Arechclient2

Lures that kick off execution chains leading to Arechclient2 heavily leverage initial access techniques like malvertising, search engine optimization (SEO) poisoning, and typosquatting.

Lures that kick off execution chains leading to Arechclient2 heavily leverage initial access techniques like malvertising, search engine optimization (SEO) poisoning, and typosquatting.

Commercial evasion framework SHELLTER acquired by threat groups... In mid-June, our research identified multiple financially motivated infostealer campaigns that have been using SHELLTER to package payloads beginning late April 2025.

Lures that kick off execution chains leading to Arechclient2 heavily leverage initial access techniques like malvertising, search engine optimization (SEO) poisoning, and typosquatting.

ClearFake is an activity cluster that uses JavaScript injected into compromised websites to deliver malware via drive-by download techniques

Starting around May, we observed campaigns targeting content creators with lures centered around sponsorship opportunities. These appear to be phishing emails sent to individuals with a YouTube channel impersonating brands such as Udemy, Skillshare, Pinnacle Studio, and Duolingo.

Most campaigns use messages with Google Drive URLs leading to an internet shortcut (.URL) file, or a .URL file attached directly to the message.

The infection chain begins with a phishing page that imitates a Cloudflare anti-DDoS Captcha verification.

The actor then injects malicious content into existing conversations within the account’s inbox, which makes the messages look legitimate.

the activity we saw in March 2025 leveraged encoded PowerShell to make network communications, download resources, and execute files early in the execution chain.

In most scenarios, once users interact with the Fix or Verify button in the lure, the button will covertly copy an obfuscated PowerShell command to the clipboard and present the user with “verification steps.”

The adversary is trying to entice the user into verifying or fixing something by typing a command into a terminal, run dialog box, or PowerShell.

If executed, it uses SMB to access an executable from the remote share, which installs the malware.

MITRE ATT&CK Mapping Tactic Technique ID Notes Persistence Boot or Logon Autostart T1547 SectopRAT standard persistence

Suspicious behaviors by a cmd.exe-created process that Arechclient2 is injected into, for example msbuild.exe

MITRE ATT&CK Mapping Tactic Technique ID Notes Persistence Boot or Logon Autostart T1547 SectopRAT standard persistence

ClearFake fetches and executes base64 encoded and gzip compressed code... The initial smart contract delivers an obfuscated JavaScript payload... Both SharkStealer and ArechClient2 use AES decryption with a hardcoded key... LoaderOnNet... uses ChaCha20Poly1305 encryption for both data exchange with the C2 server and the data pulled from the smart contract.

MITRE ATT&CK Mapping Tactic Technique ID Notes Defense Evasion Software Packing T1027.002 Reversed Base64 + Zlib compression

Polymorphic Junk Code SHELLTER-protected samples commonly employ self-modifying shellcode with polymorphic obfuscation to embed themselves within legitimate programs. This combination of legitimate instructions and polymorphic code helps these files evade static detection and signatures, allowing them to remain undetected.

Malicious ads trick users into navigating to adversary-designed sites that mimic legitimate software downloads including Google Chrome, Zoom, and NordVPN among others.

Suspicious behaviors by a cmd.exe-created process that Arechclient2 is injected into, for example msbuild.exe

SHELLTER encrypts its final, user-defined payloads using AES-128 CBC mode... In Shellter Elite v11.0, by default, payloads are compressed using the LZNT1 algorithm before being encrypted.

Run method: rundll32 [file path] ,LoadForm

Finally, it loads the .NET Common Language Runtime (CLR) in memory with CLRCreateInstance Windows API before reflectively loading ARECHCLIENT2.

ARECHCLIENT2 explicitly targets cryptocurrency wallets, browser-saved passwords, cookies, and autofill data.

ARECHCLIENT2 gathers extensive system details, including the operating system version, hardware information, IP address, machine name, and geolocation (city, country, and time zone).

If executed, it uses SMB to access an executable from the remote share, which installs the malware.

Elastic uses the MITRE ATT&CK framework... Techniques... Data from Local System.

the button will covertly copy an obfuscated PowerShell command to the clipboard and present the user with “verification steps.”

The emails include download links to archive files (.rar), which contain legitimate promotional content packaged with a SHELLTER-protected executable.

Smart contract returns base64 encoded tuple (with “START” and “FINISH” markers) consisting of IV and encrypted C2 IP

Netconns to pastebin[.]com, which Arechclient2 often uses to retrieve its command and control (C2) IP addresses

Threat actors store data (for example C2 configuration) or code on a public blockchain... they can access it through a legitimate API endpoint... SharkStealer and ArechClient2... pull their C2 configuration from a smart contract... ZigCryptoStealer... uses smart contracts to receive their C2 configuration.

By following the “verification steps,” the user inadvertently runs the command and additional commands will reach out and download malware or tools.

Netconns to pastebin[.]com, which Arechclient2 often uses to retrieve its command and control (C2) IP addresses

Arechclient2 frequently leverages atypical ports in its C2 communication; port numbers reported in OSINT include 15647, 15678, 15649, 15847, and 9000.

tcp[:]//91.92.241[.]102:443/ - encoded or otherwise encrypted traffic (not HTTPS/TLS)

MITRE ATT&CK Mapping ... Exfiltration Over C2 Channel T1041 HTTP exfiltration