim’s environment will have different versions, and their database\r\nfiles will have different file extensions. It scans the victim’s machine for database files’ extensions of the targeted\r\napplications for harvesting credentials. \r\nLummaC2 \r\nTalos discovered that the actor is delivering a new variant of LummaC2 malware as an alternative payload in this campaign.\r\nLummaC2 is a notorious information stealer that attempts to harvest information from victims’ machines. 
Based on the\r\nreport posted by outpost24 and other external security reports, LummaC2 has already been confirmed to be sold on the\r\nunderground market for years. \r\nThe threat actor has modified LummaC2’s information stealer capability and obfuscated the malware with a custom\r\nalgorithm. The obfuscation algorithm is saved in another section inside the malware shown below.\r\nThe new version of LummaC2 also presents the same signature of the alert message displayed to the user during its\r\nexecution. \r\nThe C2 domains are encrypted with a symmetric algorithm, and we found that the actor has nine C2 servers that the malware\r\nwill attempt to connect to one by one. Analyzing various samples of the new LummaC2 variant, we spotted that each will\r\nuse a different key to encrypt the C2.   \r\nTalos has compiled the list of nine C2 domains the new LummaC2 variant attempts to connect in this campaign. 
\r\nEncrypted strings Decrypted strings\r\nDjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphB+VXagKwrRr7BjLA71GNEZ8E8/0K2otQ== peasanthovecapspll[.]sho\r\nDjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphBpVXqwOAHAo75nPQT3Hc4I6EZ+x+u0rVjB gemcreedarticulateod[.]s\r\nDjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphB9VXShLxDMqLFmPATgC8Ma+U14zKy0oBnC/kf0 secretionsuitcasenioise[.\r\nDjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphBtXHa6JwfKqbxwOh79B8wb+UF0jbavqkc= claimconcessionrebe[.]sh\r\nDjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphBiWXaxIwjMs6Z0Ox/1BsUM8UZ/2qyz60TZ+Vg= liabilityarrangemenyit[.]\r\nDjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphBjX3O2ORDAtKx0MAjiDcwE9U9mxq7ptl/e5g== modestessayevenmilwek\r\nDjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphB6Qn6yJAPJoqxwKB77BsAM8kB51K/ptl/e5g== triangleseasonbenchwj[.\r\nDjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphBtRXunPxbAtLRwPQ78DssH/U1yyqSrqRnC/kf0 culturesketchfinanciall[.\r\nDjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphB9X3GyIhHLs7Z7Lh74AcYM+Ep/xuu0rVjB sofahuntingslidedine[.]sh\r\nLummaC2’s first step in its exfiltration phase is its connection to the C2 server. The malware will exit the process if it does\r\nnot receive the “OK” message as a response from any of the nine C2 servers. The second step will be exfiltrating\r\ninformation from infected machines. The basic stealing functionality is the same as the previous version, with the addition of\r\nvictims’ discord credentials to exfiltrate. \r\nRhadamanthys\r\nThe last payload we found in this campaign is Rhadamanthys malware, a famous infostealer appearing in the underground\r\nforum advertisement in September 2022. The Rhadamanthys malware has been evolving till now, and its authors have\r\nreleased a new version, V0.6.0, on Feb. 15, 2024. 
However, the Rhadamanthys variant we found in this campaign is still\r\nv0.5.0.\r\nThe threat actor uses a Python executable file as a loader to execute the Rhadamanthys malware into memory. After\r\ndecompiling the Python executable file, Python scripts load the Rhadamanthys malware in two stages. The first stage is a\r\nsimple Python script that replaces the binary code from 0 to 9 and decodes the second stage. \r\nIn the second stage, the Python script uses the Windows API to allocate a memory block and inject Rhadamanthys malware\r\ninto the process. We spotted that the threat actor is developing the Python script with the intention of including the\r\nfunctionality of executing a shellcode. \r\nAnalyzing the final executable file showed us that the malware unpacks the loader module with the custom format having\r\nthe magic header “XS” and performs the process injection. The custom loader module in XS format is similar to that of a\r\nRhadamanthys sample analyzed by the researcher at Check Point. The malware selects one of the listed processes as the\r\ntarget process for process injection from a hardcoded list in the binary:\r\n\"%Systemroot%\\\\system32\\\\dialer.exe\"\r\n\"%Systemroot%\\\\system32\\\\openwith.exe\"\r\nCoverage\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in\r\nthis post. 
Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their\r\ncampaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense\r\nVirtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure\r\nproducts.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs,\r\nwhether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests\r\nsuspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for\r\npurchase on Snort.org. 
Snort SID for this threat is 63218 - 63225 and 300867 - 300870.\r\nClamAV detections are also available for this threat:\r\nLnk.Downloader.CoralRaider-10027128-0\r\nTxt.Tool.CoralRaider-10027140-0\r\nHtml.Downloader.CoralRaider-10027220-0\r\nWin.Infostealer.Lumma-10027222-0\r\nWin.Infostealer.Rhadamanthys-10027293-0\r\nWin.Infostealer.Rhadamanthys-10027294-0\r\nWin.Infostealer.Cryptbot-10027295-0\r\nWin.Infostealer.Cryptbot-10027296-0\r\nWin.Infostealer.Cryptbot-10027297-0\r\nWin.Infostealer.Cryptbot-10027298-0\r\nWin.Infostealer.Cryptbot-10027299-0\r\nWin.Infostealer.Cryptbot-10027300-0\r\nWin.Infostealer.Cryptbot-10027301-0\r\nWin.Infostealer.Cryptbot-10027302-0\r\nWin.Infostealer.Cryptbot-10027303-0\r\nWin.Infostealer.Cryptbot-10027305-0\r\nIndicators of Compromise\r\nIndicators of Compromise associated with this threat can be found here.\r\nSource: https://blog.talosintelligence.com/suspected-coralraider-continues-to-expand-victimology-using-three-information-stealers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/suspected-coralraider-continues-to-expand-victimology-using-three-information-stealers/"
	],
	"report_names": [
		"suspected-coralraider-continues-to-expand-victimology-using-three-information-stealers"
	],
	"threat_actors": [
		{
			"id": "6b8c5ea0-a654-4b5c-b817-9e67b115059e",
			"created_at": "2024-04-19T02:00:03.625955Z",
			"updated_at": "2026-04-10T02:00:03.616114Z",
			"deleted_at": null,
			"main_name": "CoralRaider",
			"aliases": [],
			"source_name": "MISPGALAXY:CoralRaider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6a894c24-6f51-4863-9efb-7f1b3133c848",
			"created_at": "2024-06-20T02:02:10.260154Z",
			"updated_at": "2026-04-10T02:00:05.001393Z",
			"deleted_at": null,
			"main_name": "CoralRaider",
			"aliases": [],
			"source_name": "ETDA:CoralRaider",
			"tools": [
				"AsyncRAT",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"Rhadamanthys",
				"Rhadamanthys Stealer",
				"RotBot",
				"XClient"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434042,
	"ts_updated_at": 1775791726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9edceade033b74d51fe0b0e662da1d8611089096.pdf",
		"text": "https://archive.orkl.eu/9edceade033b74d51fe0b0e662da1d8611089096.txt",
		"img": "https://archive.orkl.eu/9edceade033b74d51fe0b0e662da1d8611089096.jpg"
	}
}