VMRay releases 30 new YARA rules, phishkit detection VTI set, and config extractors for ArechClient2/SectopRAT and Gh0stRAT. May 2026 detection update covers Office controls, Windows Defender evasion, and PowerShell environment variable abuse.

Key technical additions:
• New VTIs detect suspicious Office ActiveX/OLE controls, NtIsProcessInJob API calls for Windows Defender emulator evasion (T1497), and PowerShell execution from environment variables (iex($env:var) pattern)
• Meta-VTI combines Microsoft password-reset indicators, line-broken login text, and auth service connections to identify EvilProxy-style phishkit behavior
• 30 YARA rules added covering spyware (Agarthax, RogueDaemon, Vidar v1.5), loaders (INTDBLoader, GhostLoader), ransomware (X2Anylock), and exploits (BlueHammer, RedSun, ZombieZIP CVE-2026-0866)
• New config extractors for ArechClient2/SectopRAT (.NET RAT/stealer) and Gh0stRAT variants with modular plugin support

Hunt for RegAsm.exe spawning from environment variable PowerShell execution and Office documents with embedded ActiveX controls connecting to low-reputation domains. #DFIR_Radar
May 13
When threat actors host C2 infrastructure on a public blockchain, traditional takedown requests fail. The data is immutable. The infrastructure is decentralized. And the API endpoints used to access it are, by themselves, entirely legitimate. vmray.com/threat-intelligenc…

That last point is what makes EtherHiding difficult to detect through IOC feeds. The same blockchain API endpoints used by malware to retrieve C2 configurations from smart contracts are also used for legitimate purposes — which means they can't easily be added to blocklists. But they can be used for threat hunting.

In a new piece from the VMRay Labs team, we walk through that approach: starting from a list of public blockchain API endpoints, pivoting through sandbox analysis, and identifying both known malware families using EtherHiding and previously unknown samples surfaced through the same method.

What's in the post:
🔹 Known families confirmed using EtherHiding: SharkStealer, ArechClient2, ClearFake, and a ClickFix campaign hosting multi-stage JavaScript on smart contracts
🔹 A newer variant of ZigCryptoStealer that moved from BSC Testnet to Mainnet, with a C2 domain previously identified in other smart contracts created by the same author
🔹 Two unknown Polygon-based samples: a Java stealer, and a .NET backdoor called LoaderOnNet that uses Steam user profiles as dead-drop resolvers

🔗 vmray.com/threat-intelligenc…
VMRay researchers demonstrate blockchain-based threat hunting methodology, discovering new malware families using "EtherHiding" technique across BNB Smart Chain and Polygon networks. Research reveals LoaderOnNet backdoor with dual C2 channels and Steam profile dead-drops.

Key technical findings:
• EtherHiding abuse spans BSC Mainnet/Testnet and Polygon chains - legitimate API endpoints used to fetch C2 configs from smart contracts
• Known families identified: SharkStealer, ArechClient2 (AES hardcoded keys), ClearFake (base64/gzip payloads), ClickFix (multi-stage JS)
• ZigCryptoStealer evolved from BSC Testnet (hxxps[://]data-seed-prebsc-1-s1[.]binance[.]org:8545) to Mainnet (hxxps[://]bsc-dataseed[.]bnbchain[.]org)

New discoveries:
• Java Stealer: Polygon-based clipboard monitor downloading from connect[.]mcleaks[.]de (Minecraft-themed)
• LoaderOnNet: .NET backdoor with ChaCha20Poly1305 encryption, scheduled task persistence (WindowsSecurityHealthSasde), process hollowing capabilities
• Dual infrastructure: hardcoded C2 31[.]130[.]132[.]86:80, blockchain-retrieved 85[.]11[.]161[.]32:80
• Steam profiles as backup dead-drops (15 hardcoded profile URLs)

Monitor blockchain RPC endpoints for anomalous request patterns. Hunt for scheduled tasks with suspicious names and PowerShell reflection loading. Full IOC list in the VMRay report. #DFIR_Radar
SANS ISC researcher documents Lumma Stealer infection chain leading to Sectop RAT deployment. Attack uses fake Adobe Premiere Pro 2026 crack distributed through password-protected archives with 806MB inflated executables.

Technical breakdown:
• Initial delivery via fake software crack sites impersonating MEGA cloud storage
• Lumma Stealer packed in password-protected 7zip (password: 6919) with null-byte padding evasion
• SHA256: c7489e3bf546c5f2d958ac833cc7dbca4368dfba03a792849bc99c48a6b2a14f (archive), 4849f76dafbef516df91fecfc23a72afffaf77ade51f805eae5ad552bed88923 (inflated EXE)
• 9 Lumma C2 domains identified: cankgmr[.]cyou, carytui[.]vu, decrnoj[.]club, genugsq[.]best

Follow-up payload:
• Sectop RAT (ArechClient2) deployed as NetGui.dll via rundll32 LoadForm export
• C2 traffic to 91.92.241[.]102:9000 and :443 with custom encryption
• Persistence established on infected Windows hosts

Hunt for oversized executables (>100MB) with high entropy ratios and rundll32 spawning network connections to non-standard ports. Full IOCs and sandbox analysis links available in SANS report. #DFIR_Radar
Apr 7
🚨Alert: Evolution of EtherHiding in ArechClient2
🔬Report: vmray.com/analyses/etherhidi…

ArechClient2 has been using the Binance Smart Chain (BSC) to fetch C2 servers (a technique known as EtherHiding) since at least June 2025, but we observed a change in the technique in a more recent sample. In the past, a single API endpoint hxxps[:]//bsc-dataseed1[.]binance[.]org was used for this, but in this new sample we see requests to 10 different API (sub)domains. While it is currently unclear why the sample queries the same smart contract on 10 different API endpoints, it is likely an attempt to circumvent blocking, or a first step into diversification of API endpoints used to access the smart contracts. Either way, due to a limited number of possible API endpoints, this still is a great detection opportunity to detect malware (for example ArechClient2, SharkStealer) that uses EtherHiding.

🔎In a nutshell:
- ArechClient2 contains one hardcoded C2, fetches second C2 server from Binance Smart Chain via RPC call (eth_call)
- Smart contract returns base64 encoded tuple (with “START” and “FINISH” markers) consisting of IV and encrypted C2 IP
- Executable uses embedded hardcoded key plus IV to decrypt C2 channel (AES)
- We identified samples communicating with three different smart contracts, one of them being updated very frequently
- 10 different BSC API endpoints queried in recent sample

🔐Find the full decryption procedure here: gchq.github.io/CyberChef/#re…

🧬IoCs:
- 79326544757d48a9f0fc0cfd9628df712a92271fa85e1194c5132fa465896e72
- Contract: 0xbd75e2f339d4aebf72ff13f3af4c27096f709a4d
- AES Key: VOqkXCYMgproaIQIj50Z2tsBru1ULFzXeKKKg19WMTs=
- C2: 138[.]226[.]238[.]96:443

🌐BSC API endpoints
- hxxps[:]//bsc-dataseed1[.]binance[.]org
- hxxps[:]//bsc-dataseed2[.]binance[.]org
- hxxps[:]//bsc-dataseed3[.]binance[.]org
- hxxps[:]//bsc-dataseed4[.]binance[.]org
- hxxps[:]//bsc-dataseed1[.]ninicoin[.]io
- hxxps[:]//bsc-dataseed2[.]ninicoin[.]io
- hxxps[:]//bsc-dataseed1[.]defibit[.]io
- hxxps[:]//bsc-dataseed2[.]defibit[.]io
- hxxps[:]//bsc-dataseed3[.]defibit[.]io
- hxxps[:]//bsc-dataseed4[.]defibit[.]io
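The detection opportunity the post describes, as an added example that is not VMRay's code: a hunt over proxy log records that flags clients sending JSON-RPC eth_call requests for the same contract to several of the listed BSC endpoints. The JSON log format, the three-endpoint threshold and the sample records are assumptions; the host list and contract address are the ones in the post, refanged.

```python
import json
from collections import defaultdict

# Public BSC JSON-RPC endpoints listed in the post (refanged); all are legitimate services.
BSC_RPC_HOSTS = {
    "bsc-dataseed1.binance.org", "bsc-dataseed2.binance.org",
    "bsc-dataseed3.binance.org", "bsc-dataseed4.binance.org",
    "bsc-dataseed1.ninicoin.io", "bsc-dataseed2.ninicoin.io",
    "bsc-dataseed1.defibit.io", "bsc-dataseed2.defibit.io",
    "bsc-dataseed3.defibit.io", "bsc-dataseed4.defibit.io",
}
CONTRACT = "0xbd75e2f339d4aebf72ff13f3af4c27096f709a4d"  # contract address from the post

def parse_eth_calls(log_lines):
    """Yield (src, host, contract) for POSTs to BSC RPC hosts whose JSON-RPC body is an eth_call."""
    for line in log_lines:
        try:
            rec = json.loads(line)
            body = json.loads(rec.get("body", ""))  # empty or non-JSON bodies are skipped
        except (ValueError, TypeError):
            continue
        if rec.get("method") != "POST" or rec.get("host") not in BSC_RPC_HOSTS:
            continue
        if body.get("method") != "eth_call":
            continue
        params = body.get("params") or [{}]
        first = params[0] if isinstance(params[0], dict) else {}
        yield rec.get("src"), rec["host"], str(first.get("to", "")).lower()

def hunt(log_lines, min_endpoints=3):
    """Return {src: {contract: sorted hosts}} for clients that query one contract via >= min_endpoints hosts.
    Spraying the same eth_call across many public endpoints is the pattern the post describes;
    the threshold is an assumed tuning knob, not a value from the post."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, host, contract in parse_eth_calls(log_lines):
        seen[src][contract].add(host)
    return {
        src: {c: sorted(h) for c, h in contracts.items() if len(h) >= min_endpoints}
        for src, contracts in seen.items()
        if any(len(h) >= min_endpoints for h in contracts.values())
    }

def _rec(src, host, method="eth_call", to=CONTRACT):
    # Constructed proxy log record (assumed format): one HTTP request with its JSON-RPC body.
    body = {"jsonrpc": "2.0", "method": method, "params": [{"to": to, "data": "0x"}, "latest"], "id": 1}
    return json.dumps({"src": src, "method": "POST", "host": host, "body": json.dumps(body)})

SAMPLE_LOG = [  # constructed sample: one client sprays four endpoints, another makes benign single calls
    _rec("10.0.0.5", "bsc-dataseed1.binance.org"), _rec("10.0.0.5", "bsc-dataseed2.ninicoin.io"),
    _rec("10.0.0.5", "bsc-dataseed3.defibit.io"), _rec("10.0.0.5", "bsc-dataseed4.binance.org"),
    _rec("10.0.0.9", "bsc-dataseed1.binance.org", method="eth_blockNumber"),
    _rec("10.0.0.9", "bsc-dataseed1.binance.org", to="0x0000000000000000000000000000000000000001"),
    '{"src": "10.0.0.7", "method": "GET", "host": "example.org", "body": ""}',
]
```

Running `hunt(SAMPLE_LOG)` reports only 10.0.0.5 with the post's contract and the four endpoints it queried.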
Scarlet Goldfinch threat actor evolved through 7 distinct "epochs" of paste-and-run tactics in 2025, ranking as 6th most prevalent threat. Campaign demonstrates rapid adaptation to defenses with continuous command-line obfuscation techniques.

Key Technical Details:
• Evolution from fake browser updates to ClickFix/paste-and-run lures tricking users into executing malicious PowerShell/cmd commands
• Epoch 7 (Jan 2026-present): Split download/execute using curl mshta with delayed environment variable expansion (cmd.exe /v:on)
• Advanced obfuscation: escape characters (^s^t^a^r^t^), substring variable manipulation to scramble commands like "curl"
• Kill chain: Paste-and-run → HTA download → Remcos DLL sideloading → NetSupport Manager persistence
• Final payloads include StealC and ArechClient2 info stealers

Attack Methodology:
• Initial access via compromised websites displaying fake CAPTCHA/error messages (T1204.004)
• Creates 7-10 digit staging folders in AppData\Local for payload deployment
• Uses legitimate executables for DLL sideloading to evade detection
• Establishes persistence through NetSupport Manager remote access tool

DFIR Artifacts:
• Monitor for mshta.exe network connections and HTA file downloads
• Hunt for curl commands with suspicious file extensions masquerading as PDFs
• Look for tar -xf extraction in AppData\Local with random numeric folder names
• Detection opportunity: cmd.exe /v:on flag usage with delayed variable expansion

#DFIR_Radar
14 Dec 2025
📌 Malicious PDFs are directly targeting Turkey.

IoCs:
• c28f8fa5f0cb8c6a942b6b7f1884dcf5
• c6c3194a1f081ab7dc840cbf588e2ef4
• 176[.]65[.]132[.]6
• evgshippingline[.]com

#StealC - #Vidar - #ArechClient2 - #SectopRAT
Source: @kaspersky
IoC claim: @malpulse
14 Dec 2025
A new malware campaign targeting Turkey was recently discovered: distribution of the LazyGo dropper through popular Turkish e-books (fake PDFs) has been observed. Various malicious programs are dropped via LazyGo. Credentials, browser data, crypto wallets and cloud credentials are targeted. GitHub links are used as bait.

Dropper: LazyGo
Distributed payloads:
- StealC
- Vidar
- ArechClient2 / SectopRAT
36[.]255[.]98[.]59:9000/wbinjget AS208137 Feo Prest SRL 🇹🇼 #Arechclient2 #SecTopRAT #RedlineStealer
'nocturia.ps1' @abuse_ch bazaar.abuse.ch/sample/73ef4… Source URL: hxxp://62.60.135(.)8/nocturia
107[.]189[.]21[.]86:9000/wbinjget AS14956 ROUTERHOSTING 🇳🇱 #Arechclient2 #SecTopRAT
'DockerDesktop zip' @abuse_ch bazaar.abuse.ch/sample/bb029… URL: hxxp://107.189.17(.)143:9000/wbinjget
29 Oct 2025
🕵️ SectopRAT (ArechClient2) is still active and gaining traction with cybercriminals. Obfuscated .NET RAT w/ HVNC remote control, C2 fallback & data theft (creds, wallets, VPNs, browser data). In case you missed our public report 👉catalyst.prodaft.com/public/… #threatintel #malware
9 Oct 2025
Replying to @smica83 @abuse_ch
looks like arechclient2/sectoprat based on ioc
15 Aug 2025
2025-08-15 (Friday): #LummaStealer infection leads to #SectopRAT (#ArechClient2). Details at bit.ly/45ATcjf
Defending against ClickFix delivering SectopRAT (Arechclient2)? Recently, Coinbase-themed ClickFix attacks have been observed deploying GHOSTPULSE & SectopRAT PS → URL → PS → EXE Use these four sigma rules and refer to the process tree to detect potential threats
7 Jul 2025
Pirated copies of SHELLTER Elite v11.0 (a commercial AV/EDR evasion tool) are being abused to distribute LUMMA/RHADAMANTHYS/ARECHCLIENT2. It ships with obfuscation, DLL preloading, VEH proxying and AMSI bypass. Concern that highly evasive malware is becoming standardized. #SHELLTER #Infostealer securityonline.info/shellter…