The PolySwarm Blog

CoralRaider's Stealer Spree

May 3, 2024 1:53:10 PM / by The Hivemind

CoralRaider
Related Families: CryptBot, LummaC2, Rhadamanthys
Verticals Targeted: Technology, Defense

Executive Summary

The threat actor group CoralRaider was recently observed on a stealer spree distributing three infostealers, CryptBot, LummaC2, and Rhadamanthys.  

Key Takeaways

  • The threat actor group CoralRaider was recently observed in a stealer spree, targeting entities in multiple countries.
  • In the campaign, the threat actors distributed three infostealers, CryptBot, LummaC2, and Rhadamanthys. 
  • They appeared to be using new variants of CryptBot and LummaC2, while using an older version of Rhadamanthys.

The Campaign

The threat actor group CoralRaider was recently observed distributing three infostealers, CryptBot, LummaC2, and Rhadamanthys. This stealer spree has been active since at least 2024. Cisco Talos reported on this activity.

CoralRaider’s stealer spree targeted entities in the US, Nigeria, Pakistan, Ecuador, Germany, Egypt, UK, Poland, the Philippines, Norway, Japan, Syria, and Turkey. Affected entities included computer call service organizations and civil defense service organizations, among others.

Cisco Talos described the infection chain:

  • The infection chain begins when a victim opens a malicious shortcut (LNK) file contained in a ZIP archive delivered as a drive-by download.
  • An HTA file executes embedded JavaScript, which in turn decodes and runs a PowerShell decrypter script.
  • The decrypter script decrypts the embedded PowerShell loader script and runs it in memory.
  • The loader executes multiple functions to evade detection and bypass UAC, then downloads and runs one of the three infostealer payloads.
  • Cisco Talos noted that the threat actors used a content delivery network (CDN) cache as the download server.
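As an added example that is not part of the Cisco Talos report or PolySwarm's own tooling, the Python below shows how a defender can hunt for the mshta.exe to PowerShell stage of the chain above in process-creation telemetry. The events, field names and command lines are constructed Sysmon-style samples and are assumptions, not indicators from this campaign.

```python
"""Flag PowerShell processes whose ancestry passes through mshta.exe (the HTA
stage) and that run with hidden or encoded flags, as in the loader stage."""

# Constructed Sysmon-style process-creation events (assumed field names).
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\AppData\Local\Temp\invoice.hta"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc SQBFAFgA..."},
    {"pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c iex(...)"},
    # Benign admin script launched directly from the desktop: must not match.
    {"pid": 500, "ppid": 100, "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]

# Command-line flags typical of in-memory loaders (hidden window, encoded body).
SUSPICIOUS_PS_FLAGS = ("-enc", "-w hidden", "-windowstyle hidden", "-ep bypass")


def chain_for(pid, by_pid):
    """Walk parent links from pid to the root; return image names root-first.
    A seen-set guards against PID reuse creating a cycle in the parent links."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(ev["image"].lower())
        pid = ev["ppid"]
    return list(reversed(chain))


def find_hta_to_powershell(events):
    """Return (pid, chain) for powershell.exe processes descended from
    mshta.exe whose command line uses hidden/encoded execution flags."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["image"].lower() != "powershell.exe":
            continue
        chain = chain_for(e["pid"], by_pid)
        cmd = e["cmdline"].lower()
        if "mshta.exe" in chain and any(f in cmd for f in SUSPICIOUS_PS_FLAGS):
            hits.append((e["pid"], " -> ".join(chain)))
    return hits


if __name__ == "__main__":
    for pid, chain in find_hta_to_powershell(EVENTS):
        print(f"pid {pid}: {chain}")
```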

In the campaign, the threat actors leveraged three well-known infostealers: CryptBot, LummaC2, and Rhadamanthys. Information about each of the infostealer families is provided below:

CryptBot is an infostealer that has been active in the wild since at least 2019. It targets Windows systems and is capable of stealing browser credentials, cryptocurrency wallets, browser cookies, and credit card information. It can also take screenshots of the victim's system. The variant of CryptBot used in this campaign was first observed in January 2024 and includes new techniques to thwart malware analysis.

LummaC2 is an infostealer that has been in the wild since at least late 2022. LummaC2 is written in C and is sold on the underground. We reported on LummaC2 in December 2023, noting its unique trigonometry-based anti-sandboxing technique. Cisco Talos researchers stated that the LummaC2 variant used by CoralRaider appeared to be a new variant.

Rhadamanthys is an infostealer offered as malware as a service (MaaS) on the dark web. Rhadamanthys, which is written in C++, was first seen in the wild in 2022. It steals credentials, cryptocurrency wallets, and other sensitive information such as device information and documents, and sends it to its command-and-control (C2) server. Rhadamanthys has been under active development, with a new variant (6.0) released in February. However, Cisco Talos noted that the CoralRaider campaign used the older Rhadamanthys version 5.0.

Who is CoralRaider?

CoralRaider is a threat actor group thought to be of Vietnamese origin. They appear to be financially motivated and have been active since at least 2023. Earlier this year, CoralRaider was observed using XClient stealer and RotBot, a QuasarRAT variant, to target entities in Asia. 

PolySwarm has multiple samples associated with this activity.

You can use the following CLI command to search for all CoralRaider samples in our portal:

$ polyswarm link list -f CoralRaider
