home.social

#sectoprat — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #sectoprat, aggregated by home.social.

  1. 2025-08-15 (Friday): Here are some images from a post I wrote for my employer on other social media platforms.

    This is from a #LummaStealer infection that led to #SectopRAT (#ArechClient2).

    A #pcap of the infection traffc, along with the associated #malware and artifacts are available at malware-traffic-analysis.net/2

  2. We've observed an interesting infection chain ⛓️ in the wild, starting with #LummaStealer spread through a fake gaming website and resulting in #Latrodectus and #SectopRat 🪲🔍👀

    See below for more ⬇️

  3. We've observed an interesting infection chain ⛓️ in the wild, starting with #LummaStealer spread through a fake gaming website and resulting in #Latrodectus and #SectopRat 🪲🔍👀

    See below for more ⬇️

  4. We've observed an interesting infection chain ⛓️ in the wild, starting with #LummaStealer spread through a fake gaming website and resulting in #Latrodectus and #SectopRat 🪲🔍👀

    See below for more ⬇️

  5. We've observed an interesting infection chain ⛓️ in the wild, starting with #LummaStealer spread through a fake gaming website and resulting in #Latrodectus and #SectopRat 🪲🔍👀

    See below for more ⬇️

  6. We've observed an interesting infection chain ⛓️ in the wild, starting with #LummaStealer spread through a fake gaming website and resulting in #Latrodectus and #SectopRat 🪲🔍👀

    See below for more ⬇️

  7. 2025-07-15 (Tuesday): #LummaStealer infection with #SecTopRAT.

    A #pcap of the #Lumma traffic and #SecTop #RAT activity, the #malware/artifacts from an infection, and the associated IOCs are available at malware-traffic-analysis.net/2

  8. I noticed new activity on one of the domains associated with the loader for SectopRAT, which I recently analyzed.

    It turns out, the threat actor was testing out new methods for initial access.

    I wrote up my findings in a short update.

    The killchain:
    .url file -> .lnk -> WMIC/mshta -> .hta -> VBScript -> PowerShell -> Loader

    rerednawyerg.github.io/posts/m

    IOCs
    cloudinstalller73489[.]shop
    pputty[.]us
    179.43.142[.]86

    #threatintel #sectoprat

  9. I got a chance to really dig into a malware sample stemming from a malicious Google ad, and finally finished a full writeup for it.

    To summarize: Google ad --> fake PuTTY download site --> loader --> dropper --> SectopRAT

    rerednawyerg.github.io/posts/m

    h/t @rmceoin
    h/t @dr4k0nia

    #SectopRAT #malvertising #intel