Wednesday, May 7, 2025

Highly Obfuscated .NET sectopRAT Mimic as Chrome Extension


SectopRAT, also known as Arechclient2, is a sophisticated Remote Access Trojan (RAT) developed using the .NET framework.

This malware is notorious for its advanced obfuscation techniques, making it challenging to analyze and detect.

Recently, cybersecurity researchers uncovered a new campaign where sectopRAT disguises itself as a legitimate Google Chrome extension named “Google Docs,” further amplifying its stealth and data-theft capabilities.


Advanced Obfuscation and Capabilities

SectopRAT employs the calli obfuscator, a technique that significantly complicates static analysis.

Despite attempts to deobfuscate the code using tools like CalliFixer, the malware’s core functionalities remain concealed.

However, through partial decompilation, researchers identified its extensive capabilities, which include:

  • Stealing browser data such as cookies, saved passwords, autofill information, and encrypted keys.
  • Profiling victim systems by collecting details about hardware, operating systems, and installed software.
  • Targeting applications like VPNs (NordVPN, ProtonVPN), game launchers (Steam), and communication platforms (Telegram, Discord).
  • Scanning for cryptocurrency wallets and FTP credentials.

SectopRAT’s ability to exfiltrate sensitive information highlights its dual role as both an infostealer and a remote control tool.

According to the researchers’ analysis, it communicates with its Command and Control (C2) server over encrypted channels, typically on ports 9000 and 15647.

Malicious Chrome Extension Disguise

One of the most alarming aspects of this campaign is sectopRAT’s use of a fake Google Chrome extension masquerading as “Google Docs.”

Upon infection, the malware downloads files such as manifest.json, content.js, and background.js from its C2 server.

These files enable the extension to:

  • Inject malicious scripts into all visited web pages.
  • Capture user inputs like usernames, passwords, credit card details, and form data.
  • Transmit stolen data to the attacker’s C2 server.

The extension operates under the guise of providing offline editing capabilities for Google Docs but instead functions as a sophisticated keylogger and data exfiltration tool.
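The shape the article describes (a content script injected into every page, a background worker, a Google-product name, and an install that did not come through the Chrome Web Store) is visible in the extension’s manifest.json and can be triaged without running the code. The following Python script is an added example, not part of the article or the researchers’ analysis; both sample manifests are constructed for illustration, and the update_url heuristic assumes that Chrome records the Web Store update URL in manifests of extensions installed from the store.

```python
import json
import os

# Constructed sample manifests (not recovered from the campaign; the page only names the files).
# The first mirrors the page's description: a "Google Docs" lookalike whose content.js runs on every page.
FAKE_DOCS_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Google Docs", "version": "1.0",
    "permissions": ["storage", "webRequest", "cookies", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"], "run_at": "document_start"}],
    "background": {"service_worker": "background.js"},
})
STORE_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Example Notes", "version": "2.3",
    "update_url": "https://clients2.google.com/service/update2/crx",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://notes.example.com/*"], "js": ["notes.js"]}],
})

ALL_URL_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_PERMS = {"webRequest", "webRequestBlocking", "cookies", "tabs", "scripting", "webNavigation"}
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"  # present on Web Store installs
GOOGLE_LOOKALIKES = {"google docs", "google drive", "google sheets", "google slides"}

def triage_manifest(manifest_text):
    """Return a list of human-readable findings for one manifest.json (empty list = nothing flagged)."""
    m = json.loads(manifest_text)
    perms = set(m.get("permissions", []))
    findings = []
    # Content scripts matching every origin: the precondition for site-wide form and keystroke capture.
    for cs in m.get("content_scripts", []):
        if ALL_URL_PATTERNS & set(cs.get("matches", [])):
            findings.append("content script injected into all pages: " + ", ".join(cs.get("js", [])))
    if ALL_URL_PATTERNS & (set(m.get("host_permissions", [])) | perms):
        findings.append("host access to all URLs")
    if SENSITIVE_PERMS & perms:  # cookie/tab/request access enables session and traffic theft
        findings.append("sensitive permissions: " + ", ".join(sorted(SENSITIVE_PERMS & perms)))
    if m.get("update_url") != WEBSTORE_UPDATE_URL:  # heuristic: sideloaded or fetched outside the Web Store
        findings.append("no Chrome Web Store update_url (sideloaded)")
    if m.get("name", "").strip().lower() in GOOGLE_LOOKALIKES:
        findings.append("name impersonates a Google product: %r" % m["name"])
    return findings

def scan_extensions_dir(root):
    """Yield (manifest path, findings) for every manifest.json under a Chrome profile's Extensions dir."""
    for dirpath, _, files in os.walk(root):
        if "manifest.json" in files:
            path = os.path.join(dirpath, "manifest.json")
            with open(path, encoding="utf-8") as fh:
                yield path, triage_manifest(fh.read())
```

On Windows the per-profile directory to pass to scan_extensions_dir is %LocalAppData%\Google\Chrome\User Data\Default\Extensions; a manifest that collects several findings at once, as the constructed "Google Docs" sample does, is the one to review and remove first.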

Key IoCs associated with this campaign include:

  • File Hash: EED3542190002FFB5AE2764B3BA7393B
  • C2 Servers: 91.202.233[.]18 on ports 9000 and 15647
  • Malicious URLs: http://91.202.233[.]18/wbinjget?q=... and https://pastebin.com/raw/wikwTRQc
  • Mutex Name: 49c5e6d7577e447ba2f4d6747f56c473

SectopRAT’s ability to mimic legitimate software while evading detection poses a significant threat to individuals and organizations alike.

The malware’s anti-analysis features, such as anti-virtual machine mechanisms and encrypted C2 communication, make it particularly elusive.

To mitigate risks:

  1. Block network traffic to identified C2 servers.
  2. Monitor for suspicious file activity in directories like %AppData%/Local/llg.
  3. Remove unknown or suspicious Chrome extensions.
  4. Employ behavioral-based threat detection systems.
  5. Restrict execution of untrusted .NET applications.

This campaign underscores the evolving tactics of cybercriminals in leveraging trusted platforms like browsers to deploy highly evasive malware.

Enhanced vigilance and proactive security measures are essential to combat such threats effectively.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
