惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

云风的 BLOG
云风的 BLOG
IT之家
IT之家
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
V
Visual Studio Blog
博客园 - 司徒正美
美团技术团队
Last Week in AI
Last Week in AI
月光博客
月光博客
博客园 - 叶小钗
MongoDB | Blog
MongoDB | Blog
U
Unit 42
T
Tailwind CSS Blog
GbyAI
GbyAI
T
The Blog of Author Tim Ferriss
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
H
Hackread – Cybersecurity News, Data Breaches, AI and More
酷 壳 – CoolShell
酷 壳 – CoolShell
Google DeepMind News
Google DeepMind News
H
Help Net Security
Hugging Face - Blog
Hugging Face - Blog
爱范儿
爱范儿
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
N
Netflix TechBlog - Medium
B
Blog RSS Feed
大猫的无限游戏
大猫的无限游戏
aimingoo的专栏
aimingoo的专栏
A
About on SuperTechFans
Y
Y Combinator Blog
罗磊的独立博客
D
DataBreaches.Net
有赞技术团队
有赞技术团队
MyScale Blog
MyScale Blog
博客园_首页
博客园 - 三生石上(FineUI控件)
G
Google Developers Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
雷峰网
雷峰网
博客园 - 【当耐特】
Engineering at Meta
Engineering at Meta
博客园 - Franky
M
MIT News - Artificial intelligence
B
Blog
The Cloudflare Blog
Apple Machine Learning Research
Apple Machine Learning Research
I
InfoQ
S
SegmentFault 最新的问题
F
Fortinet All Blogs
阮一峰的网络日志
阮一峰的网络日志
Stack Overflow Blog
Stack Overflow Blog
Microsoft Security Blog
Microsoft Security Blog

SANS Internet Storm Center, InfoCON: green

From a VHDX File to a Remcos RAT - SANS Internet Storm Center ISC Stormcast For Tuesday, June 16th, 2026 https://isc.sans.edu/podcastdetail/9974 Evil MSI Background: BASE64 Statistical Analysis - SANS ISC ISC Stormcast For Monday, June 15th, 2026 https://isc.sans.edu/podcastdetail/9972 ISC Stormcast For Friday, June 12th, 2026 https://isc.sans.edu/podcastdetail/9970 ISC Stormcast For Thursday, June 11th, 2026 https://isc.sans.edu/podcastdetail/9968 How has use of framing protection security headers changed in the past 3 years? ISC Stormcast For Wednesday, June 10th, 2026 https://isc.sans.edu/podcastdetail/9966 Microsoft June 2026 Patch Tuesday - SANS Internet Storm Center ISC Stormcast For Tuesday, June 9th, 2026 https://isc.sans.edu/podcastdetail/9964 TeamPCP Supply Chain Campaign: Activity Through 2026-06-07 ISC Stormcast For Monday, June 8th, 2026 https://isc.sans.edu/podcastdetail/9962 The Evil MSI Background is Back! - SANS Internet Storm Center ISC Stormcast For Friday, June 5th, 2026 https://isc.sans.edu/podcastdetail/9960 Microsoft's Coreutils for Windows - SANS Internet Storm Center ISC Stormcast For Thursday, June 4th, 2026 https://isc.sans.edu/podcastdetail/9958 Continuing Scans for swagger.json - SANS Internet Storm Center ISC Stormcast For Wednesday, June 3rd, 2026 https://isc.sans.edu/podcastdetail/9956 New Wave Of Phishing Emails with SVG Files - SANS ISC ISC Stormcast For Tuesday, June 2nd, 2026 https://isc.sans.edu/podcastdetail/9954 ISC Stormcast For Monday, June 1st, 2026 https://isc.sans.edu/podcastdetail/9952 Unidentified RAT pushes NetSupport RAT - SANS ISC YARA-X 1.17.0 Release - SANS Internet Storm Center ISC Stormcast For Friday, May 29th, 2026 https://isc.sans.edu/podcastdetail/9950 Analysis of a Year of Files Uploaded to DShield Sensors ISC Stormcast For Thursday, May 28th, 2026 https://isc.sans.edu/podcastdetail/9948 Reconstructing an Akira Ransomware Kill Chain from Perimeter and Endpoint Logs ISC Stormcast For Wednesday, May 27th, 2026 https://isc.sans.edu/podcastdetail/9946 ISC Stormcast For Tuesday, May 26th, 2026 https://isc.sans.edu/podcastdetail/9944 Possible ACR Stealer From Page Impersonating Claude Microsoft Access VBA - SANS Internet Storm Center Wireshark 4.6.6 Released - SANS Internet Storm Center An Example of Stack String in High Level Language - SANS ISC Cross-Platform NPM Stealer - SANS Internet Storm Center ISC Stormcast For Friday, May 22nd, 2026 https://isc.sans.edu/podcastdetail/9942 Selective HTTP Proxying in Linux - SANS Internet Storm Center ISC Stormcast For Thursday, May 21st, 2026 https://isc.sans.edu/podcastdetail/9940 ISC Stormcast For Wednesday, May 20th, 2026 https://isc.sans.edu/podcastdetail/9938 ISC Stormcast For Tuesday, May 19th, 2026 https://isc.sans.edu/podcastdetail/9936 TeamPCP Supply Chain Campaign: Activity Through 2026-05-17 [Guest Diary] New Malware Libraries means New Signatures ISC Stormcast For Friday, May 15th, 2026 https://isc.sans.edu/podcastdetail/9934 Simple bypass of the link preview function in Outlook Junk folder ISC Stormcast For Thursday, May 14th, 2026 https://isc.sans.edu/podcastdetail/9932 [GUEST DIARY] Tearing apart website fraud to see how it works. ISC Stormcast For Wednesday, May 13th, 2026 https://isc.sans.edu/podcastdetail/9930 Proxying the Unproxyable? Sending EXE traffic to a Proxy Microsoft May 2026 Patch Tuesday - SANS Internet Storm Center ISC Stormcast For Tuesday, May 12th, 2026 https://isc.sans.edu/podcastdetail/9928 Apple Patches Everything - SANS Internet Storm Center Why we use CAPTCHAs - SANS Internet Storm Center ISC Stormcast For Monday, May 11th, 2026 https://isc.sans.edu/podcastdetail/9926 YARA-X 1.16.0 Release - SANS Internet Storm Center Another Universal Linux Local Privilege Escalation (LPE) Vulnerability: Dirty Frag ISC Stormcast For Friday, May 8th, 2026 https://isc.sans.edu/podcastdetail/9924 ISC Stormcast For Wednesday, May 6th, 2026 https://isc.sans.edu/podcastdetail/9920 Cleartext Passwords in MS Edge? In 2026? - SANS ISC SSL.com rotates their root certificate today - SANS ISC ISC Stormcast For Tuesday, May 5th, 2026 https://isc.sans.edu/podcastdetail/9918 TeamPCP Weekly Analysis: 2026-W18 (2026-04-27 through 2026-05-03) DShield Honeypot Update - SANS Internet Storm Center ISC Stormcast For Monday, May 4th, 2026 https://isc.sans.edu/podcastdetail/9916 Wireshark 4.6.5 Released - SANS Internet Storm Center Malicious Ad for Homebrew Leads to MacSync Stealer ISC Stormcast For Friday, May 1st, 2026 https://isc.sans.edu/podcastdetail/9914 ISC Stormcast For Thursday, April 30th, 2026 https://isc.sans.edu/podcastdetail/9912 Danger of Libredtail [Guest Diary] - SANS Internet Storm Center Today's Odd Web Requests - SANS Internet Storm Center ISC Stormcast For Wednesday, April 29th, 2026 https://isc.sans.edu/podcastdetail/9910 HTTP Requests with X-Vercel-Set-Bypass-Cookie Header ISC Stormcast For Tuesday, April 28th, 2026 https://isc.sans.edu/podcastdetail/9908 TeamPCP Supply Chain Campaign: Update 008 - 26-Day Pause Ends with Three Concurrent Compromises (Checkmarx KICS, Bitwarden CLI Cascade, xinference PyPI), CanisterSprawl npm Worm Identified, and Tier 1 Coverage Returns ISC Stormcast For Friday, April 24th, 2026 https://isc.sans.edu/podcastdetail/9906 Apple Patches Exploited Notification Flaw - SANS ISC ISC Stormcast For Thursday, April 23rd, 2026 https://isc.sans.edu/podcastdetail/9904 ISC Stormcast For Wednesday, April 22nd, 2026 https://isc.sans.edu/podcastdetail/9902 [Guest Diary] Beyond Cryptojacking: Telegram tdata as a Credential Harvesting Vector, Lessons from a Honeypot Incident, (Wed, Apr 22nd) A .WAV With A Payload - SANS Internet Storm Center ISC Stormcast For Tuesday, April 21st, 2026 https://isc.sans.edu/podcastdetail/9900 Handling the CVE Flood With EPSS - SANS Internet Storm Center ISC Stormcast For Monday, April 20th, 2026 https://isc.sans.edu/podcastdetail/9898 ISC Stormcast For Friday, April 17th, 2026 https://isc.sans.edu/podcastdetail/9896 ISC Stormcast For Thursday, April 16th, 2026 https://isc.sans.edu/podcastdetail/9894 [Guest Diary] Compromised DVRs and Finding Them in the Wild ISC Stormcast For Wednesday, April 15th, 2026 https://isc.sans.edu/podcastdetail/9892 Scanning for AI Models - SANS Internet Storm Center Microsoft Patch Tuesday April 2026. - SANS ISC ISC Stormcast For Tuesday, April 14th, 2026 https://isc.sans.edu/podcastdetail/9890 Scans for EncystPHP Webshell - SANS Internet Storm Center ISC Stormcast For Monday, April 13th, 2026 https://isc.sans.edu/podcastdetail/9888 Obfuscated JavaScript or Nothing - SANS Internet Storm Center ISC Stormcast For Thursday, April 9th, 2026 https://isc.sans.edu/podcastdetail/9886 Number Usage in Passwords: Take Two - SANS ISC TeamPCP Supply Chain Campaign: Update 007 - Cisco Source Code Stolen via Trivy-Linked Breach, Google GTIG Tracks TeamPCP as UNC6780, and CISA KEV Deadline Arrives with No Standalone Advisory More Honeypot Fingerprinting Scans - SANS Internet Storm Center ISC Stormcast For Wednesday, April 8th, 2026 https://isc.sans.edu/podcastdetail/9884 A Little Bit Pivoting: What Web Shells are Attackers Looking for? ISC Stormcast For Tuesday, April 7th, 2026 https://isc.sans.edu/podcastdetail/9882 How often are redirects used in phishing in 2026? - SANS ISC ISC Stormcast For Monday, April 6th, 2026 https://isc.sans.edu/podcastdetail/9880
Lumma Stealer infection with Sectop RAT (ArechClient2)
2026-04-17 · via SANS Internet Storm Center, InfoCON: green

Introduction

This diary provides indicators from a Lumma Stealer infection that was followed by Sectop RAT (ArechClient2). I searched for cracked versions of popular copyright-protected software, and I downloaded the initial malware after following the results of one such search. This is a common distribution technique for various families of malware, and I often find Lumma Stealer this way.

In this case, the initial malware for Lumma Stealer was delivered as a password-protected 7-zip archive. The extracted malware is an inflated Windows executable (EXE) file at 806 MB. The EXE is padded with null-bytes (0x00), a technical which increases the EXE size while allowing the compressed archive file to be much smaller. The password-protected archive and inflated EXE file are designed to avoid detection.

Images from the infection


Shown above: Example of a page with instructions to download the initial malware file.


Shown above: Traffic from the infection filtered in Wireshark.


Shown above: Sectop RAT persistent on an infected Windows host.

Indicators of Compromise

Example of download link from the site advertising cracked versions of copyright-protected software:

hxxps[:]//incolorand[.]com/how-visual-patch-enhances-ui-consistency-across-releases/?utm_source={CID}&utm_term=Adobe%20Premiere%20Pro%20(2026)%20Full%20v26.0.2%20Espa%C3%B1ol%20[Mega]&utm_content={SUBID1}&utm_medium={SUBID2}

Example of URL for page with the file download instructions:

hxxps[:]//mega-nz.goldeneagletransport[.]com/Adobe_Premiere_Pro_%282026%29_Full_v26.0.2_Espa%C3%B1ol_%5BMega%5D.zip?c=ABUZ4WkRgQUA_YUCAFVTFwASAAAAAACh&s=360721

Example of URL for file download from site above site impersonating MEGA:

hxxps[:]//arch.primedatahost3[.]cfd/auth/media/JvWcFd5vUoYTrImvtWQAASTh/Adobe_Premiere_Pro_(2026)_Full_v26.0.2_Espa%C3%B1ol_%5BMega%5D.zip

Downloaded file:

Extracted malware:

  • SHA256 hash: 4849f76dafbef516df91fecfc23a72afffaf77ade51f805eae5ad552bed88923
  • File size: 806,127,604 bytes
  • File name: appFile.exe
  • File type: PE32 executable (GUI) Intel 80386, for MS Windows
  • File description: Inflated Windows EXE file for Lumma Stealer, padded with null-bytes

Deflated malware:

Lumma Stealer command and control (C2) domains from Triage sandbox analysis:

  • cankgmr[.]cyou
  • carytui[.]vu
  • decrnoj[.]club
  • genugsq[.]best
  • longmbx[.]click
  • mushxhb[.]best
  • pomflgf[.]vu
  • strikql[.]shop
  • ulmudhw[.]shop

Follow-up malware:

Example of Sectop RAT C2 traffic from an infected Windows host:

  • hxxp[:]//91.92.241[.]102:9000/wmglb
  • hxxp[:]//91.92.241[.]102:9000/wbinjget?q=66B553A8B94CE37C16F4EBC863D51FCC
  • tcp[:]//91.92.241[.]102:443/ - encoded or otherwise encrypted traffic (not HTTPS/TLS)

---
Bradley Duncan
brad [at] malware-traffic-analysis.net