sectopRAT, also known as Arechclient2, is a heavily obfuscated Remote Access Trojan (RAT) written in .NET, relying on obfuscation to evade detection and resist analysis.
The malware employs the calli obfuscator, which significantly complicates reverse engineering efforts.
Despite attempts to deobfuscate the code using tools like CalliFixer, the malware’s structure remained largely unreadable, though partial insights were obtained using dnSpy.
The analyzed sample, identified by the hash EED3542190002FFB5AE2764B3BA7393B, was distributed under the name Bluefin.exe and exhibited extensive data exfiltration and surveillance functionalities.
Static analysis revealed that sectopRAT targets sensitive user information by extracting browser data such as stored credentials, cookies, autofill details, and browser extensions.
It also scans for system details, including hardware specifications, OS version, language settings, and active processes.
Furthermore, it identifies installed software like VPNs (e.g., NordVPN and ProtonVPN), game launchers (e.g., Steam), and communication platforms (e.g., Discord and Telegram).
This comprehensive data collection underscores its potential use in credential theft and surveillance operations.
Dynamic Behavior and Malicious Chrome Extension
When executed in a controlled environment, sectopRAT connected to its Command and Control (C2) server at IP address 91.202.233.18 via ports 9000 and 15647.
The malware downloaded additional files disguised as a Chrome extension named “Google Docs,” which was specifically designed for data theft.
These files included manifest.json, content.js, and background.js.
The malicious extension granted itself broad permissions to inject scripts across all web pages visited by the victim, enabling it to capture sensitive user inputs such as usernames, passwords, credit card details, and form data.
The core functionality of the extension was split across its components:
- manifest.json declared misleading descriptions to appear legitimate while granting extensive permissions for script injection.
- content.js monitored user interactions on web pages by injecting event listeners into input fields.
- background.js acted as a relay between the content script and the C2 server, sidestepping the browser security policies that restrict what a page-context script can send, and transmitting the stolen data.
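As an added defensive illustration (not code from the original analysis), the following Python manifest audit flags the permission pattern described above: content scripts matched to every URL, site-wide host access, privileged APIs for a background relay, and a vendor-lookalike name. Both manifests are constructed for this example and are not the actual sectopRAT files.

```python
import json

# Constructed sample modelled on the extension described above (broad content-script
# injection plus a service-worker relay); NOT the actual sectopRAT manifest.
SUSPECT_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Google Docs", "version": "1.0",
    "description": "Edit, create, and view your documents offline",
    "permissions": ["storage", "tabs", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"],
                         "run_at": "document_start"}],
    "background": {"service_worker": "background.js"},
})

# Constructed benign manifest: a single-site extension that should produce no findings.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Docs Word Counter", "version": "2.1",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://docs.google.com/*"], "js": ["count.js"]}],
})

BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
PRIVILEGED = {"tabs", "cookies", "webRequest", "webRequestBlocking",
              "scripting", "debugger", "nativeMessaging", "proxy"}


def audit_manifest(text: str) -> list[str]:
    """Return human-readable findings for one manifest.json; [] means nothing flagged."""
    m = json.loads(text)
    findings = []
    # Content scripts injected into every page are the hook used to read form input.
    for cs in m.get("content_scripts", []):
        if BROAD_MATCHES & set(cs.get("matches", [])):
            findings.append(f"content script {cs.get('js')} runs on all URLs")
    # Site-wide host access (MV3 host_permissions, or match patterns in MV2 permissions).
    if BROAD_MATCHES & (set(m.get("host_permissions", [])) | set(m.get("permissions", []))):
        findings.append("host access to all URLs")
    # APIs that let a background script read traffic or talk to other processes.
    risky = sorted(PRIVILEGED & set(m.get("permissions", [])))
    if risky:
        findings.append("privileged permissions: " + ", ".join(risky))
    # Heuristic: Web Store installs carry an update_url; a sideloaded "Google" extension does not.
    if m.get("name", "").lower().startswith("google") and "update_url" not in m:
        findings.append("vendor-lookalike name without a Web Store update_url")
    return findings


if __name__ == "__main__":
    for label, text in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, audit_manifest(text) or "clean")
```

Point `audit_manifest` at each manifest.json under the browser profile's Extensions directory to triage sideloaded extensions during incident response.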
The malware also connected to an external URL hosted on Pastebin (https://pastebin.com/raw/wikwTRQc), which contained references to its C2 infrastructure.
This behavior suggests dynamic payload delivery capabilities depending on the victim’s environment.
Security Implications
sectopRAT’s ability to masquerade as a legitimate Chrome extension while exfiltrating sensitive user data poses a significant cybersecurity threat.
Its advanced obfuscation techniques make detection challenging for traditional antivirus solutions.
Organizations are advised to block traffic to known malicious IPs (91.202.233.18:9000 and 91.202.233.18:15647) and monitor for suspicious file creations in system directories like %AppData%/Local/llg.
Security teams should also enforce strict browser extension controls and restrict execution of untrusted .NET applications to mitigate risks associated with such threats.
This analysis highlights the growing sophistication of malware targeting browsers through stealthy extensions, emphasizing the need for enhanced monitoring and proactive threat detection mechanisms in enterprise environments.