Victims in China, India, South Korea, Indonesia, Vietnam, Bangladesh, and Pakistan have been targeted since May by CoralRaider, a suspected Vietnamese threat actor that delivers RotBot, a QuasarRAT variant, together with the XClient information-stealing malware, reports The Hacker News.
According to a report from Cisco Talos, intrusions begin with a malicious Windows LNK file. Opening it launches an HTML Application (HTA) file containing a Visual Basic script, which in turn runs further PowerShell scripts that hide the activity from the victim and execute RotBot. The attackers then use RotBot to fetch XClient, which harvests financial information and credentials from several web browsers, data from Telegram and Discord, and account information for Facebook, Instagram, YouTube, and TikTok. The researchers noted that the stolen data is exfiltrated through Telegram and later sold on various dark web markets.
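The parent/child chain described above (a user opens the LNK in Explorer, mshta.exe runs the HTA, PowerShell is spawned with evasive flags) is something a defender can hunt for in process-creation telemetry. The following is an added example, not code from the article or from Cisco Talos: it scores PowerShell processes whose parent is mshta.exe and whose grandparent is explorer.exe. The event records, process IDs, paths and command lines are constructed for illustration and are not real telemetry; the field names are an assumption about how a log source exposes process events.

```python
"""Added example (not from the original article or from Cisco Talos):
flag the LNK -> HTA -> PowerShell launch chain in process-creation events.
All events below are constructed samples, not real telemetry."""

import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lowercased basename of the executable (assumed field)
    cmdline: str    # full command line (assumed field)


# Constructed sample events. PID 1 stands in for a parent outside the window.
# Opening a .lnk does not create a process of its own: it shows up as
# explorer.exe (the shell) being the parent of whatever the shortcut ran.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1000, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(2000, 1000, "mshta.exe",
              'mshta.exe "C:\\Users\\u\\AppData\\Local\\Temp\\doc.hta"'),
    ProcEvent(3000, 2000, "powershell.exe",
              "powershell.exe -w hidden -ep bypass -enc QQBCAEMA"),
    ProcEvent(4000, 1000, "notepad.exe", "notepad.exe readme.txt"),
    # Benign admin PowerShell: no mshta.exe parent, so it must not fire.
    ProcEvent(5000, 1, "powershell.exe",
              "powershell.exe -File C:\\scripts\\backup.ps1"),
]

# Flags commonly used to hide a console or run encoded/unrestricted code.
SUSPICIOUS_PS_FLAGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden"
    r"|e(?:nc|ncodedcommand)?\s"
    r"|ep\s+bypass"
    r"|executionpolicy\s+bypass)",
    re.IGNORECASE,
)


def detect_lnk_hta_powershell_chain(events: List[ProcEvent]) -> List[dict]:
    """Return one hit per powershell.exe spawned by mshta.exe, with a score
    that rises when the chain matches the full pattern from the report."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if ev.image != "powershell.exe":
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None or parent.image != "mshta.exe":
            continue
        score = 1
        reasons = ["powershell.exe spawned by mshta.exe"]
        grandparent = by_pid.get(parent.ppid)
        if grandparent is not None and grandparent.image == "explorer.exe":
            score += 1
            reasons.append("mshta.exe launched from explorer.exe "
                           "(user opened a file, e.g. an LNK)")
        if ".hta" in parent.cmdline.lower():
            score += 1
            reasons.append("mshta.exe given an .hta file on disk")
        if SUSPICIOUS_PS_FLAGS.search(ev.cmdline):
            score += 1
            reasons.append("hidden window / encoded command / "
                           "ExecutionPolicy bypass")
        hits.append({"pid": ev.pid, "cmdline": ev.cmdline,
                     "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect_lnk_hta_powershell_chain(SAMPLE_EVENTS):
        print(f"pid={hit['pid']} score={hit['score']}")
        for r in hit["reasons"]:
            print(f"  - {r}")
```

The mshta.exe to powershell.exe relationship alone is rare enough in most fleets to be worth an alert; the extra points for the Explorer grandparent, an .hta path on the command line and evasive flags separate this chain from the occasional legitimate HTA. In a real deployment the events would come from Sysmon event ID 1 or an EDR's process-creation stream rather than the constructed list here.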
These findings come amid a Facebook malvertising campaign, reported by Bitdefender, that uses generative artificial intelligence tools as lures to deploy the Rilide, Vidar, IceRAT, and Nova Stealer malware.