Mallory
Malware · Used by 3 actors

Sectop RAT

Sectop RAT is a Windows remote access trojan also referred to in the provided reporting as ArechClient2. It has been observed as a follow-on payload in multiple malware delivery chains and is associated in the cited reporting with SmartApeSG, also tracked as ZPHP and HANEYMANEY. Prior SmartApeSG campaigns delivered Sectop RAT alongside other malware families including Remcos RAT, NetSupport RAT, and StealC.

The malware has been delivered through several infection vectors mentioned in the content. In SmartApeSG campaigns, victims were redirected from compromised websites to fake CAPTCHA or ClickFix pages and tricked into pasting attacker-provided commands into the Windows Run dialog, leading to staged delivery of multiple payloads. In one documented March 24, 2026 infection session, Sectop RAT was the fourth payload delivered after Remcos RAT, NetSupport RAT, and StealC, appearing about 1 hour and 18 minutes after StealC activity began. The content also describes a pirated-software lure in which a password-protected 7-zip archive delivered Lumma Stealer first, followed by Sectop RAT as a 64-bit DLL. Microsoft reporting in the content further notes that Storm-1113 and Storm-1674 activity involving malicious MSIX/App Installer delivery chains has included or likely dropped Sectop RAT.

Behaviorally, the content identifies Sectop RAT as a RAT deployed on Windows systems and, in observed campaigns, packaged for DLL side-loading or executed via rundll32. In the Lumma-followed-by-Sectop chain, the follow-on sample was a PE32+ 64-bit DLL retrieved from hxxps://enotsosun[.]pw/NetGui.dll, saved as C:\Users\[username]\AppData\Local\Temp\16XBPQ29ZBG94TYNOA.dll, and executed with rundll32 [file path],LoadForm. In SmartApeSG reporting, Sectop RAT delivery archives used legitimate executables to side-load malicious DLLs. Rapid7 reporting cited in the content states that earlier versions of the IDAT loader were disguised as a 7-Zip installer that delivered Sectop RAT.
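As an added defender-side example (not code from this page or from Mallory), the Python below flags the execution pattern just described: rundll32 loading a DLL from a user's Temp directory and calling a named export. The Sysmon-style process-creation records and their field names are constructed for illustration; only the DLL file name and the LoadForm export come from the reporting above.

```python
"""Flag rundll32 launches of a DLL from a user's Temp directory with a named export.

Added example; not code from the original page or from Mallory. The records
below are constructed Sysmon-style process-creation events (Event ID 1) and
the field names are assumptions chosen for illustration.
"""
import re

# Matches "rundll32[.exe] <dllpath>,<export> [...]". The DLL path may be quoted,
# and the launcher itself may be given with a full path.
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+'
    r'(?:"(?P<qpath>[^"]+)"|(?P<path>[^\s,]+))\s*,\s*(?P<export>[#\w]+)',
    re.IGNORECASE,
)

# User-writable staging location named in the reporting (%LOCALAPPDATA%\Temp).
TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse_rundll32(cmdline):
    """Return (dll_path, export) for a rundll32 command line, else None."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    return (m.group("qpath") or m.group("path"), m.group("export"))


def is_suspicious(event):
    """True when rundll32 loads a DLL from a user Temp directory with a named export."""
    if not event["Image"].lower().endswith("\\rundll32.exe"):
        return False
    parsed = parse_rundll32(event["CommandLine"])
    if parsed is None:
        return False
    dll_path, _export = parsed
    return TEMP_RE.search(dll_path) is not None


def scan(events):
    """Return one finding per suspicious event with the parsed DLL path and export."""
    findings = []
    for ev in events:
        if is_suspicious(ev):
            dll_path, export = parse_rundll32(ev["CommandLine"])
            findings.append({
                "parent": ev["ParentImage"],
                "dll": dll_path,
                "export": export,
                "technique": "T1218.011",
            })
    return findings


# Constructed sample events. The DLL name and the LoadForm export mirror the
# chain described above; user names and parent processes are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 C:\Users\alice\AppData\Local\Temp\16XBPQ29ZBG94TYNOA.dll,LoadForm",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Users\bob\AppData\Local\Temp\16XBPQ29ZBG94TYNOA.dll",LoadForm',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
     "ParentImage": r"C:\Windows\explorer.exe"},  # benign: system DLL, no Temp path
    {"Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" x archive.7z',
     "ParentImage": r"C:\Windows\explorer.exe"},  # not rundll32 at all
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The parser deliberately accepts both quoted and unquoted DLL paths and a full path to rundll32 itself, since both forms appear in real telemetry; the location test is what separates the staged sample from ordinary rundll32 use of system DLLs.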

Known network indicators in the provided content include command-and-control traffic to 91.92.241[.]102 over port 9000, including hxxp://91.92.241[.]102:9000/wmglb and hxxp://91.92.241[.]102:9000/wbinjget?q=66B553A8B94CE37C16F4EBC863D51FCC, as well as encoded or encrypted non-HTTPS traffic to 91.92.241[.]102 over TCP 443. Separate SmartApeSG reporting identifies 195.85.115[.]11:9000 as a Sectop RAT (ArechClient2) command-and-control server in a March 2026 campaign. A sample hash provided for a Sectop RAT DLL is d9b576eb6827f38e33eda037d2cda4261307511303254a8509eeb28048433b2f, and a Sectop RAT package hash from SmartApeSG reporting is c90435370728d48cba1c00d92cc3bf99e85f01aa52ecd6c6df2e8137db964796.
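Turning the network indicators above into a hunting check, as an added example that is not part of the original page or of Mallory: the Python below matches constructed Zeek-style connection records against the C2 addresses and request paths listed, and separately flags port-443 connections with no TLS handshake, which is how the encoded non-HTTPS channel appears. The record layout, field names and sample values are assumptions; only the IPs, port and URI paths come from the page.

```python
"""Match network records against the Sectop RAT C2 indicators listed above.

Added example; not code from the original page or from Mallory. The records
are constructed Zeek-style conn/http summaries with assumed field names; the
"service" field follows Zeek's convention of "ssl" for detected TLS and an
empty string when the protocol was not identified.
"""
import re

# Indicators from the reporting cited on this page (defanged there, plain here).
C2_IPS = {"91.92.241.102", "195.85.115.11"}
C2_PORT = 9000
# /wmglb and /wbinjget?q=<hex> are the observed request paths. Accepting any hex
# length for q= is an assumption; the page shows a single 32-hex-character value.
C2_URI_RE = re.compile(r"^/(?:wmglb|wbinjget\?q=[0-9A-Fa-f]+)$")


def classify(rec):
    """Return the list of reasons a record is interesting (empty if none)."""
    reasons = []
    if rec["dst"] in C2_IPS:
        reasons.append("known-c2-ip")
    if rec.get("uri") and C2_URI_RE.match(rec["uri"]):
        reasons.append("c2-uri-pattern")
    # Port 443 without a TLS handshake is how the non-HTTPS channel shows up in
    # the reporting; on its own this is a hunting lead, not a verdict.
    if rec["dport"] == 443 and rec.get("service", "") != "ssl":
        reasons.append("non-tls-on-443")
    return reasons


def hunt(records):
    """Return (record, reasons) pairs for every record with at least one reason."""
    hits = []
    for rec in records:
        reasons = classify(rec)
        if reasons:
            hits.append((rec, reasons))
    return hits


def high_confidence(records):
    """Records that pair a known C2 address with a second, independent signal."""
    return [rec for rec, reasons in hunt(records)
            if "known-c2-ip" in reasons and len(reasons) >= 2]


# Constructed sample records: the first three mimic the traffic described above,
# the last two are benign. Timestamps and internal addresses are made up.
SAMPLE_RECORDS = [
    {"ts": "2026-03-24T14:02:11Z", "src": "10.0.0.25", "dst": "91.92.241.102",
     "dport": C2_PORT, "service": "http", "uri": "/wmglb"},
    {"ts": "2026-03-24T14:02:13Z", "src": "10.0.0.25", "dst": "91.92.241.102",
     "dport": C2_PORT, "service": "http",
     "uri": "/wbinjget?q=66B553A8B94CE37C16F4EBC863D51FCC"},
    {"ts": "2026-03-24T14:02:40Z", "src": "10.0.0.25", "dst": "91.92.241.102",
     "dport": 443, "service": "", "uri": None},
    {"ts": "2026-03-24T14:03:00Z", "src": "10.0.0.25", "dst": "203.0.113.7",
     "dport": 443, "service": "ssl", "uri": None},
    {"ts": "2026-03-24T14:03:05Z", "src": "10.0.0.25", "dst": "203.0.113.9",
     "dport": 80, "service": "http", "uri": "/index.html"},
]

if __name__ == "__main__":
    for rec, reasons in hunt(SAMPLE_RECORDS):
        print(rec["ts"], rec["dst"], rec["dport"], ",".join(reasons))
```

Keeping the IP match, the URI pattern and the non-TLS-on-443 check as separate reasons lets the same code serve two purposes: the URI and non-TLS checks still fire after the operators move to new addresses, while the combination with a known address gives the high-confidence set worth paging on.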

Overall, the provided content consistently places Sectop RAT as a Windows-focused second-stage or later-stage RAT used in financially motivated malware delivery ecosystems, commonly following social-engineering or malware-loader activity and often co-deployed with stealers and other RATs.


THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers.
SmartApeSG

The group has been linked to past campaigns that delivered dangerous tools including NetSupport RAT, Remcos RAT, StealC, and Sectop RAT.

via Cyber Security News (cybersecuritynews.com)
ZPHP

The campaign, active as recently as March 24, 2026, delivered four separate malware payloads to a single infected host in one session: Remcos RAT, NetSupport RAT, StealC, and Sectop RAT, also known as ArechClient2.

via Cyber Security News (cybersecuritynews.com)
HANEYMANEY

The campaign, active as recently as March 24, 2026, delivered four separate malware payloads to a single infected host in one session: Remcos RAT, NetSupport RAT, StealC, and Sectop RAT, also known as ArechClient2.

via Cyber Security News (cybersecuritynews.com)
MITRE ATT&CK

Techniques & procedures

16 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques
T1189 Drive-by Compromise (evidence: 2)

SmartApeSG works by injecting malicious scripts into legitimate but already-compromised websites. When a user visits one of these sites, they are redirected to a fake CAPTCHA page.

T1195 Supply Chain Compromise (evidence: 2)

A newly discovered supply chain attack has put thousands of e-commerce websites at risk after a popular third-party reviews widget was quietly turned into a malware delivery tool.

T1566 Phishing (evidence: 1)

The attack used ClickFix-style social engineering lures in later stages.

Execution

4 techniques
T1059.001 PowerShell (evidence: 2)

That command then pulled down a PowerShell script or HTML Application file, which installed a remote access tool or information stealer on the victim’s machine.

T1059.007 JavaScript (evidence: 1)

In this incident, the SmartApeSG injected JavaScript behaved as a staged loader, and did not attempt to execute every action immediately.

T1204 User Execution (evidence: 3)

Victims who passed these filters were shown a fake CAPTCHA or verification screen, a technique known as ClickFix. These prompts instructed users to open the Windows Run menu and paste a command that was already copied silently to their clipboard.

T1204.002 Malicious File (evidence: 1)

The fake CAPTCHA page carries ClickFix instructions that silently copy a malicious script into the user’s clipboard, prompting the victim to paste and execute it manually through the Windows Run dialog box.

Persistence

1 technique
T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

Shown above: Sectop RAT persistent on an infected Windows host.

Privilege Escalation

1 technique
T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

Shown above: Sectop RAT persistent on an infected Windows host.

Stealth

3 techniques
T1218 System Binary Proxy Execution (evidence: 1)

One of the more technically notable aspects of this campaign is how it hides harmful code inside packages that also contain legitimate software.

T1218.005 Mshta (evidence: 2)

That command then pulled down a PowerShell script or HTML Application file, which installed a remote access tool or information stealer on the victim’s machine.

T1218.011 Rundll32 (evidence: 2)

Run method: rundll32 [file path],LoadForm

Collection

1 technique
T1115 Clipboard Data (evidence: 1)

The fake CAPTCHA page carries ClickFix instructions that silently copy a malicious script into the user’s clipboard, prompting the victim to paste and execute it manually through the Windows Run dialog box.

Command and Control

4 techniques
T1071 Application Layer Protocol (evidence: 5)

Lumma Stealer command and control (C2) domains from Triage sandbox analysis... Example of Sectop RAT C2 traffic from an infected Windows host: hxxp[:]//91.92.241[.]102:9000/wmglb ... tcp[:]//91.92.241[.]102:443/ - encoded or otherwise encrypted traffic (not HTTPS/TLS)

T1105 Ingress Tool Transfer (evidence: 2)

Follow-up malware... Retrieved from: hxxps[:]//enotsosun[.]pw/NetGui.dll Saved to: C:\Users\[username]\AppData\Local\Temp\16XBPQ29ZBG94TYNOA.dll

T1219 Remote Access Tools (evidence: 1)

Deploy remote access tools or information stealers.

T1573 Encrypted Channel (evidence: 1)

tcp[:]//91.92.241[.]102:443/ - encoded or otherwise encrypted traffic (not HTTPS/TLS)

INDICATORS OF COMPROMISE

IOCs tracked for this family

22 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Network
11 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
5 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
6 tracked

Other indicator types observed in public reporting.
