{"id":2558,"date":"2026-04-17T01:05:46","date_gmt":"2026-04-17T01:05:46","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/17\/lumma-stealer-infection-with-sectop-rat-arechclient2-fri-apr-17th\/"},"modified":"2026-04-17T01:05:46","modified_gmt":"2026-04-17T01:05:46","slug":"lumma-stealer-infection-with-sectop-rat-arechclient2-fri-apr-17th","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/17\/lumma-stealer-infection-with-sectop-rat-arechclient2-fri-apr-17th\/","title":{"rendered":"Lumma Stealer infection with Sectop RAT (ArechClient2), (Fri, Apr 17th)"},"content":{"rendered":"
\n

Introduction<\/strong><\/em><\/p>\n

This diary provides indicators from a Lumma Stealer<\/a> infection that was followed by Sectop RAT<\/a> (ArechClient2). I searched for cracked versions of popular copyright-protected software, and I downloaded the initial malware after following the results of one such search. This is a common distribution technique for various families of malware, and I often find Lumma Stealer this way.<\/p>\n

In this case, the initial malware for Lumma Stealer was delivered as a password-protected 7-zip archive. The extracted malware is an inflated Windows executable (EXE) file at 806 MB. The EXE is padded with null-bytes (0x00), a technical which increases the EXE size while allowing the compressed archive file to be much smaller. The password-protected archive and inflated EXE file are designed to avoid detection.<\/p>\n

Images from the infection<\/strong><\/em><\/p>\n

\"\"<\/a>
\nShown above: Example of a page with instructions to download the initial malware file.<\/em><\/p>\n

\"\"<\/a>
\nShown above: Traffic from the infection filtered in Wireshark.<\/em><\/p>\n

\"\"<\/a>
\nShown above: Sectop RAT persistent on an infected Windows host.<\/em><\/p>\n

Indicators of Compromise<\/strong><\/em><\/p>\n

Example of download link from the site advertising cracked versions of copyright-protected software:<\/p>\n

hxxps[:]\/\/incolorand[.]com\/how-visual-patch-enhances-ui-consistency-across-releases\/?utm_source={CID}&utm_term=Adobe%20Premiere%20Pro%20(2026)%20Full%20v26.0.2%20Espa%C3%B1ol%20[Mega]&utm_content={SUBID1}&utm_medium={SUBID2}<\/span><\/p>\n

Example of URL for page with the file download instructions:<\/p>\n

hxxps[:]\/\/mega-nz.goldeneagletransport[.]com\/Adobe_Premiere_Pro_%282026%29_Full_v26.0.2_Espa%C3%B1ol_%5BMega%5D.zip?c=ABUZ4WkRgQUA_YUCAFVTFwASAAAAAACh&s=360721<\/span><\/p>\n

Example of URL for file download from site above site impersonating MEGA:<\/p>\n

hxxps[:]\/\/arch.primedatahost3[.]cfd\/auth\/media\/JvWcFd5vUoYTrImvtWQAASTh\/Adobe_Premiere_Pro_(2026)_Full_v26.0.2_Espa%C3%B1ol_%5BMega%5D.zip<\/span><\/p>\n

Downloaded file:<\/p>\n