Lumma Stealer infection with Sectop RAT (ArechClient2)
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
The report outlines a two-stage infection chain in which Lumma Stealer is initially delivered through a password-protected 7-Zip archive, followed by the loading of a Sectop RAT (ArechClient2) DLL at a later stage. The first payload arrives as a bloated Windows executable padded with null bytes, a tactic likely intended to evade detection and complicate analysis. The malware is distributed through compromised download pages that mimic legitimate services, increasing the likelihood of user execution. Network telemetry linked the activity to multiple malicious domains and a known IP address used for command-and-control communication.
Investigation
The analyst obtained the malicious archive, extracted the oversized executable, and examined its reduced form after deflation. Sandbox analysis revealed several command-and-control domains associated with Lumma Stealer, along with a separate DLL component that loaded Sectop RAT through rundll32. Network captures also showed HTTP traffic to a malicious IP address over ports 9000 and 443, with the exchanged data appearing to be encoded.
Mitigation
Organizations should use content inspection tools capable of identifying inflated executables and password-protected archives. Known malicious domains and IP addresses tied to the campaign should be blocked at the network layer. Defenders should also monitor for suspicious rundll32 activity involving unexpected DLLs and track outbound connections to the identified command-and-control infrastructure. Strong download controls and restrictions on file-sharing sites hosting cracked or untrusted software can further reduce exposure.
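An added example (not code from the report) of the inspection logic for inflated executables: it measures the trailing null-byte run of a file, flags it against assumed thresholds, and shows why the deflated copy no longer matches a SHA256 IoC published for the file as distributed. The sample bytes are constructed stand-ins, not the real payload.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for a bloated executable and a normal one (not the real
# sample): a tiny "MZ" header plus content, then a long run of null padding.
SAMPLE_BLOATED = b"MZ\x90\x00" + b"PAYLOAD" * 100 + b"\x00" * 50_000
SAMPLE_NORMAL = b"MZ\x90\x00" + b"PAYLOAD" * 100 + b"\x00" * 16


@dataclass
class PaddingStats:
    total: int
    trailing_nulls: int

    @property
    def ratio(self) -> float:
        return self.trailing_nulls / self.total if self.total else 0.0


def padding_stats(data: bytes) -> PaddingStats:
    """Measure the run of null bytes at the end of the file (overlay padding)."""
    kept = len(data.rstrip(b"\x00"))
    return PaddingStats(total=len(data), trailing_nulls=len(data) - kept)


def is_inflated(data: bytes, min_trailing: int = 1024, min_ratio: float = 0.5) -> bool:
    """Flag an MZ file whose tail is mostly null padding. The thresholds are
    assumptions; tune them against a baseline of known-clean installers."""
    if data[:2] != b"MZ":
        return False
    stats = padding_stats(data)
    return stats.trailing_nulls >= min_trailing and stats.ratio >= min_ratio


def deflate(data: bytes) -> bytes:
    """Strip the trailing padding for analysis. This is a triage copy only: hash
    IoCs for the campaign match the file as distributed, not the deflated form."""
    return data.rstrip(b"\x00")


def hashes(data: bytes) -> tuple[str, str]:
    """SHA256 of the original and of the deflated copy, to show that they differ."""
    return hashlib.sha256(data).hexdigest(), hashlib.sha256(deflate(data)).hexdigest()
```

Feed `is_inflated` the bytes of a downloaded executable to triage it, and hash both forms so the inflated hash is the one compared against IoC lists.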
Response
Security teams should alert when password-protected 7-Zip archives are downloaded from suspicious URLs. Additional detections should focus on execution of unusually large padded executables and rundll32 launching DLLs from temporary or user-accessible directories. Network telemetry should be correlated against the listed domains and IP address, and any affected systems should be quarantined immediately for investigation and remediation.
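An added example of the rundll32 check described above, written here as Python over constructed process_creation events rather than taken from the report's own rule: it parses the DLL path and export name from the command line and flags loads from user-writable directories. The directory list and the sample events are assumptions.

```python
import re

# Constructed process_creation events (not telemetry from the report).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\NetGui.dll,LoadForm"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\alice\Downloads\setup.dll",#1'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\AppData\Local\Temp\notes.txt"},
]

# Directories a legitimate rundll32 load rarely comes from (assumed list; extend it
# from your own baseline). Lower-cased, with surrounding separators.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\",
                   "\\programdata\\", "\\windows\\temp\\")

# First .dll argument, optionally quoted, with an optional ",Export" or ",#ordinal".
DLL_ARG = re.compile(r'"?(?P<dll>[a-z]:\\[^",]+?\.dll)"?\s*(?:,\s*(?P<export>\S+))?',
                     re.IGNORECASE)


def parse_rundll32(cmdline: str):
    """Return (dll_path, export_or_None), or None if no DLL argument is present."""
    m = DLL_ARG.search(cmdline)
    return (m.group("dll"), m.group("export")) if m else None


def is_suspicious_rundll32(event: dict) -> tuple[bool, str]:
    """Flag rundll32 loading a DLL from a user-writable path; returns (flag, reason)."""
    if not event["Image"].lower().endswith(r"\rundll32.exe"):
        return False, "not rundll32"
    parsed = parse_rundll32(event["CommandLine"])
    if parsed is None:
        return False, "no dll argument"
    dll, export = parsed
    if any(d in dll.lower() for d in SUSPICIOUS_DIRS):
        return True, f"rundll32 loaded {dll} (export {export}) from a user-writable path"
    return False, "dll in a system path"


def flag_events(events: list) -> list:
    """Run the check over a batch of events and return the reasons for each hit."""
    return [reason for e in events for flag, reason in [is_suspicious_rundll32(e)] if flag]
```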
Attack Flow
graph TB
%% Class definitions
classDef technique fill:#ffcc99
classDef tool fill:#c2f0c2
classDef malware fill:#ffb3b3
classDef operator fill:#ff9900
%% Nodes
technique_content_injection["<b>Technique</b> – <b>T1659 Content Injection</b><br/>Compromise websites to inject malicious resources like download links."]
class technique_content_injection technique
tool_lumma_stealer["<b>Tool</b> – <b>Name</b>: Lumma Stealer<br/><b>Function</b>: Harvests stored passwords and credential manager entries."]
class tool_lumma_stealer tool
technique_obfuscation_files["<b>Technique</b> – <b>T1027 Obfuscated Files or Information</b><br/>Encode or encrypt payloads to hide malicious content."]
class technique_obfuscation_files technique
technique_compression["<b>Technique</b> – <b>T1027.015 Archive via Utility</b><br/>Use password-protected 7-zip archive to conceal payload."]
class technique_compression technique
technique_credential_store["<b>Technique</b> – <b>T1555 Credentials from Password Stores</b><br/>Extract credentials saved in browsers, apps, or OS stores."]
class technique_credential_store technique
technique_credential_manager["<b>Technique</b> – <b>T1555.004 Windows Credential Manager</b><br/>Dump credentials stored in Windows Credential Manager."]
class technique_credential_manager technique
technique_unsecured_file["<b>Technique</b> – <b>T1552.001 Unsecured Credentials in Files</b><br/>Read credential data left in plain-text files."]
class technique_unsecured_file technique
technique_rundll32_proxy["<b>Technique</b> – <b>T1218.011 Rundll32</b><br/>Execute DLL code via rundll32.exe with LoadForm entrypoint."]
class technique_rundll32_proxy technique
technique_appcert_dll["<b>Technique</b> – <b>T1546.009 AppCert DLL</b><br/>Trigger DLL loading through Application Certification mechanism."]
class technique_appcert_dll technique
malware_netgui_dll["<b>Malware</b> – <b>Name</b>: NetGui.dll<br/><b>Role</b>: Dropped DLL loaded by rundll32."]
class malware_netgui_dll malware
technique_web_protocol["<b>Technique</b> – <b>T1071.001 Web Protocols</b><br/>Use HTTP/HTTPS for command and control traffic."]
class technique_web_protocol technique
technique_bidirectional["<b>Technique</b> – <b>T1102.002 Bidirectional Web Service</b><br/>Exchange commands and data over a web service channel."]
class technique_bidirectional technique
technique_encrypted_channel["<b>Technique</b> – <b>T1573 Encrypted Channel</b><br/>Encrypt C2 traffic to evade detection."]
class technique_encrypted_channel technique
technique_protocol_tunneling["<b>Technique</b> – <b>T1572 Protocol Tunneling</b><br/>Encapsulate malicious traffic inside legitimate protocols."]
class technique_protocol_tunneling technique
technique_data_obfuscation["<b>Technique</b> – <b>T1001 Data Obfuscation</b><br/>Obfuscate payload data to hide its purpose."]
class technique_data_obfuscation technique
%% Connections
technique_content_injection -->|uses| tool_lumma_stealer
tool_lumma_stealer -->|delivers| technique_obfuscation_files
technique_obfuscation_files -->|includes| technique_compression
technique_compression -->|leads to| technique_credential_store
technique_credential_store -->|also uses| technique_credential_manager
technique_credential_manager -->|and| technique_unsecured_file
technique_unsecured_file -->|enables| technique_rundll32_proxy
technique_rundll32_proxy -->|loads| malware_netgui_dll
malware_netgui_dll -->|triggers| technique_appcert_dll
technique_appcert_dll -->|establishes| technique_web_protocol
technique_web_protocol -->|uses| technique_bidirectional
technique_bidirectional -->|protected by| technique_encrypted_channel
technique_encrypted_channel -->|further hidden via| technique_protocol_tunneling
technique_protocol_tunneling -->|uses| technique_data_obfuscation
Detections
- Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
- Rundll32 Dll Suspicious Path Execution (via process_creation)
- Suspicious Scheduled Task (via audit)
- Suspicious Command and Control by Unusual Top Level Domain (TLD) DNS Request (via dns)
- IOCs (HashSha256) to detect: Lumma Stealer infection with Sectop RAT (ArechClient2)
- IOCs (SourceIP) to detect: Lumma Stealer infection with Sectop RAT (ArechClient2)
- IOCs (DestinationIP) to detect: Lumma Stealer infection with Sectop RAT (ArechClient2)
- Detection of Sectop RAT Command and Control Traffic [Windows Network Connection]
- Lumma Stealer and Sectop RAT (ArechClient2) Infection Detection [Windows File Event]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Attack Narrative & Commands:
The simulated attacker first obtains the Lumma Stealer archive (adobe_premiere_pro_(2026)_full_v26.0.2_español_[mega].7z) from a compromised download site. The archive is dropped to the user’s Downloads folder, then extracted, writing the malicious DLL 16XBPQ29ZBG94TYNOA.dll into the user’s Temp directory. The presence of this DLL is the exact indicator the Sigma rule watches for, representing the payload stage that enables credential harvesting for the subsequent Sectop RAT infection.
Regression Test Script:
# Simulate Lumma Stealer drop and DLL injection
$archiveName = "adobe_premiere_pro_(2026)_full_v26.0.2_español_[mega].7z"
$downloadDir = "$env:USERPROFILE\Downloads"
$tempDllPath = "$env:LOCALAPPDATA\Temp\16XBPQ29ZBG94TYNOA.dll"
# Step 1: Create a dummy archive file (simulating the download)
New-Item -Path (Join-Path $downloadDir $archiveName) -ItemType File -Force | Out-Null
# Step 2: Simulate extraction – create the malicious DLL in the Temp folder
New-Item -Path $tempDllPath -ItemType File -Force | Out-Null
Write-Host "Simulation complete: $archiveName created and DLL dropped to Temp."
Cleanup Commands:
# Remove simulated artifacts
# -LiteralPath is required: the archive name contains [ ], which -Path would treat as a wildcard character class
Remove-Item -LiteralPath "$env:USERPROFILE\Downloads\adobe_premiere_pro_(2026)_full_v26.0.2_español_[mega].7z" -Force -ErrorAction SilentlyContinue
Remove-Item -LiteralPath "$env:LOCALAPPDATA\Temp\16XBPQ29ZBG94TYNOA.dll" -Force -ErrorAction SilentlyContinue
Write-Host "Cleanup complete."