ArechClient2
ArechClient2, also known as SectopRAT, is a .NET remote access trojan with numerous capabilities, including multiple defense-evasion functions. Public reporting shows it delivered through several malware distribution chains: ClearFake drive-by and paste-and-run (ClickFix) activity, FakeBat-related MSIX installer campaigns, and follow-on activity observed in Scarlet Goldfinch intrusions; MS-ISAC has also reported it using multiple infection vectors. In the MSIX abuse cases, ArechClient2 appeared alongside RedLine stealer and GHOSTPULSE in activity consistent with FakeBat/Storm-1113.
A notable behavior of ArechClient2 is its use of EtherHiding to obtain command-and-control infrastructure from the Binance Smart Chain since at least June 2025. The malware contains one hardcoded C2 and retrieves a second C2 via an RPC eth_call to a smart contract. The returned data is a base64-encoded tuple marked with "START" and "FINISH" that contains an IV and an encrypted C2 IP; the malware uses an embedded hardcoded AES key and the IV to decrypt the C2 details. Earlier samples queried bsc-dataseed1.binance.org, while newer samples queried 10 Binance Smart Chain API subdomains to reach the same smart contract, likely for resilience or to evade blocking. Researchers identified samples communicating with three different smart contracts, including one updated very frequently.
High-confidence indicators from the reporting include sample SHA-256 79326544757d48a9f0fc0cfd9628df712a92271fa85e1194c5132fa465896e72, smart contract address 0xbd75e2f339d4aebf72ff13f3af4c27096f709a4d, AES key VOqkXCYMgproaIQIj50Z2tsBru1ULFzXeKKKg19WMTs=, and C2 endpoint 138.226.238.96:443. The BSC RPC endpoints reported for newer samples are bsc-dataseed1.binance.org through bsc-dataseed4.binance.org, bsc-dataseed1.ninicoin.io and bsc-dataseed2.ninicoin.io, and bsc-dataseed1.defibit.io through bsc-dataseed4.defibit.io, ten hosts in total, matching the count above. The reporting does not give specific industry targeting for ArechClient2; observed campaigns were described as opportunistic and affecting multiple sectors.
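The EtherHiding retrieval described above is straightforward to reproduce for triage, and the same mechanism is quoted again under Command and Control below. The Go program that follows is an added example written for this page, not ArechClient2 code or a tool from the cited researchers: it takes the hex result of an eth_call, unwraps the ABI-encoded return value, pulls the base64 tuple from between the START and FINISH markers, splits off the IV and decrypts the remainder with the reported AES key. Its assumptions, repeated in the comments, are that the contract returns a single dynamic string/bytes value, that the tuple is the IV followed by the ciphertext, and that the mode is AES-256-CBC with PKCS#7 padding (the reporting states only "AES" with a hardcoded key). No real contract output is reproduced here: the program constructs its own eth_call result by encrypting the C2 endpoint quoted above under a fixed demo IV.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// AES key reported for the analysed sample (base64; decodes to 32 bytes, so AES-256).
const SampleKeyB64 = "VOqkXCYMgproaIQIj50Z2tsBru1ULFzXeKKKg19WMTs="

// DecodeAbiString unwraps an eth_call hex result, assuming the contract returns one
// dynamic string/bytes value: word 0 = offset, word at offset = length, then data.
func DecodeAbiString(hexResult string) (string, error) {
	raw, err := hex.DecodeString(strings.TrimPrefix(hexResult, "0x"))
	if err != nil || len(raw) < 64 {
		return "", errors.New("eth_call result is not ABI-encoded dynamic data")
	}
	off := binary.BigEndian.Uint64(raw[24:32])
	if off > uint64(len(raw))-32 {
		return "", errors.New("ABI offset out of range")
	}
	n := binary.BigEndian.Uint64(raw[off+24 : off+32])
	if n > uint64(len(raw))-off-32 {
		return "", errors.New("ABI length out of range")
	}
	return string(raw[off+32 : off+32+n]), nil
}

// ExtractTuple returns the base64 text bracketed by the START and FINISH markers.
func ExtractTuple(s string) (string, error) {
	i, j := strings.Index(s, "START"), strings.Index(s, "FINISH")
	if i < 0 || j < i+len("START") {
		return "", errors.New("START/FINISH markers missing or out of order")
	}
	return strings.TrimSpace(s[i+len("START") : j]), nil
}

// DecryptTuple base64-decodes the tuple, takes the first 16 bytes as the IV and decrypts
// the rest with AES-256-CBC/PKCS#7. CBC and the IV||ciphertext layout are assumptions.
func DecryptTuple(tupleB64, keyB64 string) (string, error) {
	key, errK := base64.StdEncoding.DecodeString(keyB64)
	blob, errT := base64.StdEncoding.DecodeString(tupleB64)
	if errK != nil || errT != nil {
		return "", errors.New("key or tuple is not valid base64")
	}
	block, err := aes.NewCipher(key)
	if err != nil || len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return "", errors.New("bad key length, or tuple is not an IV plus whole AES blocks")
	}
	pt := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(pt, blob[aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("bad PKCS#7 padding: wrong key, mode or layout")
	}
	return string(pt[:len(pt)-pad]), nil
}

// RecoverC2 runs all three steps on a raw eth_call result.
func RecoverC2(hexResult, keyB64 string) (string, error) {
	s, err := DecodeAbiString(hexResult)
	if err != nil {
		return "", err
	}
	tuple, err := ExtractTuple(s)
	if err != nil {
		return "", err
	}
	return DecryptTuple(tuple, keyB64)
}

// BuildSampleResult is the inverse chain; it exists only to construct offline test input.
func BuildSampleResult(c2, keyB64 string, iv []byte) string {
	key, _ := base64.StdEncoding.DecodeString(keyB64)
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(c2)%aes.BlockSize
	pt := append([]byte(c2), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	body := []byte("START" + base64.StdEncoding.EncodeToString(append(append([]byte{}, iv...), ct...)) + "FINISH")
	out := make([]byte, 64) // word 0: offset 0x20; word 1: byte length of body
	out[31] = 0x20
	binary.BigEndian.PutUint64(out[56:], uint64(len(body)))
	out = append(out, body...)
	out = append(out, make([]byte, (32-len(body)%32)%32)...) // right-pad to a 32-byte boundary
	return "0x" + hex.EncodeToString(out)
}

func main() { // constructed input: the C2 quoted on this page, encrypted under a fixed demo IV
	res := BuildSampleResult("138.226.238.96:443", SampleKeyB64, []byte("0123456789abcdef"))
	fmt.Println(RecoverC2(res, SampleKeyB64))
}
```

If a real eth_call result decrypts to garbage, the padding check is the first thing to fail; try the other block modes (ECB ignores the IV, CFB and CTR need no padding) before concluding that the key has rotated. Because the contract is public and read-only, the lookup can be replayed against any of the ten RPC hosts listed above to watch for C2 changes without ever touching the C2 itself.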
Groups observed using it
2 distinct threat actors attributed by public researchers.
ClearFake has delivered multiple payloads over time, including ArechClient2 and LummaC2; most recently, we’ve observed ACR Stealer, which debuts in this month’s top 10.
If allowed to continue running beyond this stage, researchers have reported additional payloads including StealC and ArechClient2.
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
3 techniques
Victims are typically lured through malicious advertising or SEO poisoning campaigns, believing they are downloading legitimate software such as Grammarly, Microsoft Teams, Notion, or Zoom.
MITRE ATT&CK mapping: Resource Development / Acquire Infrastructure: Domains (T1583.001). Notes: casyetnx[.]pw via CNOBIN, hosting via dataforest/VDSINA
Initial Access
1 technique
ClearFake is an activity cluster that uses JavaScript injected into compromised websites to deliver malware via drive-by download techniques
Execution
4 techniques
When victims open these MSIX packages, the StartingScriptWrapper.ps1 component launches embedded PowerShell scripts that employ process injection to execute POWERTRASH and Carbanak malware... The third identified threat, the FakeBat cluster, also uses Advanced Installer but executes malicious PowerShell scripts via StartingScriptWrapper.ps1.
Stage 3 -- Legitimate Python Binary : The ZIP extracts to a directory containing FNPLicensingService.exe -- which is actually a renamed, legitimately signed CPython 3.15 pythonw.exe... Stage 4 -- Obfuscated Python Loader : chrome_100_percent.pak ... is an ASCII text file containing obfuscated Python code.
often using fake CAPTCHA lures to trick users into executing code via malicious copy and paste (paste and run, ClickFix, fakeCAPTCHA)
The fake CAPTCHA page carries ClickFix instructions that silently copy a malicious script into the user’s clipboard, prompting the victim to paste and execute it manually through the Windows Run dialog box.
Persistence
2 techniques
Privilege Escalation
3 techniques
Rather than the standard CreateThread or NtCreateThreadEx injection techniques... the loader uses Windows Fibers: VirtualAlloc(RWX) ... ConvertThreadToFiber(0) ... CreateFiber(0, addr, 0) ... SwitchToFiber(fiber)
MITRE ATT&CK mapping: Persistence / Boot or Logon Autostart Execution (T1547). Notes: SectopRAT standard persistence
Defense Evasion
7 techniques
ClearFake fetches and executes base64 encoded and gzip compressed code... The initial smart contract delivers an obfuscated JavaScript payload... Both SharkStealer and ArechClient2 use AES decryption with a hardcoded key... LoaderOnNet... uses ChaCha20Poly1305 encryption for both data exchange with the C2 server and the data pulled from the smart contract.
MITRE ATT&CK mapping: Defense Evasion / Obfuscated Files or Information: Software Packing (T1027.002). Notes: Reversed Base64 + Zlib compression
MITRE ATT&CK mapping: Defense Evasion / Masquerading: Match Legitimate Name or Location (T1036.005). Notes: FNPLicensingService.exe (renamed pythonw.exe)
The chrome_100_percent.pak file decodes through three distinct layers... reverse string, base64 decode, zlib decompress ... rolling XOR decrypts embedded SectopRAT PE
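Unpacking the chrome_100_percent.pak layers quoted above can be automated. The Go program below is an added example for this page, not code from the campaign or from the researchers who documented it. It runs the documented chain (reverse the string, base64-decode, zlib-inflate, then XOR) and checks that the result carries the MZ and PE\0\0 headers before treating it as the embedded SectopRAT PE. The XOR step is implemented as a repeating-key XOR, which is an assumption about what the write-up calls "rolling XOR"; the real key and schedule have to be recovered from the loader, so RollingXOR is the function to swap out. The packed input is constructed by the program itself (a minimal MZ/PE header stub under a demo key), so it runs offline.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"io"
)

// ReverseString undoes layer 1: the loader stores the blob reversed.
func ReverseString(s string) string {
	b := []byte(s)
	for i, j := 0, len(b)-1; i < j; i, j = i+1, j-1 {
		b[i], b[j] = b[j], b[i]
	}
	return string(b)
}

// RollingXOR is a repeating-key XOR, an assumed stand-in for the loader's "rolling XOR";
// replace it with the routine recovered from the sample. XOR is its own inverse.
func RollingXOR(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// Unpack runs the documented chain: reverse string -> base64 decode -> zlib inflate -> XOR.
func Unpack(packed string, key []byte) ([]byte, error) {
	z, err := base64.StdEncoding.DecodeString(ReverseString(packed))
	if err != nil {
		return nil, fmt.Errorf("layer 2 (base64): %w", err)
	}
	zr, err := zlib.NewReader(bytes.NewReader(z))
	if err != nil {
		return nil, fmt.Errorf("layer 3 (zlib): %w", err)
	}
	defer zr.Close()
	raw, err := io.ReadAll(io.LimitReader(zr, 64<<20)) // cap inflation at 64 MiB
	if err != nil {
		return nil, fmt.Errorf("layer 3 (zlib): %w", err)
	}
	return RollingXOR(raw, key), nil
}

// IsPE checks the DOS "MZ" magic and the "PE\0\0" signature at e_lfanew: the sanity
// check that the final layer was decrypted with the right key.
func IsPE(b []byte) bool {
	if len(b) < 0x40 || string(b[:2]) != "MZ" {
		return false
	}
	off := uint64(binary.LittleEndian.Uint32(b[0x3c:0x40]))
	return off+4 <= uint64(len(b)) && string(b[off:off+4]) == "PE\x00\x00"
}

// Pack is the inverse chain, used only to build the constructed sample offline.
func Pack(pe, key []byte) string {
	var zb bytes.Buffer
	zw := zlib.NewWriter(&zb)
	zw.Write(RollingXOR(pe, key))
	zw.Close()
	return ReverseString(base64.StdEncoding.EncodeToString(zb.Bytes()))
}

// FakePE builds a minimal MZ/PE header stub (constructed; not a real binary).
func FakePE() []byte {
	pe := make([]byte, 0x48)
	copy(pe, "MZ")
	binary.LittleEndian.PutUint32(pe[0x3c:], 0x40)
	copy(pe[0x40:], "PE\x00\x00")
	return pe
}

func main() {
	key := []byte("demo-key") // assumed key for the constructed sample
	out, err := Unpack(Pack(FakePE(), key), key)
	fmt.Println(IsPE(out), err)
}
```

Inflation is capped at 64 MiB so a hostile blob cannot exhaust memory, and a wrong XOR key is caught by the header check instead of surfacing as a confusing failure further down the pipeline. When layer 3 inflates cleanly but IsPE still fails, the XOR routine is the wrong one, not the key alone.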
One of the more technically notable aspects of this campaign is how it hides harmful code inside packages that also contain legitimate software.
Collection
2 techniques
Stage 9 -- Data Theft: browser credential/cookie theft; cryptocurrency wallet theft; application credential harvesting
Command and Control
8 techniques
Smart contract returns base64 encoded tuple (with “START” and “FINISH” markers) consisting of IV and encrypted C2 IP
Lumma Stealer command and control (C2) domains from Triage sandbox analysis... Example of Sectop RAT C2 traffic from an infected Windows host: hxxp[:]//91.92.241[.]102:9000/wmglb ... tcp[:]//91.92.241[.]102:443/ - encoded or otherwise encrypted traffic (not HTTPS/TLS)
Stage 8: C2 Communication HTTP to 94[.]26[.]106[.]216:9000 /wbinjget -- heartbeat ... /wmglb -- payload/config download
Threat actors store data (for example C2 configuration) or code on a public blockchain... they can access it through a legitimate API endpoint... SharkStealer and ArechClient2... pull their C2 configuration from a smart contract... ZigCryptoStealer... uses smart contracts to receive their C2 configuration.
Follow-up malware... Retrieved from: hxxps[:]//enotsosun[.]pw/NetGui.dll Saved to: C:\Users\[username]\AppData\Local\Temp\16XBPQ29ZBG94TYNOA.dll
ArechClient2 contains one hardcoded C2, fetches second C2 server from Binance Smart Chain via RPC call (eth_call)
MITRE ATT&CK mapping: Command and Control / Non-Standard Port (T1571). Notes: Port 9000
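The traffic quoted in this section (plain HTTP to port 9000 with the /wbinjget and /wmglb paths, and encoded but non-TLS traffic on tcp/443) maps directly onto a hunt. The Go program below is an added example for this page, not a vendor rule: it parses Zeek-flavoured connection summaries in a tab-separated format assumed for this example (destination, port, identified service, HTTP URI and the first client bytes in hex) and flags the three patterns. The sample lines are constructed and reuse the C2 addresses quoted above; none is a real capture, and the benign lines use documentation address space.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// Indicators quoted in this section: the C2 URI paths and the non-standard port.
var (
	c2Paths = map[string]bool{"/wbinjget": true, "/wmglb": true}
	c2Port  = 9000
)

// Flow is one connection summary. The field set and order are assumptions of this
// example; in Zeek terms they map to conn.log id.resp_h/id.resp_p/service and http.log uri.
type Flow struct {
	DstIP, Service, URI, FirstBytesHex string
	DstPort                            int
}

// ParseFlow reads one line: dst_ip<TAB>dst_port<TAB>service<TAB>uri<TAB>first_bytes_hex.
func ParseFlow(line string) (Flow, error) {
	f := strings.Split(line, "\t")
	if len(f) != 5 {
		return Flow{}, fmt.Errorf("expected 5 fields, got %d", len(f))
	}
	port, err := strconv.Atoi(f[1])
	if err != nil {
		return Flow{}, err
	}
	return Flow{DstIP: f[0], DstPort: port, Service: f[2], URI: f[3], FirstBytesHex: f[4]}, nil
}

// looksLikeTLS reports whether the first client bytes form a TLS record header:
// content type 0x16 (handshake) followed by protocol major version 0x03.
func looksLikeTLS(firstBytesHex string) bool {
	b, err := hex.DecodeString(firstBytesHex)
	return err == nil && len(b) >= 3 && b[0] == 0x16 && b[1] == 0x03
}

// Classify returns the reasons a flow matches the SectopRAT C2 pattern (nil = no match).
func Classify(fl Flow) []string {
	var hits []string
	if fl.Service == "http" && c2Paths[fl.URI] {
		hits = append(hits, "known C2 URI "+fl.URI)
	}
	if fl.Service == "http" && fl.DstPort == c2Port {
		hits = append(hits, "plain HTTP on non-standard port 9000 (T1571)")
	}
	if fl.DstPort == 443 && fl.FirstBytesHex != "" && !looksLikeTLS(fl.FirstBytesHex) {
		hits = append(hits, "non-TLS payload on tcp/443")
	}
	return hits
}

// Hunt runs Classify over log lines and returns "ip:port" -> reasons for matches only.
// Unparseable lines are skipped rather than aborting the whole run.
func Hunt(lines []string) map[string][]string {
	out := map[string][]string{}
	for _, ln := range lines {
		fl, err := ParseFlow(ln)
		if err != nil {
			continue
		}
		if hits := Classify(fl); len(hits) > 0 {
			key := fmt.Sprintf("%s:%d", fl.DstIP, fl.DstPort)
			out[key] = append(out[key], hits...)
		}
	}
	return out
}

// SampleLog is constructed test data mirroring the traffic described in this section;
// "-" means the field was not observed. 474554 is "GET", 160301 is a TLS client hello.
var SampleLog = []string{
	"94.26.106.216\t9000\thttp\t/wbinjget\t474554", // heartbeat
	"91.92.241.102\t9000\thttp\t/wmglb\t474554",    // payload/config download
	"91.92.241.102\t443\t-\t-\t0a1b2c3d",           // encoded traffic, not TLS
	"198.51.100.10\t443\tssl\t-\t160301",           // ordinary TLS (benign)
	"203.0.113.5\t80\thttp\t/index.html\t474554",   // ordinary HTTP (benign)
}

func main() {
	for dst, why := range Hunt(SampleLog) {
		fmt.Println(dst, why)
	}
}
```

The tcp/443 check is the one worth keeping beyond this family: a client hello always starts with a TLS record header, so anything else on 443 deserves a look regardless of destination. The first-bytes field is not a standard Zeek conn.log column; it would come from a packet capture or a small custom script, which is why the example treats an empty value as "unknown" rather than as a miss.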
Exfiltration
1 technique
MITRE ATT&CK mapping: Exfiltration / Exfiltration Over C2 Channel (T1041). Notes: HTTP exfiltration
Other
1 technique
IOCs tracked for this family
131 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
10 sources tracked across advisories, community write-ups, and news.
Referenced as one of the malware payloads delivered by ClearFake campaigns.
Malware that uses EtherHiding to pull C2 configuration from a smart contract, using AES decryption with a hardcoded key and embedded smart contract data.
An additional payload reportedly delivered in later stages of Scarlet Goldfinch activity.
Payload delivered by malicious MSIX packages in activity consistent with FakeBat operations.