{
	"id": "1a029db5-b08c-47fb-8bcf-e7bd09c650ff",
	"created_at": "2026-04-06T00:14:57.330079Z",
	"updated_at": "2026-04-10T13:11:48.843153Z",
	"deleted_at": null,
	"sha1_hash": "d23ec0d436d758c96acc8301fe629c3fd6e23723",
	"title": "New SectopRAT - Remote access malware utilizes second desktop to control browsers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43092,
	"plain_text": "New SectopRAT - Remote access malware utilizes second desktop to control browsers\r\nBy Karsten Hahn\r\nPublished: 2019-11-21 · Archived: 2026-04-05 18:50:46 UTC\r\nGeneral appearance and obfuscation\r\nSectopRAT is a .NET based remote access malware. The sample[1] was originally found by MalwareHunterTeam and announced in a tweet on 15 November 2019. It was compiled on 13 November 2019. Using the following YARA rule we were able to obtain a second sample[2] that was compiled on 14 November 2019 and submitted a day later to VirusTotal.\r\nrule SectopRat\r\n{\r\n    meta:\r\n        author = \"Karsten Hahn at G DATA CyberDefense AG\"\r\n    strings:\r\n        $s_1 = \"RemoteClient\\x00\"\r\n        $s_2 = \"InitHDesktop\\x00\"\r\n        $s_3 = \"InitBrowser\\x00\"\r\n        $s_4 = \"EnoghtSpace\\x00\"\r\n        $s_5 = \"SPI_SETSCREENSAVEACTIVE\\x00\"\r\n    condition:\r\n        all of them and\r\n        uint16(0) == 0x5A4D\r\n}\r\nThe first sample[1] is signed by Sectigo RSA Code Signing CA, uses a Flash icon and has the following Version Information.\r\nlanguage ID: 0x0409\r\ncode page: 0x04B0\r\nComments: Idito PleasweN MinIMus Inc.\r\nCompanyName: Nikler\r\nLegalCopyright: Nikler\r\nProductName: Idito PleasweN MinIMus Inc.\r\nFileVersion: 3.21.0005\r\nProductVersion: 3.21.0005\r\nInternalName: Burataslop\r\nOriginalFilename: Burataslop.exe\r\nThe second sample[2] is not signed and uses an icon that looks like a red floppy disk. The Version Information looks different too but follows a similar pattern of upper and lower case combinations in a jumble of arbitrary words.\r\nlanguage ID: 0x0409\r\ncode page: 0x04B0\r\nComments: errORs KilEfnos INCreASe MY Wife\r\nCompanyName: LAkoRasen Kuscev MeaninG Jow\r\nLegalCopyright: FAW ISir Polaris ComapNY\r\nLegalTrademarks: investORS Leanda MikiRUck\r\nProductName: Colleti\r\nFileVersion: 4.01.0009\r\nProductVersion: 4.01.0009\r\nInternalName: Veerfus413\r\nOriginalFilename: Veerfus413.exe\r\nThe first section of both samples has arbitrary characters for its name and has write and execute characteristics. The 5th and last section has no name and contains the entry point. The other sections look rather typical.\r\nThe threat actor used ConfuserEx to obfuscate the control flow and add anti-tamper to the .NET assembly. The anti-tamper prevents tools like dnSpy from decompiling the code (see picture below).\r\nhttps://www.gdatasoftware.com/blog/2019/11/35548-new-sectoprat-remote-access-malware-utilizes-second-desktop-to-control-browsers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2019/11/35548-new-sectoprat-remote-access-malware-utilizes-second-desktop-to-control-browsers"
	],
	"report_names": [
		"35548-new-sectoprat-remote-access-malware-utilizes-second-desktop-to-control-browsers"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434497,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d23ec0d436d758c96acc8301fe629c3fd6e23723.pdf",
		"text": "https://archive.orkl.eu/d23ec0d436d758c96acc8301fe629c3fd6e23723.txt",
		"img": "https://archive.orkl.eu/d23ec0d436d758c96acc8301fe629c3fd6e23723.jpg"
	}
}