Skip to content

SectopRAT

Also known as: 1xxbot, ArechClient

SectopRAT, aka ArechClient2, is a .NET RAT with numerous capabilities including multiple stealth functions. Arechclient2 can profile victim systems, steal information such as browser and crypto-wallet data, and launch a hidden secondary desktop to control browser sessions. Additionally, it has several anti-VM and anti-emulator capabilities.

C2 Infrastructure

Hosting/VPS 100%

Last 7 days

Jul 11, 2026
C2 Hosts: 1

Further Reading

A Wretch Client: From ClickFix deception to information stealer deployment — Elastic Security Labs opens in a new tab

Elastic Security Labs detected a surge in ClickFix campaigns, using GHOSTPULSE to deploy Remote Access Trojans and data-stealing malware.

elastic.co
GHOSTPULSE haunts victims using defense evasion bag o' tricks — Elastic Security Labs opens in a new tab

Elastic Security Labs reveals details of a new campaign leveraging defense evasion capabilities to infect victims with malicious MSIX executables.

elastic.co
New SectopRAT: Remote access malware utilizes second desktop to control browsers opens in a new tab

This new remote access malware creates a second desktop that is invisible to the system's user. The threat actor can surf the Internet using the infected machine.

gdatasoftware.com
SecTopRAT: Updates and Encrypted C2 communications opens in a new tab

A recently discovered version of SecTopRAT adds encrypted C2 communications as well as several new commands - a clear sign that this malware is under active development. Learn more on the G DATA Blog!

gdatasoftware.com
Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers | Rapid7 Blog opens in a new tab

Rapid7 has observed the Fake Browser Update lure utilizing a sophisticated new loader to execute infostealers.

rapid7.com
Rewterz Threat Alert – Widely Abused MSIX App Installer Disabled by Microsoft – Active IOCs - Rewterz opens in a new tab

Severity High Analysis Summary Microsoft stated that it is disabling the ms-appinstaller protocol handler again after various threat actors exploited it as an initial access vector to distribute ma...

rewterz.com

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.