{
	"id": "c036ff74-1a58-42ef-b432-1aa55da21b0d",
	"created_at": "2026-04-06T00:13:04.207084Z",
	"updated_at": "2026-04-10T03:24:29.204134Z",
	"deleted_at": null,
	"sha1_hash": "ed761bdbf1b57cc3c531669c44539b786aa9dd3b",
	"title": "SecTopRAT: A Dangerous Remote Access Trojan Spreading Through Google Fake Ads",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3915810,
	"plain_text": "SecTopRAT: A Dangerous Remote Access Trojan Spreading\r\nThrough Google Fake Ads\r\nBy Sarviya\r\nPublished: 2025-02-28 · Archived: 2026-04-05 20:35:07 UTC\r\n6 min read\r\nFeb 28, 2025\r\nSecTopRAT is a type of Remote Access Trojan (RAT) that gives attackers unauthorized access to a victim’s system. It allows them to execute commands, steal sensitive data, and even take full control of the infected device. This malware is often spread through malicious software bundles, phishing emails, or deceptive ads, such as fake Chrome installers promoted via Google Ads.\r\nCybercriminals are misusing Google Ads to distribute malware, tricking users into downloading fake Chrome installers from fraudulent Google Sites pages. These pages serve as intermediaries, delivering SecTopRAT or other malicious payloads to unsuspecting victims.\r\nThis tactic is similar to past large-scale phishing attacks targeting Google accounts, showing how attackers continuously refine their methods to exploit trusted platforms. To stay safe, users should be cautious when clicking on sponsored ads and only download software from official sources.\r\nFigure 1: Downloading Googlechrome.exe — by Fake ads\r\nCybercriminals are abusing Google Ads to distribute SecTopRAT by promoting a fake Chrome installer via a fraudulent website (https://chrome.browser.com.de), shown in Figure 1. Unsuspecting users who download googlechrome.exe from this site risk malware infection and system compromise.\r\nhttps://medium.com/@sarviyamalwareanalyst/sectoprat-a-dangerous-remote-access-trojan-spreading-through-google-fake-ads-0c43a15c1cd8\r\nPage 1 of 13\r\nIn-Depth Analysis of Malware: A Comprehensive Breakdown\r\nNow, let’s dive into a thorough analysis of this malware, examining its behaviour, impact, and mitigation strategies in detail.\r\nFigure 2: DIE — Overlay\r\nLoad the downloaded googlechrome.exe (w.dat) file into DIE (Detect It Easy), which indicates that the file is packed and contains an unusual overlay. As shown in Figure 2, the highlighted overlay details reveal a starting offset of 0x0081FE00 and a size of 0x980F74D in DIE.\r\nFigure 3. HxD — Select Block\r\nOpen googlechrome.exe (w.dat) in HxD and press Ctrl + E to select a block of data. Enter the start offset as 0x81FE00 and the length as 0x980F74. After selecting the block, copy it and paste it into a new HxD window.\r\nFigure 4. HxD — Delete data before MZ\r\nAfter copying the selected block, remove the zero-padded data before the “4D 5A” (MZ header) in HxD. Once cleaned, save the file.\r\nFigure 5. Extracted overlay File Hash\r\nNext Phase:\r\nFigure 6. DIE — Extracted overlay File\r\nOpen the extracted overlay file in DIE, which identifies it as .NET malware. This file also has an unusual overlay, with a starting offset of 0x2E00 and a size of 0x97DF75. Extract the overlay in HxD by selecting the start offset and size, copying the block, pasting it into a new HxD window, removing the data before “4D 5A”, and saving the file.\r\nClicking the Entropy option shows that the file has high entropy, indicating that it is packed.\r\nFigure 8: DIE — Overlay-Another MZ File\r\nClicking the Overlay option and scrolling down to 0x200 reveals another “MZ” header, indicating the presence of another file within the overlay.\r\nPhase 3:\r\nFigure 9. Load the\r\nOpen the extracted overlay file from googlechrome.exe in dnSpy, then right-click and select “Go to Entry Point”; scrolling up reveals the link shown in the figure above.\r\nFigure 10. Execute the script\r\nThe OnStartup() method is triggered when the application starts. It calls RunApplicationAsync(), which is responsible for fetching and executing the remote script. If an exception occurs, the program ensures that the MainWindow UI is displayed, possibly to mislead the user into thinking the application is a legitimate program. This behavior suggests an attempt to hide malicious activity behind a decoy interface.\r\nFigure 11. Payload download from link\r\nThis asynchronous function (RunApplicationAsync()) tries to retrieve a remote script from hxxxs://launchapps[.]site/getCode[.]php. If the fetched content is empty or an error occurs, the application opens a window (MainWindow) to maintain a legitimate appearance. Otherwise, if a script is successfully downloaded, the function calls ExecuteCodeAsync(), which runs the fetched script on the machine. This function effectively turns the application into a Remote Access Trojan (RAT), allowing attackers to send and execute new payloads dynamically.\r\nFigure 12. Remote server- download payload\r\nThis function establishes a connection to the remote server (hxxxs://launchapps[.]site/getCode[.]php) using HttpClient. If the request is successful, it returns the server’s response as a string, which is expected to be a script to execute. If the server fails to respond or returns an error, the function simply returns null. This function enables command-and-control (C2) communication, meaning that attackers can update the malicious script at any time without modifying the original malware.\r\nThe next step in our analysis is to examine the payload retrieved from hxxxs://launchapps[.]site/getCode[.]php. By manually entering the URL in a browser, we were able to obtain the payload for further investigation.\r\nFigure 13. Run application as Admin privilege & Bypass Defender\r\nThe IsRunAsAdministrator() function checks if the script is running with administrative privileges. If not, it restarts itself with elevated privileges using cmd.exe with the runas verb.\r\nThe AddAppDataToDefenderExclusions() function adds the AppData folder to Windows Defender exclusions using PowerShell. This ensures that any malicious files stored in AppData\\BackupWin are not detected by antivirus scans.\r\nFigure 14. Download the Encrypted Payload\r\nThe script fetches an encrypted payload from hxxps://launchapps[.]site/3[.]php and decrypts it using AES. The decrypted file is saved as decrypted.exe in AppData\\BackupWin and then executed.\r\nFigure 15. Decryption AES Function\r\nThe DownloadAndDecryptFileAsync function downloads an encrypted file from a remote server and decrypts it. It first sends a request to the given URL and checks if the response is successful. The response contains an encryption key, an initialization vector (IV), and encrypted data, all in Base64 format. The function then decrypts the data and saves it as decrypted.exe in the BackupWin folder inside AppData. Finally, it runs the decrypted file, which could be used to execute malicious code.\r\nFigure 16. Check the process Installed- Correspond Application install\r\nIt checks the name of the running process, and if it contains “notion”, “grammarly”, or “chrome”, it downloads legitimate installers from their official sources. This is likely a technique to disguise malicious activity. Apart from the Google Chrome campaign, we also observed similar campaigns targeting Notion, Grammarly, and Chrome.\r\nFigure 17. Add the Persistence in Task schedule\r\nThe ScheduleTask() function creates a scheduled task named BackupWinTask, ensuring that the malware executes on system startup.\r\nFigure 18. Encrypted Data- payload\r\nUpon accessing hxxxs://launchapps[.]site/3[.]php in a browser, the payload’s first line contains three parts separated by commas: the AES Key, the Initialization Vector (IV), and the encrypted data.\r\nFigure 19. CyberChef- decrypt the Data\r\nTo decrypt the data using CyberChef, follow these steps: Add the “From Base64” and “AES Decrypt” recipes. In the AES Decrypt section, paste the key and IV from the payload. Set the mode to CBC/NoPadding and select Hex as the output format. Paste the encrypted data into the input section. The output should display 4D 5A, indicating an MZ header.\r\nFigure 20. HxD - Decrypted data\r\nCopy this output and paste it into HxD — this file is decryptor.exe.\r\nFigure 21. Hash of the Decrypted File\r\nSource: https://medium.com/@sarviyamalwareanalyst/sectoprat-a-dangerous-remote-access-trojan-spreading-through-google-fake-ads-0c43a15c1cd8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@sarviyamalwareanalyst/sectoprat-a-dangerous-remote-access-trojan-spreading-through-google-fake-ads-0c43a15c1cd8"
	],
	"report_names": [
		"sectoprat-a-dangerous-remote-access-trojan-spreading-through-google-fake-ads-0c43a15c1cd8"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434384,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ed761bdbf1b57cc3c531669c44539b786aa9dd3b.pdf",
		"text": "https://archive.orkl.eu/ed761bdbf1b57cc3c531669c44539b786aa9dd3b.txt",
		"img": "https://archive.orkl.eu/ed761bdbf1b57cc3c531669c44539b786aa9dd3b.jpg"
	}
}