#ARECHCLIENT2
Guest Post: Fake PDF Converters Used to Deploy ArechClient2 Malware Warns CloudSEK CloudSEK’s s...

https://itnerd.blog/2025/04/15/guest-post-fake-pdf-converters-used-to-deploy-arechclient2-malware-warns-cloudsek/

#Commentary #CloudSEK

April 15, 2025 at 2:56 PM
Guest Post: Fake PDF Converters Used to Deploy ArechClient2 Malware Warns CloudSEK

CloudSEK's security researchers have uncovered a sophisticated malware campaign using fake PDF-to-DOCX conversion tools to infect unsuspecting users with a powerful information stealer. This comes just weeks after the FBI's Denver office issued a public alert warning of malicious online file converters being leveraged to deliver malware. The report reveals how cybercriminals have crafted deceptive websites, such as candyxpdf[.]com and candyconverterpdf[.]com, that meticulously mimic the legitimate pdfcandy.com service.
itnerd.blog
April 15, 2025 at 2:41 PM
Fake PDFCandy sites using Google Ads spread ArechClient2 malware. #malware #phishing #cybersecurity
Fake PDFCandy Websites Distribute ArechClient2 Malware
gbhackers.com
April 17, 2025 at 12:27 PM
~Elastic~
Campaign uses ClickFix social engineering to deliver GHOSTPULSE loader, which then deploys the ARECHCLIENT2 infostealer/RAT.
-
IOCs: 50. 57. 243. 90, 144. 172. 97. 2, 143. 110. 230. 167
-
#ARECHCLIENT2 #ClickFix #ThreatIntel
ClickFix Campaign Deploys ARECHCLIENT2
www.elastic.co
June 17, 2025 at 12:38 PM
Highly Obfuscated .NET sectopRAT Mimic as Chrome Extension sectopRAT, also known as Arechclient2,...

https://cyberpress.org/highly-obfuscated-net-sectoprat-mimic/

#Chrome #Cyber #security #Security #News #Cybersecurity #Cyber #Security #Cyber #security #news

Highly Obfuscated .NET sectopRAT Mimic as Chrome Extension
sectopRAT, also known as Arechclient2, is a highly obfuscated Remote Access Trojan (RAT) developed in .NET, leveraging advanced obfuscation techniques.
cyberpress.org
February 19, 2025 at 10:25 AM
SHELLTER: commercial evasion framework used in the wild for info-stealers and advanced loaders, with encryption, polymorphism and anti-EDR techniques on Windows.

#ARECHCLIENT2 #INFOSTEALER #Lumma #Rhadamanthys #SHELLTER
www.matricedigitale.it/2025/07/08/s...
July 8, 2025 at 6:40 AM
We identified this malware as #HijackLoader, with the final payload being Arechclient2 RAT. This combination has been previously observed by RedCanary here: x.com/redcanary/st...

A complete analysis of HijackLoader is beyond the scope of this thread, but stay tuned for long-form content 👀

6/8🧵
Red Canary on X: "Last month we noticed a surprising payload combination in some paste and run (aka ClickFix and fakeCAPTCHA) campaigns: HijackLoader dropping the Arechclient2 RAT. 🐀 💡 Learn more about Arechclient2 and the rest of the month's top 10 threats in our April Intelligence Insights: https://t.co/TRLwhgIknY" / X
x.com
April 25, 2025 at 3:58 PM
Fake PDF converters exploit user trust to install the ArechClient2 malware via PowerShell commands and advanced social engineering.

#adobeziptrojan #arechclient2 #candyxpdf #cybercrime #falsiconvertitoripdf #informationstealer #malware
www.matricedigitale.it/sicurezza-in...
April 17, 2025 at 6:13 PM
Beware: Fake PDFCandy Converts Your Files into a Cybersecurity Nightmare!

Discover the sneaky malware campaign mimicking PDFCandy.com to spread ArechClient2. Learn the tricks and dodge the traps with Hackread's expert insights!
thenimblenerd.com?p=1042849
Beware of PDFCandy.com's evil twin! Cybercriminals are impersonating this popular file converter to distribute the ArechClient2 malware. With a fake website and sneaky CAPTCHA, unsuspecting users fall into their trap. Stay alert and verify URLs to dodge this cunning scam.
thenimblenerd.com
April 15, 2025 at 5:33 PM
Elastic Security Labs has observed the ClickFix technique gaining popularity for multi-stage campaigns that deliver various malware using social engineering tactics. In one of these campaigns GHOSTPULSE loader is distributed and leads to LUMMA & ARECHCLIENT2. www.elastic.co/security-lab...
June 18, 2025 at 9:55 AM
Arechclient2 (sectopRAT) Analysis – A Highly Obfuscated .NET RAT with Malicious Chrome Extension www.reddit.com/r/ReverseEng...
www.reddit.com
February 18, 2025 at 12:39 PM
Arechclient2 (sectopRAT) Analysis – A Highly Obfuscated .NET RAT with Malicious Chrome Extension
malwr-analysis.com
February 18, 2025 at 12:24 PM
Lumma Stealer to SectopRAT: A Deep Dive into the Latest Malware Chain Attack

Introduction: The cybersecurity landscape faces yet another sophisticated attack chain, where Lumma Stealer infections escalate into full SectopRAT (ArechClient2) deployments. This malware campaign leverages deceptive downloads, persistence mechanisms, and command-and-control (C2) infrastructure to compromise victim machines. Below, we dissect the attack flow, provide actionable detection/mitigation steps, and analyze its implications. Learning Objectives: Understand the infection chain from Lumma Stealer to SectopRAT.
undercodetesting.com
August 15, 2025 at 10:22 PM
~Elastic~
Threat actors are using the commercial evasion framework SHELLTER to deploy infostealers like LUMMA, ARECHCLIENT2, and RHADAMANTHYS.
-
IOCs: eaglekl. digital, 185. 156. 72. 80, 94. 141. 12. 182
-
#Infostealer #SHELLTER #ThreatIntel
SHELLTER Evasion Framework Abused In-the-Wild
www.elastic.co
July 3, 2025 at 4:05 PM
Highly Obfuscated .NET sectopRAT Mimic as Chrome Extension sectopRAT, also known as Arechclient2,...

https://cyberpress.org/highly-obfuscated-net-sectoprat-mimic/

#Chrome #Cyber #security #Security #News #Cybersecurity #Cyber #Security #Cyber #security #news

Highly Obfuscated .NET sectopRAT Mimic as Chrome Extension
sectopRAT, also known as Arechclient2, is a highly obfuscated Remote Access Trojan (RAT) developed in .NET, leveraging advanced obfuscation techniques.
cyberpress.org
February 18, 2025 at 6:41 PM
2025-08-15 (Friday): Information from a social media post I wrote for my employer about a #LummaStealer infection leading to #SectopRAT (#ArechClient2). A #pcap of the infection traffic, along with the associated #malware and artifacts, is available at www.malware-traffic-analysis.net/2025/08/15/i...
August 15, 2025 at 11:11 PM
Fake PDFCandy File Converter Websites Spread Malware

CloudSEK uncovers a sophisticated malware campaign where attackers impersonate PDFCandy.com to distribute the ArechClient2 information stealer. Learn how…

#hackernews #news
hackread.com
April 16, 2025 at 5:33 PM