---
title: "Newbie CoralRaider Targets Asian Brands To Extract Social Media Data | Phish Protection"
description: "Newbie CoralRaider Targets Asian Brands To Extract Social Media Data: There"
image: "https://phishprotection.com/og/blog/newbie-coralraider-targets-asian-brands-to-extract-social-media-data.png"
canonical: "https://phishprotection.com/blog/newbie-coralraider-targets-asian-brands-to-extract-social-media-data/"
---


![Phish Protection blog post image](https://media.mailhop.org/phishprotection/images/2024/05/latest-phishing-attack-targets.jpg) 

There’s a new kid on the block among Vietnamese cybercriminals: CoralRaider. These attackers have targeted Asian organizations and brands with the aim of gaining access to social media account details and sensitive user data. CoralRaider’s specialty lies in seamless [data extraction](https://en.wikipedia.org/wiki/Data%5Fextraction) through legitimate services and **social engineering tactics**.

### Vietnam and Its Close Ties With Cybercrimes!

2023 was a bad year for the Vietnamese people in terms of [cybersecurity](/content/cybersecurity-in-a-nutshell). In the first half of 2023 alone, [6000+](https://eastasiaforum.org/2024/03/20/vietnams-struggle-with-cyber-security/) cyber attacks were **registered within the Asian country**. Before 2023 ended, the total number of [cyber-attacks](https://www.cnbc.com/2024/04/08/state-backed-cyberattacks-ai-deepfakes-top-uk-election-cyber-risks.html) reached a whopping 13,900 incidents.

As per the Vietnam National Cyber Security Technology Company, the country witnessed a spike of about [9.5%](https://eastasiaforum.org/2024/03/20/vietnams-struggle-with-cyber-security/#:~:text=In%20the%20first%20half%20of,in%202023%20compared%20to%202022.) in cyber attacks in the year 2023. A total of 554 websites were attacked by [threat actors](/phishing-awareness/threat-actors-breach-reddit-and-access-internal-documents-code-and-business-systems), out of which **around 212 were compromised** at Vietnamese government offices. The Vietnamese government has been highly concerned about the sudden surge in cyber crimes across the country and has declared them a direct **threat to national security**.

### More On CoralRaider

_CoralRaider made its first official entry in 2023_. Still very much a newcomer, the [cybercrime group](https://www.bankinfosecurity.com/cybercrime-group-uses-likely-ai-script-to-load-infostealer-a-24825) has also been on the radar because of **its rookie mistakes**. For instance, they once ended up infecting their own systems, thereby exposing their schemes and pursuits.

CoralRaider’s ultimate goal in this latest cyber attack is **monetary gain**. They are trying hard to gain access to social media and advertising accounts so that they can enjoy illegitimate financial benefits. Cyber experts also doubt **follow-on attacks** in the form of [malware delivery](https://inquest.net/blog/top-malware-delivery-tactics-watch-out-2023/). 

_Unlike some other cyber criminals in Vietnam, CoralRaider does not seem to have a nationalist agenda. As of now, it is purely focused on profit motives._

### Step-By-Step Analysis Of CoralRaider Infection Chain

The easiest way to identify a CoralRaider campaign is a **Windows shortcut (.LNK) file**. These files generally use a [PDF extension](https://www.darkreading.com/vulnerabilities-threats/vietnamese-cybercrime-group-coralraider-nets-financial-data).

When a naive user clicks on the supposedly harmless Windows shortcut, it **connects the user to a malicious server** controlled by CoralRaider and further downloads a file.

This downloaded file is in the form of an [HTML application (HTA)](https://en.wikipedia.org/wiki/HTML%5FApplication) and **looks like a harmless webpage**. However, a script is hidden on this web page. Cyber attackers use Visual Basic to write these hidden scripts.

Soon, the Visual Basic script gets activated. It instructs the computer to perform certain tasks. All of this happens **behind the scenes**, and the user stays oblivious.

Next, the Visual Basic script starts another set of instructions written in a language called PowerShell. These instructions check whether or not the computer is under the surveillance of security experts. Apart from this, they also try to **dissect the security system** (if any) and bypass it so as to gain access to the controls of the system. They also ensure that the user does not get any notification regarding these [malicious activities](https://www.infosecurity-magazine.com/news/malicious-campaign-microsoft-azure/).

Finally, they execute a program named **RotBot**. It is specially designed to extract data sneakily from the computer without the user’s awareness. _RotBot not only specializes in evading security measures but also has the expertise to collect specific data as per the instructions._

RotBot sneakily downloads a program called XClient, which effectively **collects sensitive private data,** such as passwords, usernames, email IDs, etc., from the device. The program is also capable of stealing other important details such as [credit card account data](https://timesofindia.indiatimes.com/gadgets-news/a-cyberattack-may-have-exposed-data-of-these-credit-card-users/articleshow/108246809.cms), financial information and browser history. Also, the malicious program **secretly screenshots the victim’s desktop** and uploads it as well.

_In short, this will feel like a private detective who sneaks into your home through your backdoor and leaves behind **multiple spy cams** at your place to gather all your personal data._
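One way to hunt for the chain described above (an added example, not code from the original article or from the researchers it cites): the first function flags shortcut files dressed up with a document extension, and the second walks process-creation records to find PowerShell descending from `mshta.exe`, the default Windows host for HTA files. The event field names (`pid`, `ppid`, `image`), the sample events and the decoy extensions beyond PDF are assumptions constructed for illustration.

```python
import ntpath

# Document extensions a shortcut may hide behind. The article names PDF;
# the others are an added generalisation (assumption).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def is_masquerading_lnk(filename):
    """True for shortcuts named like documents, e.g. 'report.pdf.lnk'."""
    stem, ext = ntpath.splitext(filename.lower())
    return ext == ".lnk" and ntpath.splitext(stem)[1] in DECOY_EXTS


def _name(event):
    """Lower-cased executable name from a Windows image path."""
    return ntpath.basename(event["image"]).lower()


def find_hta_powershell_chains(events):
    """Return [(powershell_pid, lineage)] for PowerShell that descends from mshta.exe.

    `events` are process-creation records (hypothetical schema: pid, ppid, image).
    The walk follows parent PIDs, so intermediate processes do not hide the chain.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if _name(e) not in POWERSHELL:
            continue
        chain, seen, cur = [_name(e)], {e["pid"]}, by_pid.get(e["ppid"])
        while cur and cur["pid"] not in seen:  # guard against PID loops
            seen.add(cur["pid"])
            chain.append(_name(cur))
            if _name(cur) == "mshta.exe":
                hits.append((e["pid"], chain[::-1]))
                break
            cur = by_pid.get(cur["ppid"])
    return hits


# Constructed sample telemetry (not taken from any real incident).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 210, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe"},
    {"pid": 220, "ppid": 210, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 230, "ppid": 220,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # PowerShell opened directly by the user: must not be flagged.
    {"pid": 300, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    print(is_masquerading_lnk("Invoice_2024.pdf.lnk"))
    print(find_hta_powershell_chains(SAMPLE_EVENTS))
```

On long-running hosts PIDs are reused, so a production version should key on a process GUID or pair each PID with its creation time.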


### Noob Behavior By CoralRaider

_CoralRaider generally uses Telegram to exfiltrate victim data and as a command-and-control channel._ But somehow they managed to infect one of their own systems, as **screenshots of their device screen** are available in Telegram itself.

The screenshots divulged lots of details, such as CoralRaider hackers **chatting in the Vietnamese language**. Basically, CoralRaider extracts data from users’ systems and sells it in secret markets through different chat groups in the [Telegram app](https://www.bleepingcomputer.com/news/security/strongpity-hackers-target-android-users-via-trojanized-telegram-app/).

### Cyber Scenario in Vietnam

Earlier, Vietnam was not on the radar of [cybercriminals](/phishing/cybercriminals-are-duping-millions-of-accounts-in-the-latest-facebook-phishing-campaign). However, in recent times, Vietnam has embraced **rapid cyber advancements**. With this, the country has become vulnerable to more and more cyber attacks. Also, **poor economic conditions** and a lack of job opportunities further force the natives to partake in illegitimate activities. Cybercrime, as compared to skill-based jobs, brings in a **great deal of money** in a short span of time. That’s how more and more people get lured into the dark world of cybercrime.

At present, concerned authorities are taking suitable measures to **prevent further damage** by CoralRaider. However, it’s imperative to prioritize both [phishing protection](/) software and comprehensive [phishing awareness training](/products/phishing-awareness-training) to fortify against future cyber threats.


[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

