Mallory
Malware · Used by 3 actors

Sectop RAT

Sectop RAT, also referred to in the provided reporting as ArechClient2, is a Windows remote access trojan observed as a follow-on payload in multiple malware delivery chains. The content links it to financially motivated malware distribution activity rather than a single exclusive operator. It has been observed after Lumma Stealer infections delivered through cracked-software lures and fake download pages, in SmartApeSG/ZPHP/HANEYMANEY ClickFix infections alongside Remcos RAT, NetSupport RAT, and StealC, and as a possible follow-on payload from Storm-1113/EugenLoader and Storm-1674 campaigns abusing malicious MSIX/App Installer workflows and Teams phishing. Rapid7 reporting in the content also states earlier IDAT loader variants were disguised as a 7-Zip installer that delivered SecTop RAT.

In the cracked-software infection chain described in the content, a password-protected 7-zip archive masquerading as Adobe Premiere Pro delivered an inflated Lumma Stealer executable padded with null bytes to reduce detection, after which Sectop RAT was retrieved as a 64-bit DLL from hxxps://enotsosun[.]pw/NetGui.dll. That DLL had SHA256 d9b576eb6827f38e33eda037d2cda4261307511303254a8509eeb28048433b2f, size 16,450,560 bytes, was saved as C:\Users\[username]\AppData\Local\Temp\16XBPQ29ZBG94TYNOA.dll, and was executed via rundll32 [file path],LoadForm. Example command-and-control traffic for this sample included hxxp://91.92.241[.]102:9000/wmglb and hxxp://91.92.241[.]102:9000/wbinjget?q=66B553A8B94CE37C16F4EBC863D51FCC, and the infected host also communicated with 91.92.241[.]102 over TCP/443 using encoded or encrypted traffic that was not HTTPS/TLS.

In SmartApeSG ClickFix activity observed on 2026-03-24, Sectop RAT appeared as a later-stage payload after the victim executed clipboard-injected script from a fake CAPTCHA page. The campaign delivered four payloads to one host in sequence: Remcos RAT, NetSupport RAT, StealC, and Sectop RAT. Reporting states the Remcos RAT, StealC, and Sectop RAT packages used DLL side-loading with legitimate executables. In that campaign, Sectop RAT activity began at 19:36 UTC, and one cited package was a RAR archive saved as C:\ProgramData\drag2pdf.zip with SHA256 c90435370728d48cba1c00d92cc3bf99e85f01aa52ecd6c6df2e8137db964796. The associated C2 noted in the content was 195.85.115[.]11:9000.

The content also places Sectop RAT in broader malware ecosystem reporting: Microsoft states Storm-1113/EugenLoader can deliver Sectop RAT among other payloads, and Storm-1674 lures likely drop SectopRAT or DarkGate. C2 Tracker material referenced in the content lists Sectop RAT among tracked RAT infrastructure families.

High-confidence indicators directly mentioned in the content include: SHA256 d9b576eb6827f38e33eda037d2cda4261307511303254a8509eeb28048433b2f for a Sectop RAT DLL; retrieval URL hxxps://enotsosun[.]pw/NetGui.dll; execution via rundll32 with export LoadForm; local path C:\Users\[username]\AppData\Local\Temp\16XBPQ29ZBG94TYNOA.dll; C2 91.92.241[.]102 on ports 9000 and 443 with URIs /wmglb and /wbinjget?q=66B553A8B94CE37C16F4EBC863D51FCC; SmartApeSG-associated C2 195.85.115[.]11:9000; and SmartApeSG package hash c90435370728d48cba1c00d92cc3bf99e85f01aa52ecd6c6df2e8137db964796 for C:\ProgramData\drag2pdf.zip.
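As an added hunting example (not code from the Mallory page or from the cited reporting), the following Python turns the behaviours described above into checks over constructed telemetry: a rundll32 launch of a DLL from a user's AppData\Local\Temp directory with a named export, a file hash or destination matching the indicators quoted on this page, and a TCP/443 session whose first bytes are not a TLS record header. The username, the benign comparison samples and the byte strings are constructed; the hashes and C2 addresses are the ones quoted above.

```python
import re
# Indicators quoted on this page (defanged there; plain here so they can be matched).
KNOWN_SHA256 = {
    "d9b576eb6827f38e33eda037d2cda4261307511303254a8509eeb28048433b2f",
    "c90435370728d48cba1c00d92cc3bf99e85f01aa52ecd6c6df2e8137db964796",
}
KNOWN_C2 = {"91.92.241.102", "195.85.115.11"}
# rundll32 <path>,<export> where <path> sits under a user's AppData\Local\Temp.
RUNDLL32_TEMP = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>\S*\\AppData\\Local\\Temp\\[^,\s]+)\s*,\s*(?P<export>\w+)",
    re.IGNORECASE,
)

def check_process(cmdline: str, sha256: str = "") -> list[str]:
    """Reasons a process-creation event matches the Sectop RAT loader pattern."""
    reasons = []
    m = RUNDLL32_TEMP.search(cmdline)
    if m:
        reasons.append(f"rundll32 loads {m['dll']} from Temp via export {m['export']}")
    if sha256.lower() in KNOWN_SHA256:
        reasons.append("file hash matches a published Sectop RAT indicator")
    return reasons

def check_flow(dst_ip: str, dst_port: int, first_bytes: bytes) -> list[str]:
    """Reasons a flow matches the C2 pattern above (known C2 address, non-TLS on 443)."""
    reasons = []
    if dst_ip in KNOWN_C2:
        reasons.append("destination is a published Sectop RAT C2 address")
    # A TLS record begins with content type 0x16 (handshake) and major version 0x03;
    # a 443 session that does not is the "encoded, not HTTPS/TLS" traffic noted above.
    if dst_port == 443 and first_bytes[:2] != b"\x16\x03":
        reasons.append("port 443 session does not begin with a TLS record header")
    return reasons

# Constructed sample telemetry modelled on the paths and C2 quoted on this page.
SAMPLE_PROCESSES = [
    ("rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\16XBPQ29ZBG94TYNOA.dll,LoadForm",
     "d9b576eb6827f38e33eda037d2cda4261307511303254a8509eeb28048433b2f"),
    ("rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL", ""),  # benign
]
SAMPLE_FLOWS = [
    ("91.92.241.102", 443, b"\x8a\x17\x02\x00"),  # constructed non-TLS first bytes
    ("203.0.113.10", 443, b"\x16\x03\x01\x02"),   # constructed TLS ClientHello header
]

if __name__ == "__main__":
    for cmd, digest in SAMPLE_PROCESSES:
        print(cmd, "->", check_process(cmd, digest) or "clean")
    for ip, port, head in SAMPLE_FLOWS:
        print(f"{ip}:{port} ->", check_flow(ip, port, head) or "clean")
```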

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

SmartApeSG

The campaign, active as recently as March 24, 2026, delivered four separate malware payloads to a single infected host in one session: Remcos RAT, NetSupport RAT, StealC, and Sectop RAT, also known as ArechClient2.

via Cyber Security News (cybersecuritynews.com)

ZPHP

Same campaign description and source as the SmartApeSG entry above.

HANEYMANEY

Same campaign description and source as the SmartApeSG entry above.
MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1189 Drive-by Compromise (Evidence: 2)

SmartApeSG works by injecting malicious scripts into legitimate but already-compromised websites. When a user visits one of these sites, they are redirected to a fake CAPTCHA page.

Execution

2 techniques
T1204 User Execution (Evidence: 1)
Tactic: Execution

A threat campaign known as SmartApeSG ... has been observed pushing multiple strains of malware through a social engineering technique called ClickFix.

T1204.002 Malicious File (Evidence: 1)
Tactic: Execution

The fake CAPTCHA page carries ClickFix instructions that silently copy a malicious script into the user’s clipboard, prompting the victim to paste and execute it manually through the Windows Run dialog box.

Persistence

1 technique
T1547.001 Registry Run Keys / Startup Folder (Evidence: 1)

Shown above: Sectop RAT persistent on an infected Windows host.


Stealth

2 techniques
T1218 System Binary Proxy Execution (Evidence: 1)
Tactic: Stealth

One of the more technically notable aspects of this campaign is how it hides harmful code inside packages that also contain legitimate software.

T1218.011 Rundll32 (Evidence: 2)
Tactic: Stealth

Run method: rundll32 [file path],LoadForm

Collection

1 technique
T1115 Clipboard Data (Evidence: 1)

The fake CAPTCHA page carries ClickFix instructions that silently copy a malicious script into the user’s clipboard, prompting the victim to paste and execute it manually through the Windows Run dialog box.

Command and Control

3 techniques
T1071 Application Layer Protocol (Evidence: 5)

Lumma Stealer command and control (C2) domains from Triage sandbox analysis... Example of Sectop RAT C2 traffic from an infected Windows host: hxxp[:]//91.92.241[.]102:9000/wmglb ... tcp[:]//91.92.241[.]102:443/ - encoded or otherwise encrypted traffic (not HTTPS/TLS)

T1105 Ingress Tool Transfer (Evidence: 2)

Follow-up malware... Retrieved from: hxxps[:]//enotsosun[.]pw/NetGui.dll Saved to: C:\Users\[username]\AppData\Local\Temp\16XBPQ29ZBG94TYNOA.dll

T1573 Encrypted Channel (Evidence: 1)

tcp[:]//91.92.241[.]102:443/ - encoded or otherwise encrypted traffic (not HTTPS/TLS)

INDICATORS OF COMPROMISE

IOCs tracked for this family

16 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
8 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
5 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
3 tracked

Other indicator types observed in public reporting.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (16)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (3)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (10)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.