{"id":2112,"date":"2026-03-25T01:05:34","date_gmt":"2026-03-25T01:05:34","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/"},"modified":"2026-03-25T01:05:34","modified_gmt":"2026-03-25T01:05:34","slug":"smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/","title":{"rendered":"SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2), (Wed, Mar 25th)"},"content":{"rendered":"<div>\n<p><em><strong>Introduction<\/strong><\/em><\/p>\n<p>This diary provides indicators from the SmartApeSG (ZPHP, HANEYMANEY) campaign I saw on Tuesday, 2026-03-24. SmartApeSG is one of many campaigns that use the <a href=\"https:\/\/unit42.paloaltonetworks.com\/preventing-clickfix-attack-vector\/\">ClickFix<\/a> technique. This past week, I&#8217;ve seen NetSupport RAT as follow-up malware from Remcos RAT pushed by this campaign. But this time, I also saw indicators for StealC malware and Sectop RAT (ArechClient2) after NetSupport RAT appeared on my infected lab host.<\/p>\n<p>Not all of the follow-up malware appears shortly after the initial Remcos RAT malware. 
Here&#8217;s the timeline for malware from my SmartApeSG activity on Tuesday 2026-03-24:<\/p>\n<ul>\n<li>17:11 UTC &#8211; Ran ClickFix script from SmartApeSG fake CAPTCHA page<\/li>\n<li>17:12 UTC &#8211; Remcos RAT post-infection traffic starts<\/li>\n<li>17:16 UTC &#8211; NetSupport RAT post-infection traffic starts<\/li>\n<li>18:18 UTC &#8211; StealC post-infection traffic starts<\/li>\n<li>19:36 UTC &#8211; Sectop RAT post-infection traffic starts<\/li>\n<\/ul>\n<p>While the NetSupport RAT activity happened approximately 4 minutes after the Remcos RAT activity, the StealC traffic didn&#8217;t happen until approximately 1 hour after the NetSupport RAT activity started. And the traffic for Sectop RAT happened approximately 1 hour and 18 minutes after the StealC activity started.<\/p>\n<p><em><strong>Images from the infection<\/strong><\/em><\/p>\n<p><a href=\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-03-25-ISC-diary-image-01.png\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-03-25-ISC-diary-image-01a.png\" style=\"border-width: 2px; border-style: solid;\"><\/a><br \/>\n<em>Shown above: Page from a legitimate but compromised website with injected script for the fake CAPTCHA page.<\/em><\/p>\n<p><a href=\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-03-25-ISC-diary-image-02.png\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-03-25-ISC-diary-image-02a.png\" style=\"border-width: 2px; border-style: solid;\"><\/a><br \/>\n<em>Shown above: Fake CAPTCHA page with ClickFix instructions. 
This image shows the malicious script injected into a user&#8217;s clipboard.<\/em><\/p>\n<p><a href=\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-03-25-ISC-diary-image-03c.png\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-03-25-ISC-diary-image-03d.png\" style=\"border-width: 2px; border-style: solid;\"><\/a><br \/>\n<em>Shown above: Traffic from the infection filtered in Wireshark.<\/em><\/p>\n<p><em><strong>Indicators of Compromise<\/strong><\/em><\/p>\n<p>Associated domains and IP addresses:<\/p>\n<ul>\n<li><span style=\"font-family:Courier New,Courier,monospace;\">fresicrto[.]top<\/span> &#8211; Domain for server hosting fake CAPTCHA page<\/li>\n<li><span style=\"font-family:Courier New,Courier,monospace;\">urotypos[.]com<\/span> &#8211; Called by ClickFix instructions, this domain is for a server hosting the initial malware<\/li>\n<li><span style=\"font-family:Courier New,Courier,monospace;\">95.142.45[.]231:443<\/span> &#8211; Remcos RAT C2 server<\/li>\n<li><span style=\"font-family:Courier New,Courier,monospace;\">185.163.47[.]220:443<\/span> &#8211; NetSupport RAT C2 server<\/li>\n<li><span style=\"font-family:Courier New,Courier,monospace;\">89.46.38[.]100:80<\/span> &#8211; StealC C2 server<\/li>\n<li><span style=\"font-family:Courier New,Courier,monospace;\">195.85.115[.]11:9000<\/span> &#8211; Sectop RAT (ArechClient2) C2 server<\/li>\n<\/ul>\n<p>Example of HTA file retrieved by ClickFix script:<\/p>\n<ul>\n<li>SHA256 hash: <a href=\"https:\/\/bazaar.abuse.ch\/sample\/212d8007a7ce374d38949cf54d80133bd69338131670282008940f1995d7a720\/\"><span style=\"font-family:Courier New,Courier,monospace;\">212d8007a7ce374d38949cf54d80133bd69338131670282008940f1995d7a720<\/span><\/a><\/li>\n<li>File size: 47,714 bytes<\/li>\n<li>File type: HTML document text, ASCII text, with very long lines (6272)<\/li>\n<li>Retrieved from: <span style=\"font-family:Courier 
New,Courier,monospace;\">hxxps[:]\/\/urotypos[.]com\/cd\/temp<\/span><\/li>\n<li>Saved location: <span style=\"font-family:Courier New,Courier,monospace;\">C:\\Users\\[username]\\AppData\\Local\\post.hta<\/span><\/li>\n<li>Note: ClickFix script deletes the file after retrieving and running it<\/li>\n<\/ul>\n<p>Example of ZIP archive for Remcos RAT retrieved by the above HTA file:<\/p>\n<ul>\n<li>SHA256 hash: <a href=\"https:\/\/bazaar.abuse.ch\/sample\/a6a748c0606fb9600fdf04763523b7da20b382b054b875fdd1ef1c36fc16079a\"><span style=\"font-family:Courier New,Courier,monospace;\">a6a748c0606fb9600fdf04763523b7da20b382b054b875fdd1ef1c36fc16079a<\/span><\/a><\/li>\n<li>File size: 85,328,653 bytes<\/li>\n<li>File type: Zip archive data, at least v2.0 to extract, compression method=deflate<\/li>\n<li>Retrieved from: <span style=\"font-family:Courier New,Courier,monospace;\">hxxps:\/\/urotypos[.]com\/ls\/production<\/span><\/li>\n<li>Saved location: <span style=\"font-family:Courier New,Courier,monospace;\">C:\\Users\\[username]\\AppData\\Local\\361118191361118191.pdf<\/span><\/li>\n<\/ul>\n<p>ZIP archive containing NetSupport RAT package:<\/p>\n<ul>\n<li>SHA256 hash: <a href=\"https:\/\/bazaar.abuse.ch\/sample\/6e26ff49387088178319e116700b123d27216d98ba3ae1ce492544cb9acd38f0\/\"><span style=\"font-family:Courier New,Courier,monospace;\">6e26ff49387088178319e116700b123d27216d98ba3ae1ce492544cb9acd38f0<\/span><\/a><\/li>\n<li>File size: 9,171,647 bytes<\/li>\n<li>File type: Zip archive data, at least v2.0 to extract, compression method=deflate<\/li>\n<li>File name: <span style=\"font-family:Courier New,Courier,monospace;\">UpdateInstaller.zip<\/span><\/li>\n<li>Note: I created this zip archive from the extracted files under C:\\ProgramData\\UpdateInstaller<\/li>\n<\/ul>\n<p>RAR archive for StealC package:<\/p>\n<ul>\n<li>SHA256 hash: <a href=\"https:\/\/bazaar.abuse.ch\/sample\/a7b9be1211c6de76bab31dbcd3a1c99861cf18e3230ea9f634e07d22c179d1ca\/\"><span style=\"font-family:Courier 
New,Courier,monospace;\">a7b9be1211c6de76bab31dbcd3a1c99861cf18e3230ea9f634e07d22c179d1ca<\/span><\/a><\/li>\n<li>File size: 6,178,471 bytes<\/li>\n<li>File type: RAR archive data, v5<\/li>\n<li>Saved location: <span style=\"font-family:Courier New,Courier,monospace;\">C:\\Users\\Public\\Music\\finalmesh.zip<\/span><\/li>\n<\/ul>\n<p>RAR archive for Sectop RAT (ArechClient2) package:<\/p>\n<ul>\n<li>SHA256 hash: <a href=\"https:\/\/bazaar.abuse.ch\/sample\/c90435370728d48cba1c00d92cc3bf99e85f01aa52ecd6c6df2e8137db964796\/\"><span style=\"font-family:Courier New,Courier,monospace;\">c90435370728d48cba1c00d92cc3bf99e85f01aa52ecd6c6df2e8137db964796<\/span><\/a><\/li>\n<li>File size: 6,908,049 bytes<\/li>\n<li>File type: RAR archive data, v5<\/li>\n<li>Saved location: <span style=\"font-family:Courier New,Courier,monospace;\">C:\\ProgramData\\drag2pdf.zip<\/span><\/li>\n<\/ul>\n<p><em><strong>Final words<\/strong><\/em><\/p>\n<p>The archive files for Remcos RAT, StealC and Sectop RAT are packages that use legitimate EXE files to side-load malicious DLLs (a technique called DLL side-loading). The NetSupport RAT package is a legitimate tool that&#8217;s configured to use an attacker-controlled server.<\/p>\n<p>As always, the files, URLs and domains for SmartApeSG activity change on a near-daily basis. And names of the HTA file and ZIP archive for Remcos RAT are different for each infection. The indicators described in this article may no longer be current as you read this. However, this activity confirms that the SmartApeSG campaign can push a variety of malware after an initial infection.<\/p>\n<p>&#8212;<br \/>\nBradley Duncan<br \/>\nbrad [at] malware-traffic-analysis.net<\/p>\n<p> (c) SANS Internet Storm Center. 
https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Introduction This diary provides indicators from the SmartApeSG (ZPHP, HANEYMANEY) campaign I saw on Tuesday, 2026-03-24. SmartApeSG is one of many campaigns that use the ClickFix technique. This past week, I&#8217;ve seen NetSupport RAT as follow-up malware from Remcos RAT pushed by this campaign. But this time, I also saw indicators for StealC malware and [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[90],"tags":[91],"class_list":["post-2112","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","tag-cybersecurity"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2), (Wed, Mar 25th) - Imperative Business Ventures Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2), (Wed, Mar 25th) - Imperative Business Ventures Limited\" 
\/>\n<meta property=\"og:description\" content=\"Introduction This diary provides indicators from the SmartApeSG (ZPHP, HANEYMANEY) campaign I saw on Tuesday, 2026-03-24. SmartApeSG is one of many campaigns that use the ClickFix technique. This past week, I&#8217;ve seen NetSupport RAT as follow-up malware from Remcos RAT pushed by this campaign. But this time, I also saw indicators for StealC malware and [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/\" \/>\n<meta property=\"og:site_name\" content=\"Imperative Business Ventures Limited\" \/>\n<meta property=\"article:published_time\" content=\"2026-03-25T01:05:34+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-03-25-ISC-diary-image-01a.png\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"headline\":\"SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2), (Wed, Mar 25th)\",\"datePublished\":\"2026-03-25T01:05:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/\"},\"wordCount\":679,\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-03-25-ISC-diary-image-01a.png\",\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"Cybersecurity\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/\",\"url\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/\",\"name\":\"SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2), (Wed, Mar 25th) - Imperative Business Ventures 
Limited\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-03-25-ISC-diary-image-01a.png\",\"datePublished\":\"2026-03-25T01:05:34+00:00\",\"author\":{\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/#primaryimage\",\"url\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-03-25-ISC-diary-image-01a.png\",\"contentUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-03-25-ISC-diary-image-01a.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.ibvl.in\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, 
StealC, and Sectop RAT (ArechClient2), (Wed, Mar 25th)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.ibvl.in\/#website\",\"url\":\"https:\/\/blog.ibvl.in\/\",\"name\":\"Imperative Business Ventures Limited\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.ibvl.in\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/blog.ibvl.in\"],\"url\":\"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2), (Wed, Mar 25th) - Imperative Business Ventures Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/","og_locale":"en_US","og_type":"article","og_title":"SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2), (Wed, Mar 25th) - Imperative Business Ventures Limited","og_description":"Introduction This diary provides indicators from the SmartApeSG (ZPHP, HANEYMANEY) campaign I saw on Tuesday, 2026-03-24. SmartApeSG is one of many campaigns that use the ClickFix technique. This past week, I&#8217;ve seen NetSupport RAT as follow-up malware from Remcos RAT pushed by this campaign. But this time, I also saw indicators for StealC malware and [&hellip;]","og_url":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/","og_site_name":"Imperative Business Ventures Limited","article_published_time":"2026-03-25T01:05:34+00:00","og_image":[{"url":"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-03-25-ISC-diary-image-01a.png","type":"","width":"","height":""}],"author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/#article","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/"},"author":{"name":"admin","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"headline":"SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2), (Wed, Mar 25th)","datePublished":"2026-03-25T01:05:34+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/"},"wordCount":679,"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/#primaryimage"},"thumbnailUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-03-25-ISC-diary-image-01a.png","keywords":["Cybersecurity"],"articleSection":["Cybersecurity"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/","url":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/","name":"SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2), (Wed, Mar 25th) - Imperative Business Ventures 
Limited","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/#primaryimage"},"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/#primaryimage"},"thumbnailUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-03-25-ISC-diary-image-01a.png","datePublished":"2026-03-25T01:05:34+00:00","author":{"@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"breadcrumb":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/#primaryimage","url":"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-03-25-ISC-diary-image-01a.png","contentUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-03-25-ISC-diary-image-01a.png"},{"@type":"BreadcrumbList","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/25\/smartapesg-campaign-pushes-remcos-rat-netsupport-rat-stealc-and-sectop-rat-arechclient2-wed-mar-25th\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.ibvl.in\/"},{"@type":"ListItem","position":2,"name":"SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2), (Wed, Mar 
25th)"}]},{"@type":"WebSite","@id":"https:\/\/blog.ibvl.in\/#website","url":"https:\/\/blog.ibvl.in\/","name":"Imperative Business Ventures Limited","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.ibvl.in\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/blog.ibvl.in"],"url":"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/2112","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=2112"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/2112\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=2112"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=2112"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\
/wp\/v2\/tags?post=2112"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}