Suspected CoralRaider continues to expand victimology using three information stealers

By Joey Chen, Chetan Raghuprasad and Alex Karkins. 

• Cisco Talos discovered a new ongoing campaign since at least February 2024, operated by a threat actor distributing three famous infostealer malware, including Cryptbot, LummaC2 and Rhadamanthys.
• Talos also discovered a new PowerShell command-line argument embedded in the LNK file to bypass anti-virus products and download the final payload into the victims’ host.
• This campaign uses the Content Delivery Network (CDN) cache domain as a download server, hosting the malicious HTA file …

actor alex argument bypass campaign chen cisco cisco talos command cryptbot embedded february february 2024 file information information stealers infostealer line lnk lnk file lummac2 malware powershell rhadamanthys stealers talos threat threat actor virus