
Lumma Stealer + Sectop RAT (ArechClient2): Two-Stage Attack Chain via Fake Cracked Software


Executive Summary

On April 17, 2026, SANS Internet Storm Center documented a Lumma Stealer campaign followed by Sectop RAT (ArechClient2) targeting users searching for pirated software. Attackers used a fake MEGA page to distribute a password-protected 7-zip archive containing an 806 MB EXE padded with null-bytes — a straightforward but still effective technique that bypasses most file-size-limited AV scanning. When the victim executes the binary, Lumma Stealer harvests credentials, cookies, and cryptocurrency wallets before retrieving a secondary DLL to install Sectop RAT, establishing a persistent remote access backdoor.

For enterprise environments, the impact goes well beyond personal account compromise: stolen session cookies enable MFA bypass, reused credentials allow pivoting into internal infrastructure, and the RAT provides a foothold for future lateral movement.

Priority action: Block all C2 domains and IPs in the IOC section, deploy detection rules for rundll32 loading DLLs from %LOCALAPPDATA%\Temp (i.e. AppData\Local\Temp), and run a retrospective threat hunt on endpoint logs from the past 30 days.


1. Campaign Context

Lumma Stealer — Persistent MaaS Threat

Lumma Stealer (also known as LummaC2) is a C-language infostealer operating as Malware-as-a-Service (MaaS) on Russian-speaking forums since at least August 2022. The developer is believed to be the threat actor "Shamel" (alias "Lumma"), whose platform primarily targets cryptocurrency wallets, browser-based 2FA extensions, and sensitive data at large. Microsoft Threat Intelligence tracks the developer group as Storm-2477, whose affiliates pay for panel access to build malware binaries and manage C2 infrastructure before deploying their own campaigns.

This affiliate model explains why Lumma's distribution vectors constantly evolve: each affiliate customizes delivery while the core stealer remains the same. In May 2025, a coordinated operation involving Microsoft and Europol seized over 2,300 Lumma C2 domains. Within weeks, targeted account volumes returned to pre-takedown levels — demonstrating that the MaaS model allows operations to continue with minimal disruption even after major infrastructure takedowns. The April 2026 campaign documented here is direct evidence of that resilience.

Sectop RAT (ArechClient2) — Underappreciated Persistent Access Tool

Sectop RAT, also known as ArechClient2, is a .NET Remote Access Trojan delivered primarily as a DLL loaded via rundll32.exe. Across multiple campaigns tracked in 2024–2026, Sectop RAT consistently appears as a second-stage payload after an infostealer completes its initial data collection mission. This pairing reflects a broader shift in attacker objectives: from smash-and-grab credential theft toward maintaining long-term persistent access for follow-on operations.


2. Kill Chain / Attack Flow

[Victim] → Searches "Adobe Premiere Pro crack 2026"
     │
     ▼
[SEO Poisoning / Malvertising]
incolorand[.]com → Redirects to fake MEGA page
     │
     ▼
[Fake MEGA Page] — mega-nz.goldeneagletransport[.]com
     │  Displays download instructions for "Adobe Premiere Pro 2026"
     ▼
[File Download] — arch.primedatahost3[.]cfd
     │  adobe_premiere_pro_(2026)_full_v26.0.2_español_[mega].7z
     │  Password: 6919  |  Size: ~3.8 MB compressed
     ▼
[Extract] → appFile.exe (806 MB — inflated with null-bytes)
     │
     ▼
[Stage 1 — Lumma Stealer]
     │  Collects: browser credentials, cookies, crypto wallets
     │  C2 beacon to: cankgmr[.]cyou, carytui[.]vu, decrnoj[.]club, ...
     ▼
[Stage 2 Download] — enotsosun[.]pw/NetGui.dll
     │  Saved to: C:\Users\[username]\AppData\Local\Temp\16XBPQ29ZBG94TYNOA.dll
     ▼
[Stage 2 — Sectop RAT]
     │  rundll32 [path]\16XBPQ29ZBG94TYNOA.dll,LoadForm
     │  C2: 91.92.241[.]102:9000 (HTTP) + 91.92.241[.]102:443 (custom encrypted)
     ▼
[Persistent Backdoor — Remote Access]

3. Technical Analysis

3.1 Distribution: SEO Poisoning + Fake Download Infrastructure

The attackers impersonate MEGA's file hosting platform, providing download instructions for a cracked Adobe Premiere Pro 2026 installer. The 7-zip archive weighs only ~3.8 MB but decompresses to an 806 MB EXE.

The URL chain is deliberately structured in three layers:

# Layer 1: Landing page (SEO/ad click sink)
hxxps[:]//incolorand[.]com/how-visual-patch-enhances-ui-consistency-across-releases/
  ?utm_term=Adobe%20Premiere%20Pro%20(2026)%20Full%20v26.0.2
 
# Layer 2: Fake MEGA page (social trust)
hxxps[:]//mega-nz.goldeneagletransport[.]com/Adobe_Premiere_Pro_(2026)_Full_v26.0.2_...zip
 
# Layer 3: Actual file hosting (short-lived, rotatable)
hxxps[:]//arch.primedatahost3[.]cfd/auth/media/JvWcFd5vUoYTrImvtWQAASTh/...zip

This layered architecture serves distinct purposes: the first layer tracks victim origins via UTM parameters, the second provides visual legitimacy through MEGA branding, and the third hosts the actual payload on a short-lived domain that can be quickly rotated.

3.2 Evasion: Inflated EXE + Password-Protected Archive

The most technically notable aspect of this campaign is the dual evasion approach:

Null-byte padded (inflated) EXE:

Deflated (real) payload: 7,114,156 bytes  (~7 MB)
Distributed as:          806,127,604 bytes (~806 MB)
Padding added:           ~799 MB of 0x00 null-bytes

This serves two functions:

  • AV scan evasion: Many antivirus engines and cloud sandboxes skip or truncate analysis of files exceeding 100–500 MB due to resource constraints.

  • Social engineering plausibility: An 806 MB installer is not suspicious to a user expecting a large video editing application.

Password-protected archive:

The password 6919 is provided directly on the fake download page. This isn't intended to hide the content from victims — it prevents email gateways and file transfer proxies from automatically extracting and scanning the archive, since those systems don't have the password.

3.3 Stage 1: Lumma Stealer — Credential Harvesting

SHA256 (deflated): 353ddce78d58aef2083ca0ac271af93659cf0039b0b29d0d169fc015bd3610bc

Upon execution, Lumma Stealer:

  • Extracts saved passwords and session cookies from Chromium-based browsers (Chrome, Edge, Brave, etc.) and Firefox

  • Steals cryptocurrency wallet data from browser extensions (MetaMask, Exodus, etc.)

  • Harvests 2FA authenticator extension data

  • Exfiltrates collected data to C2 domains (see IOC section)

The Lumma core binary uses LLVM control-flow flattening, control-flow obfuscation, and customized stack decryption. Critical API calls are implemented via low-level syscalls and the Heaven's Gate technique to bypass EDR user-mode hooking — which makes behavioral detection significantly more effective than signature-based approaches.

After completing exfiltration, Lumma retrieves the second-stage payload.

3.4 Stage 2: Sectop RAT (ArechClient2) — Persistent Backdoor

Download URL:  hxxps[:]//enotsosun[.]pw/NetGui.dll
Saved to:      C:\Users\[username]\AppData\Local\Temp\16XBPQ29ZBG94TYNOA.dll
Execution:     rundll32 [path]\16XBPQ29ZBG94TYNOA.dll,LoadForm
SHA256:        d9b576eb6827f38e33eda037d2cda4261307511303254a8509eeb28048433b2f

Sectop RAT communicates via two parallel C2 channels:

Channel | Endpoint                                                                    | Purpose
--------|-----------------------------------------------------------------------------|-------------------------------------
HTTP    | hxxp[:]//91.92.241[.]102:9000/wmglb                                         | Beacon / check-in
HTTP    | hxxp[:]//91.92.241[.]102:9000/wbinjget?q=66B553A8B94CE37C16F4EBC863D51FCC | Command retrieval
TCP     | tcp[:]//91.92.241[.]102:443                                                 | Encrypted traffic (not standard TLS)

Port 443 usage is deliberate — it blends in with HTTPS traffic at the network layer. However, the absence of a valid TLS handshake and certificate makes this detectable via deep packet inspection, JA3/JA4 fingerprinting, or TLS certificate inspection. Basic firewall rules that only block by port will miss this traffic.

Sectop RAT maintains persistence on the infected host, giving the attacker capabilities including remote command execution, file transfer, screen capture, and a foothold for subsequent lateral movement.


4. Indicators of Compromise (IOC)

⚠️ Note: All domains and IPs have been defanged. Re-fang before adding to blocklists/SIEM.
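Re-fanging by hand is error-prone when the list mixes bare domains, IP:port pairs with trailing comments, and full URLs. The following is an added example (not code from the ISC diary or this blog) that normalises the defanging conventions used in this report (`hxxp`, `[:]`, `[.]`), classifies each indicator, and emits blocklist-ready buckets. The sample IOC text is a constructed subset of the indicators listed in this section; the function names are this example's own.

```python
"""Refang and classify defanged IOCs into blocklist-ready records (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Defanging conventions seen in this report; extend for other feeds (assumption: these three suffice here).
_REFANG = [("hxxp", "http"), ("[:]", ":"), ("[.]", ".")]


def refang(indicator: str) -> str:
    """Undo defanging so the value can be used in a firewall/SIEM list."""
    value = indicator.strip()
    for defanged, real in _REFANG:
        value = value.replace(defanged, real)
    return value


def _is_ip(host) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except (ValueError, TypeError):
        return False


def parse_ioc(indicator: str) -> dict:
    """Classify one indicator as url / ip / ip_port / domain / domain_port.
    A trailing '(comment)' such as '(HTTP C2)' is discarded. IPv4 and hostnames only."""
    raw = re.sub(r"\s+\(.*\)\s*$", "", indicator.strip())
    value = refang(raw)
    if "://" in value:
        parts = urlsplit(value)
        host, port, kind = parts.hostname, parts.port, "url"
    else:
        host, _, port_s = value.partition(":")
        port = int(port_s) if port_s.isdigit() else None
        kind = "ip" if _is_ip(host) else "domain"
        if port is not None:
            kind += "_port"
    return {"type": kind, "value": value, "host": host, "port": port}


def build_blocklist(text: str) -> dict:
    """Turn a free-text IOC section ('#' comments and blank lines ignored) into
    de-duplicated, sorted lists a blocklist or SIEM watchlist can ingest."""
    domains, ips, ip_ports, urls = set(), set(), set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_ioc(line)
        if rec["type"] == "url":
            urls.add(rec["value"])
        (ips if _is_ip(rec["host"]) else domains).add(rec["host"])
        if rec["port"] is not None and _is_ip(rec["host"]):
            ip_ports.add(f"{rec['host']}:{rec['port']}")
    return {"domains": sorted(domains), "ips": sorted(ips),
            "ip_ports": sorted(ip_ports), "urls": sorted(urls)}


# Constructed sample: a subset of the indicators published in this report, as defanged there.
SAMPLE_IOCS = """
# Lumma Stealer C2
cankgmr[.]cyou
carytui[.]vu
# Stage 2 payload source
hxxps[:]//enotsosun[.]pw/NetGui.dll
# Sectop RAT C2
91.92.241[.]102          (IP)
91.92.241[.]102:9000     (HTTP C2)
91.92.241[.]102:443      (Custom encrypted, NOT standard HTTPS)
"""

if __name__ == "__main__":
    for bucket, values in build_blocklist(SAMPLE_IOCS).items():
        print(bucket, values)
```

Hosts from URLs are also added to the domain list, because a proxy block on `enotsosun.pw` is what stops the stage-2 download even if the path changes.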

File Artifacts

# Initial 7-zip archive
SHA256:   c7489e3bf546c5f2d958ac833cc7dbca4368dfba03a792849bc99c48a6b2a14f
Name:     adobe_premiere_pro_(2026)_full_v26.0.2_español_[mega].7z
Size:     3,888,051 bytes
Password: 6919
 
# Lumma Stealer EXE (inflated — as distributed)
SHA256:   4849f76dafbef516df91fecfc23a72afffaf77ade51f805eae5ad552bed88923
Name:     appFile.exe
Size:     806,127,604 bytes
 
# Lumma Stealer EXE (deflated — preferred for detection)
SHA256:   353ddce78d58aef2083ca0ac271af93659cf0039b0b29d0d169fc015bd3610bc
Size:     7,114,156 bytes
 
# Sectop RAT DLL
SHA256:   d9b576eb6827f38e33eda037d2cda4261307511303254a8509eeb28048433b2f
Name:     NetGui.dll → dropped as [random].dll in %TEMP%
Size:     16,450,560 bytes

Network Indicators — Lumma Stealer C2

cankgmr[.]cyou
carytui[.]vu
decrnoj[.]club
genugsq[.]best
longmbx[.]click
mushxhb[.]best
pomflgf[.]vu
strikql[.]shop
ulmudhw[.]shop

Network Indicators — Payload Hosting & Sectop RAT C2

# Stage 2 payload source
hxxps[:]//enotsosun[.]pw/NetGui.dll
 
# Sectop RAT C2
91.92.241[.]102          (IP)
91.92.241[.]102:9000     (HTTP C2)
91.92.241[.]102:443      (Custom encrypted — NOT standard HTTPS)

Distribution Infrastructure

incolorand[.]com                    (landing/redirect)
mega-nz.goldeneagletransport[.]com  (fake MEGA page)
arch.primedatahost3[.]cfd           (file hosting)

Host-Based Indicators

# Sectop RAT file path pattern
C:\Users\[username]\AppData\Local\Temp\[16-char-random].dll
 
# Suspicious process chain
[malware EXE] → rundll32.exe [temp_path]\[random].dll,LoadForm
 
# Persistence locations to inspect
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

5. MITRE ATT&CK Mapping

Phase             | Technique ID | Technique Name                  | Description
------------------|--------------|---------------------------------|-------------------------------------------
Initial Access    | T1566        | Phishing                        | Fake software download pages
Initial Access    | T1659        | Content Injection               | SEO poisoning / malicious link injection
Execution         | T1204.002    | User Execution: Malicious File  | Victim manually runs EXE
Execution         | T1218.011    | System Binary Proxy: Rundll32   | Sectop RAT DLL loaded via rundll32
Defense Evasion   | T1027        | Obfuscated Files or Information | Null-byte padding inflates EXE size
Defense Evasion   | T1027.015    | Archive via Utility             | Password-protected 7-zip container
Defense Evasion   | T1036        | Masquerading                    | Disguised as Adobe Premiere installer
Credential Access | T1555.003    | Credentials from Web Browsers   | Harvests browser-saved passwords
Credential Access | T1539        | Steal Web Session Cookie        | Session cookie theft
Collection        | T1005        | Data from Local System          | Files, wallet data collection
Command & Control | T1571        | Non-Standard Port               | Port 443 with custom protocol
Command & Control | T1573        | Encrypted Channel               | Custom encryption over TCP
Persistence       | T1547.001    | Registry Run Keys               | Sectop RAT persistence
Exfiltration      | T1041        | Exfiltration Over C2 Channel    | Data sent through Lumma C2

6. Expert Analysis

Why This Still Works

Users hunting for pirated software consistently accept higher risk, disable more safeguards, and overlook more warning signs than they would in almost any other scenario. Threat actors know this, and families like Lumma continue to exploit it without needing to innovate on the lure.

The delivery chain layers multiple simple-but-effective evasion techniques: password-protected archives block gateway scanning, inflated EXEs defeat size-based detection thresholds, fake MEGA pages establish visual trust, and custom-encrypted C2 on port 443 confuses basic network monitoring. None of these techniques are novel in isolation — but their combination is sufficient to bypass endpoint security at default configuration in most environments.

The Stealer + RAT Pairing: A Strategic Shift

The Lumma + Sectop RAT combination signals an evolution from "smash-and-grab" to "long game" operations. Rather than just stealing credentials and exfiltrating immediately, attackers now want persistent access to:

  • Sell footholds to initial access brokers (IABs) serving ransomware groups

  • Monitor high-value targets over extended periods

  • Leverage infected machines as botnet nodes or proxy pivots

Trend Micro documented a parallel pattern in Lumma campaigns distributed via GitHub, where Lumma pulled in SectopRAT, Vidar, and Cobeacon as secondary payloads — indicating these TTPs are systematically reused across multiple campaigns, not isolated incidents.

Structural Resilience of MaaS Operations

The May 2025 takedown of Lumma's infrastructure — 2,300+ domains seized, central C2 disrupted — was significant. Yet within weeks, telemetry returned to pre-takedown volumes. The MaaS model creates structural resilience: the developer provides the platform, affiliates run the operations, and infrastructure is distributed enough that no single takedown is fatal. Defenders cannot rely on infrastructure disruption alone; detection at the endpoint and network layer remains essential.


7. Recommendations

Immediate (0–24 hours)

1. Block at firewall/proxy:
   - All Lumma C2 domains from IOC section
   - IP: 91.92.241.102 (all ports)
   - Domains: enotsosun.pw, goldeneagletransport.com, primedatahost3.cfd
 
2. Hunt in EDR/SIEM:
   - Process: rundll32.exe with unusual parent or DLL path in %TEMP%
   - File: *.dll in %LOCALAPPDATA%\Temp (AppData\Local\Temp) loaded by rundll32
   - Hash: match against IOC file hashes
 
3. Review outbound traffic logs:
   - Connections to .cyou, .vu, .club, .best, .click, .shop TLDs (unusual activity)
   - TCP connections to port 9000
   - Port 443 connections without valid TLS certificate exchange
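The "port 443 without a TLS handshake" signal from section 3.4 and the outbound-traffic review in item 3 above can both be checked from the first client-to-server payload of each flow. The following is an added example (not from the ISC diary or this blog) that classifies that first payload and flags two mismatches: a TLS port carrying no ClientHello (the custom-encrypted Sectop channel), and plaintext HTTP on a non-standard port (the :9000 beacon). The flows are constructed, using RFC 5737 documentation addresses; only the `/wmglb` beacon path is taken from the report.

```python
"""Flag TCP flows whose first payload contradicts the port's expected protocol (added example)."""

TLS_PORTS = {443, 8443}      # ports where a TLS ClientHello is expected (assumption for this environment)
HTTP_PORTS = {80, 8080}      # ports where plaintext HTTP is considered normal
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def classify_first_payload(payload: bytes) -> str:
    """Classify a flow's first client->server bytes.
    A TLS ClientHello begins with a handshake record: content type 0x16, record
    version 0x03 0x00..0x03, a 2-byte length, then handshake type 0x01."""
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x03 and payload[5] == 0x01):
        return "tls_client_hello"
    if payload.startswith(HTTP_METHODS):
        return "http_plaintext"
    return "unknown"


def find_suspicious_flows(flows):
    """Return the flows an analyst should look at, with the reason."""
    findings = []
    for flow in flows:
        kind = classify_first_payload(flow["payload"])
        reason = None
        if flow["dport"] in TLS_PORTS and kind != "tls_client_hello":
            reason = "TLS port without a TLS ClientHello (custom/encrypted protocol or plaintext)"
        elif kind == "http_plaintext" and flow["dport"] not in HTTP_PORTS:
            reason = "plaintext HTTP on a non-standard port"
        if reason:
            findings.append({"dst": flow["dst"], "dport": flow["dport"],
                             "kind": kind, "reason": reason})
    return findings


# Constructed sample flows (documentation IPs). Payloads are truncated to the leading bytes.
CLIENT_HELLO = bytes.fromhex("16 03 01 00 c5 01 00 00 c1 03 03") + bytes(32)
OPAQUE = bytes.fromhex("8f 2a d1 7c 03 9b e4 51 77 0c aa 13")   # looks like a custom encrypted protocol

SAMPLE_FLOWS = [
    {"dst": "203.0.113.10", "dport": 443, "payload": CLIENT_HELLO},                       # normal HTTPS
    {"dst": "198.51.100.7", "dport": 443, "payload": OPAQUE},                             # 443 without TLS
    {"dst": "198.51.100.7", "dport": 9000,
     "payload": b"GET /wmglb HTTP/1.1\r\nHost: 198.51.100.7:9000\r\n\r\n"},              # HTTP beacon on 9000
    {"dst": "203.0.113.20", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"},                          # normal HTTP
]

if __name__ == "__main__":
    for finding in find_suspicious_flows(SAMPLE_FLOWS):
        print(finding)
```

In practice the same signal comes out of Zeek without parsing bytes yourself: a conn.log entry to port 443 that never produces an ssl.log record is exactly the "no TLS handshake" case, and an http.log entry whose destination port is not 80 or 8080 covers the :9000 beacon.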

Short-Term (1–7 days)

4. Deploy detection rules (see Detection Logic section below)
 
5. Internal communication: Alert staff about cracked software risk,
   specifically about 7-zip archives requiring passwords from unknown sources
 
6. BYOD policy review: Are personal devices accessing corporate
   resources? Is MDM enrollment enforced?
 
7. Browser credential hygiene: Encourage dedicated password managers
   over browser-stored passwords (Lumma specifically targets browser stores)

Long-Term

8. Application control (AppLocker/WDAC):
   Block unsigned EXEs and DLLs from %TEMP%, %APPDATA%
 
9. Enable Script Block Logging and PowerShell Constrained Language Mode
 
10. Deploy DNS filtering with newly registered domain (NRD) blocking:
    Most Lumma C2 domains are freshly registered
 
11. Configure sandbox to handle large file analysis:
    Files >500 MB → auto-deflate and scan deflated version
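Section 3.2 describes the inflation trick and item 11 asks the sandbox to "auto-deflate" oversized files before scanning. The following is an added example (not the ISC diary's or this blog's tooling) of that deflation step: it parses the PE section table to find where mapped data really ends, strips only the trailing null overlay beyond that point, and reports both hashes so the deflated SHA256 can be matched against the IOC list. The sample PE is a constructed minimal PE32+ stub built in the block; the `inflated` thresholds are assumptions to tune per environment.

```python
"""Detect and strip null-byte overlay padding from a PE file (added example)."""
import hashlib
import struct

MB = 1024 * 1024


def pe_section_end(data: bytes) -> int:
    """Offset where the last section's raw data ends, per the PE section table.
    Returns 0 if the buffer is not a parseable MZ/PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return 0
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return 0
    # COFF file header: NumberOfSections at +6, SizeOfOptionalHeader at +20 (from the signature)
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    end = table + 40 * num_sections            # the headers themselves extend at least this far
    for i in range(num_sections):
        hdr = table + 40 * i
        if hdr + 40 > len(data):
            break
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def analyze_inflated_pe(data: bytes, min_padding: int = 100 * MB, min_ratio: float = 0.5) -> dict:
    """Measure the trailing null overlay and hash the deflated image.
    The cut never goes below the section-table end, so a real section that
    happens to end in zero bytes is not truncated."""
    total = len(data)
    last_nonzero = len(data.rstrip(b"\x00"))
    sec_end = pe_section_end(data)
    deflated = min(total, max(last_nonzero, sec_end))
    padding = total - deflated
    ratio = padding / total if total else 0.0
    return {
        "total_size": total,
        "section_end": sec_end,
        "deflated_size": deflated,
        "null_padding": padding,
        "padding_ratio": round(ratio, 4),
        "sha256_as_distributed": hashlib.sha256(data).hexdigest(),
        "sha256_deflated": hashlib.sha256(data[:deflated]).hexdigest(),
        "inflated": padding >= min_padding and ratio >= min_ratio,
    }


def build_sample_pe(padding: int) -> bytes:
    """Constructed minimal PE32+ stub: one 0x200-byte .text section at file offset
    0x200, followed by `padding` null bytes appended as overlay (the inflation technique)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)         # 1 section, 240-byte optional header
    opt = b"\x00" * 240                                                    # zeroed optional header
    section = (b".text\x00\x00\x00" + struct.pack("<IIII", 0x1000, 0x1000, 0x200, 0x200)
               + b"\x00" * 16)
    headers = dos + b"PE\x00\x00" + coff + opt + section
    headers += b"\x00" * (0x200 - len(headers))                            # pad to file alignment
    body = bytes(range(256)) * 2                                           # 0x200 bytes of non-null content
    return headers + body + b"\x00" * padding


if __name__ == "__main__":
    report = analyze_inflated_pe(build_sample_pe(8 * MB), min_padding=4 * MB)
    for key, value in report.items():
        print(f"{key:>22}: {value}")
```

For a sandbox pipeline, the deflated bytes (`data[:deflated_size]`) are what should be submitted to the engines that refuse or truncate large files, while the original hash is kept for correlation with what was actually downloaded.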

8. Detection Logic

Sigma Rule — Sectop RAT DLL Load via Rundll32

title: Sectop RAT DLL Loaded via Rundll32 from Temp Directory
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
status: experimental
description: Detects rundll32 loading a DLL from Temp directory with LoadForm export
  (Sectop RAT / ArechClient2 pattern)
references:
  - https://isc.sans.edu/diary/32904
author: Security Research Team
date: 2026/04/26
tags:
  - attack.execution
  - attack.t1218.011
  - attack.persistence
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\rundll32.exe'
    CommandLine|contains|all:
      - '\AppData\Local\Temp\'
      - '.dll'
      - 'LoadForm'
  condition: selection
falsepositives:
  - Unlikely in standard environments
level: high
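To check what the Sigma selection above actually matches before deploying it, the following added example (not part of the rule or this blog) applies the same logic to a handful of process-creation events with Sigma semantics: `endswith`/`contains` are case-insensitive and `contains|all` requires every token. The JSON-lines events are constructed; the only value taken from the report is the DLL name in the first event. The parent image is carried through so the "unusual parent" check from the hunt list in section 7 can be done on the hits.

```python
"""Evaluate the Sectop RAT Sigma selection against process-creation events (added example)."""
import json

# Mirrors the 'selection' block of the Sigma rule above.
SELECTION = {
    "image_endswith": "\\rundll32.exe",
    "cmdline_contains_all": ["\\AppData\\Local\\Temp\\", ".dll", "LoadForm"],
}


def matches_sectop_rundll32(event: dict) -> bool:
    """Sigma string modifiers are case-insensitive; contains|all needs every token."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return (image.endswith(SELECTION["image_endswith"].lower())
            and all(tok.lower() in cmdline for tok in SELECTION["cmdline_contains_all"]))


def hunt(jsonl: str) -> list:
    """Run the selection over JSON-lines process-creation events; return the hits
    with the fields an analyst needs for triage."""
    hits = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if matches_sectop_rundll32(event):
            hits.append({k: event.get(k) for k in ("EventTime", "ParentImage", "CommandLine")})
    return hits


# Constructed events in a Sysmon/EDR-style export (dates and user names are made up).
SAMPLE_EVENTS_JSONL = r"""
{"EventTime": "2026-04-17T10:02:11Z", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32 C:\\Users\\alice\\AppData\\Local\\Temp\\16XBPQ29ZBG94TYNOA.dll,LoadForm", "ParentImage": "C:\\Users\\alice\\Downloads\\appFile.exe"}
{"EventTime": "2026-04-17T10:05:40Z", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventTime": "2026-04-17T11:17:03Z", "Image": "C:\\Windows\\SysWOW64\\RUNDLL32.EXE", "CommandLine": "RUNDLL32.EXE C:\\USERS\\BOB\\APPDATA\\LOCAL\\TEMP\\ZQ8M1K4N7P2R5T9W.DLL,loadform", "ParentImage": "C:\\Users\\bob\\Desktop\\setup.exe"}
{"EventTime": "2026-04-17T12:30:55Z", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32 C:\\Users\\carol\\AppData\\Local\\Temp\\msi1234.dll,DllRegisterServer", "ParentImage": "C:\\Windows\\System32\\msiexec.exe"}
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS_JSONL):
        print(hit)
```

The fourth event shows the rule's intended precision: a DLL run from Temp by an installer is not flagged, because the `LoadForm` export is part of the selection. Drop that token only if you are prepared to triage every Temp-based rundll32 invocation.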

KQL (Microsoft Sentinel / Defender) — Lumma C2 Domain Detection

// Lumma Stealer C2 Domain Detection
let LummaC2Domains = dynamic([
    "cankgmr.cyou", "carytui.vu", "decrnoj.club",
    "genugsq.best", "longmbx.click", "mushxhb.best",
    "pomflgf.vu", "strikql.shop", "ulmudhw.shop"
]);
union DeviceNetworkEvents, DnsEvents
| where RemoteUrl has_any (LummaC2Domains)
    or Name has_any (LummaC2Domains)
| project TimeGenerated, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName
| order by TimeGenerated desc

KQL — Suspicious Large EXE Execution from Downloads

// Detect abnormally large EXEs executed from user-writable paths
DeviceProcessEvents
| where FileName endswith ".exe"
| join kind=inner (
    DeviceFileEvents
    | where FileSize > 500000000  // >500 MB
    | where FileName endswith ".exe"
    | project DeviceId, FileName, DroppedSize = FileSize, DroppedPath = FolderPath
) on DeviceId, FileName   // match on the file name as well, not on DeviceId alone
| where DroppedPath has_any ("Downloads", "Temp", "AppData")
| project TimeGenerated, DeviceName, FileName, DroppedSize, DroppedPath, ProcessCommandLine

YARA Rule — Null-Byte Padded PE Detection

rule Inflated_PE_NullByte_Padding {
    meta:
        description = "Detects PE files with large null-byte padding (Lumma Stealer delivery)"
        author = "Security Research Team"
        date = "2026-04-26"
        reference = "https://isc.sans.edu/diary/32904"
    strings:
        $mz = { 4D 5A }
        $null_block = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
    condition:
        $mz at 0 and
        filesize > 500MB and
        #null_block > 1000
}

9. References

  1. Brad Duncan, SANS ISC — Lumma Stealer infection with Sectop RAT (ArechClient2), 2026-04-17

  2. Microsoft Security Blog — Lumma Stealer: Breaking down the delivery techniques and capabilities, 2025-05-21

  3. Trend Micro — Back to Business: Lumma Stealer Returns with Stealthier Methods, 2025-07-22

  4. Trend Micro — Lumma Stealer's GitHub-Based Delivery via MDR, 2025-01-30

  5. Microsoft On the Issues — Disrupting Lumma Stealer, 2025-05-21

  6. Malpedia — Lumma Stealer

  7. Malpedia — Sectop RAT

  8. ANY.RUN — Lumma Sample Analysis

  9. ANY.RUN — Sectop RAT DLL Analysis

FPT IS Security
