CoralRaider, a likely Vietnamese threat actor identified by Cisco's Talos, uses multiple information stealers to target global users.

Since 2023, CoralRaider expanded its operations to a broad range of countries including Ecuador, Egypt, Germany, Japan, and the US.

The attack vector is phishing emails with malicious links leading to ZIP files that initiate a sophisticated multi-stage infection.

The malware used includes CryptBot, LummaC2, and Rhadamanthys, aiming to steal browser data, cryptocurrency wallet info, and other sensitive data.

CoralRaider leverages a CDN cache to host malicious files, aiding in evasion of detection and complicating network defense efforts.

A wide range of users and business sectors are at risk due to the methods and scope of CoralRaider's phishing and malware distribution.