A sophisticated malware campaign, active since February 2024, is distributing CryptBot, LummaC2, and Rhadamanthys stealers.

The malicious software is being spread by CoralRaider, a threat actor targeting a wide range of business sectors internationally.

The malware is cleverly disguised as movie files and is hosted on CDN cache domains, complicating detection efforts.

Victims are being tricked into downloading the malware through drive-by downloads initiated by phishing emails.

The attack uses a PowerShell loader script that evades User Access Controls via the FodHelper bypass technique.

Once installed, the malware harvests extensive personal data, including system info, browser data, credentials, cryptocurrency wallets, and financial details.

The latest version of CryptBot features advanced anti-analysis measures and can now access password managers and authenticator apps, enhancing its data theft capabilities.