DNS Early Detection – Breaking the CoralRaider Kill Chain
ID: cf775c04-94a5-560c-a7aa-30ebcb36cdf1
STIX ID: report--cf775c04-94a5-560c-a7aa-30ebcb36cdf1
Feed Name: Infoblox Threat Intel Blog
Infoblox details the CoralRaider campaign (active since Feb 2024) that delivers info‑stealer malware families — including Rhadamanthys, Lumma C2, and Cryptbot — using CDN-hosted payloads and DNS-based command-and-control; the report enumerates malicious domains observed, documents that Infoblox flagged 94.12% of those domains as SUSPICIOUS (on average ~76.8 days before OSINT), and recommends using Infoblox suspicious-domain feeds to automatically block the infrastructure and disrupt the kill chain.
