CoralRaider is a financially motivated threat actor of Vietnamese origin, targeting victims in Asian and Southeast Asian countries since at least 2023. They use the RotBot loader family and XClient stealer to steal victim information, with hardcoded Vietnamese words in their payloads. CoralRaider operates from Hanoi, Vietnam, and uses a Telegram bot as a C2 channel for their malicious campaigns. Their activities include system reconnaissance, data exfiltration, and targeting victims in multiple countries in the region.
2025-08-31 ⋅ Darkrym ⋅ PXA Stealers Evolution to PureRAT: Part 3 - Weaponised Python Stage (Stage 5) ⋅ PXA Stealer
2025-08-04 ⋅ Sentinel LABS ⋅ Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem ⋅ PXA Stealer
2025-08-04 ⋅ Beazley Security Labs ⋅ Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem ⋅ PXA Stealer
2025-06-13 ⋅ Twitter (@luc4m) ⋅ Tweet on PXA Stealer targeting Italy ⋅ PXA Stealer
2024-11-14 ⋅ Cisco Talos ⋅ New PXA Stealer targets government and education sectors for sensitive information ⋅ PXA Stealer
2024-04-04 ⋅ Cisco Talos ⋅ CoralRaider targets victims’ data and social media accounts ⋅ CoralRaider