Vietnam.vn - Platform for promoting Vietnam

Vietnamese hacker suspected of masterminding trouble in Asia

Người Lao Động, 07/04/2024


The above information was reported by The Hacker News, citing a statement from the Cisco Talos security research group, part of Cisco Corporation (USA).

"We have detected a malware designed to collect financial data in India, China, South Korea, Bangladesh, Pakistan, Indonesia and Vietnam since May 2023," the Cisco Talos security team revealed.

The attack campaign by the hacker group called CoralRaider "focused on victims' credentials, financial data, and social media accounts, including business and advertising accounts."

Cisco Talos describes the attackers as using RotBot, a customized variant of Quasar RAT, together with XClient to carry out the attacks. They also used a variety of tools, including remote access trojans and other malware such as AsyncRAT, NetSupport RAT, and Rhadamanthys. In addition, the attackers used a variety of specialized data-stealing software such as Ducktail, NodeStealer, and VietCredCare.

The stolen information was collected via Telegram and then traded by the hackers on the underground market for illegal profits.

"Based on messages in Telegram chat channels, language preferences, and bot naming, the debugger string (PDB) has hard-coded Vietnamese keywords in the file. It is possible that the hackers exploiting CoralRaider are from Vietnam," Cisco Talos commented.

Hackers originating from Vietnam are suspected of stealing financial data in Asia. Illustration photo: The Hacker News

The attack usually starts by taking control of a Facebook account. Hackers then change the name and interface to impersonate famous AI chatbots from Google, OpenAI or Midjourney.

Hackers even run ads to reach victims, luring users to fake websites. One fake Midjourney account had 1.2 million followers before it was taken down in mid-2023.

Once the data is stolen, RotBot is configured to contact the Telegram bot and run the XClient malware in memory. Security and authentication information stored in web browsers such as Brave, Coc Coc, Google Chrome, Microsoft Edge, Mozilla Firefox and Opera is collected.

XClient is also designed to extract data from victims' Facebook, Instagram, TikTok, and YouTube accounts. The malware also collects details about payment methods and permissions related to their Facebook advertising and business accounts.

"The malicious advertising campaigns had a huge reach through Meta's advertising system. From there, the hackers actively approached victims across Europe such as Germany, Poland, Italy, France, Belgium, Spain, the Netherlands, Romania, Sweden and elsewhere, in addition to Asian countries," the source emphasized.



Source: https://nld.com.vn/tin-tac-viet-bi-nghi-chu-muu-gay-chuyen-o-chau-a-196240407103409743.htm
