Saturday, May 24, 2025
HomeChromeHighly Obfuscated .NET sectopRAT Mimic as Chrome Extension

Highly Obfuscated .NET sectopRAT Mimic as Chrome Extension

Published on

SIEM as a Service

Follow Us on Google News

SectopRAT, also known as Arechclient2, is a sophisticated Remote Access Trojan (RAT) developed using the .NET framework.

This malware is notorious for its advanced obfuscation techniques, making it challenging to analyze and detect.

Recently, cybersecurity researchers uncovered a new campaign where sectopRAT disguises itself as a legitimate Google Chrome extension named “Google Docs,” further amplifying its stealth and data-theft capabilities.

- Advertisement - Google News

Advanced Obfuscation and Capabilities

SectopRAT employs the calli obfuscator, a technique that significantly complicates static analysis.

Despite attempts to deobfuscate the code using tools like CalliFixer, the malware’s core functionalities remain concealed.

However, through partial decompilation, researchers identified its extensive capabilities, which include:

  • Stealing browser data such as cookies, saved passwords, autofill information, and encrypted keys.
  • Profiling victim systems by collecting details about hardware, operating systems, and installed software.
  • Targeting applications like VPNs (NordVPN, ProtonVPN), game launchers (Steam), and communication platforms (Telegram, Discord).
  • Scanning for cryptocurrency wallets and FTP credentials.

sectopRAT’s ability to exfiltrate sensitive information highlights its dual role as both an infostealer and a remote control tool.

According to an analysis, it communicates with its Command and Control (C2) server using encrypted channels, typically over ports 9000 and 15647.

Malicious Chrome Extension Disguise

One of the most alarming aspects of this campaign is sectopRAT’s use of a fake Google Chrome extension masquerading as “Google Docs.”

Upon infection, the malware downloads files such as manifest.json, content.js, and background.js from its C2 server.

These files enable the extension to:

  • Inject malicious scripts into all visited web pages.
  • Capture user inputs like usernames, passwords, credit card details, and form data.
  • Transmit stolen data to the attacker’s C2 server.

The extension operates under the guise of providing offline editing capabilities for Google Docs but instead functions as a sophisticated keylogger and data exfiltration tool.

Key IoCs associated with this campaign include:

  • File Hash: EED3542190002FFB5AE2764B3BA7393B
  • C2 Servers: 91.202.233.18 on ports 9000 and 15647
  • Malicious URLs: http://91.202.233[.]18/wbinjget?q=... and https://pastebin.com/raw/wikwTRQc
  • Mutex Name: 49c5e6d7577e447ba2f4d6747f56c473

sectopRAT’s ability to mimic legitimate software while evading detection poses a significant threat to individuals and organizations alike.

The malware’s anti-analysis features, such as anti-virtual machine mechanisms and encrypted C2 communication, make it particularly elusive.

To mitigate risks:

  1. Block network traffic to identified C2 servers.
  2. Monitor for suspicious file activity in directories like %AppData%/Local/llg.
  3. Remove unknown or suspicious Chrome extensions.
  4. Employ behavioral-based threat detection systems.
  5. Restrict execution of untrusted .NET applications.

This campaign underscores the evolving tactics of cybercriminals in leveraging trusted platforms like browsers to deploy highly evasive malware.

Enhanced vigilance and proactive security measures are essential to combat such threats effectively.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...