ブログ
/
Network
/
November 20, 2023

Understanding and Mitigating Sectop RAT

Understand the risks posed by the Sectop remote access Trojan and how Darktrace implements strategies to enhance cybersecurity defenses.
Written by
Justin Torres
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Justin Torres
Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
20
Nov 2023

Introduction

As malicious actors across the threat landscape continue to look for new ways to gain unauthorized access to target networks, it is unsurprising to see Remote Access Trojans (RATs) leveraged more and more. These RATs are downloaded discretely without the target’s knowledge, typically through seemingly legitimate software downloads, and are designed to gain highly privileged network credentials, ultimately allowing attackers to have remote control over compromised devices. [1]

SectopRAT is one pertinent example of a RAT known to adopt a number of stealth functions in order to gather and exfiltrate sensitive data from its targets including passwords, cookies, autofill and history data stores in browsers, as well as cryptocurrency wallet details and system hardware information. [2]

In early 2023, Darktrace identified a resurgence of the SectopRAT across customer environments, primarily targeting educational industries located in the United States (US), Europe, the Middle East and Africa (EMEA) and Asia-Pacific (APAC) regions. Darktrace DETECT™ was able to successfully identify suspicious activity related to SectopRAT at the network level, as well as any indicators of post-compromise on customer environments that did not have Darktrace RESPOND™ in place to take autonomous preventative action.

What is SectopRAT?

First discovered in early 2019, the SectopRAT is a .NET RAT that contains information stealing capabilities. It is also known under the alias ‘ArechClient2’, and is commonly distributed through drive-by downloads of illegitimate software and utilizes malvertising, including via Google Ads, to increase the chances of it being downloaded.

The malware’s code was updated at the beginning of 2021, which led to refined and newly implemented features, including command and control (C2) communication encryption with Advanced Encryption Stanard 256 (AES256) and additional commands. SectopRAT also has a function called "BrowserLogging", ultimately sending any actions it conducts on web browsers to its C2 infrastructure. When the RAT is executed, it then connects to a Pastebin associated hostname to retrieve C2 information; the requested file reaches out to get the public IP address of the infected device. To receive commands, it connects to its C2 server primarily on port 15647, although other ports have been highlighted by open source intelligence (OSINT), which include 15678, 15649, 228 and 80. Ultimately, sensitive data data gathered from target networks is then exfiltrated to the attacker’s C2 infrastructure, typically in a JSON file [3].

Darktrace Coverage

During autonomous investigations into affected customer networks, Darktrace DETECT was able to identify SSL connections to the endpoint pastebin[.]com over port 443, followed by failed connections to one of the IPs and ports (i.e., 15647, 15648, 15649) associated with SectopRAT. This resulted in the devices breaching the ‘Compliance/Pastebin and Anomalous Connection/Multiple Failed Connections to Rare Endpoint’ models, respectively.

In some instances, Darktrace observed a higher number of attempted connections that resulted in the additional breach of the model ‘Compromise / Large Number of Suspicious Failed Connections’.

Over a period of three months, Darktrace investigated multiple instances of SectopRAT infections across multiple clients, highlighting indicators of compromise (IoCs) through related endpoints.Looking specififically at one customer’s activity which centred on January 25, 2023, one device was observed initially making suspicious connections to a Pastebin endpoint, 104.20.67[.]143, likely in an attempt to receive C2 information.

Darktrace DETECT recognized this activity as suspicious, causing the 'Compliance / Pastebin' DETECT models to breach. In response to this detection, Darktrace RESPOND took swift action against the Pastebin connections by blocking them and preventing the device from carrying out further connections with Pastebin endpoints. Darktrace RESPOND actions related to blocking Pastebin connections were commonly observed on this device throughout the course of the attack and likely represented threat actors attempting to exfiltrate sensitive data outside the network.

Darktrace UI image
Figure 1: Model breach event log highlighting the Darktrace DETECT model breach ‘Compliance / Pastebin’.

Around the same time, Darktrace observed the device making a large number of failed connections to an unusual exernal location in the Netherlands, 5.75.147[.]135, via port 15647. Darktrace recognized that this endpoint had never previously been observed on the customer’s network and that the frequency of the failed connections could be indicative of beaconing activity. Subsequent investigation into the endpoint using OSINT indicated it had links to malware, though Darktrace’s successful detection did not need to rely on this intelligence.

Darktrace model breach event log
Figure 2: Model breach event log highlighting the multiple failed connectiosn to the suspicious IP address, 5.75.147[.]135 on January 25, 2023, causing the Darktrace DETECT model ‘Anomalous Connection / Multiple Failed Connections to Rare Endpoint’ to breach.

After these initial set of breaches on January 25, the same device was observed engaging in further external connectivity roughly a month later on February 27, including additional failed connections to the IP 167.235.134[.]14 over port 15647. Once more, multiple OSINT sources revealed that this endpoint was indeed a malicious C2 endpoint.

Darktrace model breach event log 2
Figure 3: Model breach event log highlighting the multiple failed connectiosn to the suspicious IP address, 167.235.134[.]14 on February 27, 2023, causing the Darktrace DETECT model ‘Anomalous Connection / Multiple Failed Connections to Rare Endpoint’ to breach.

While the initial Darktrace coverage up to this point has highlighted the attempted C2 communication and how DETECT was able to alert on the suspicious activity, Pastebin activity was commonly observed throughout the course of this attack. As a result, when enabled in autonomous response mode, Darktrace RESPOND was able to take swift mitigative action by blocking all connections to Pastebin associated hostnames and IP addresses. These interventions by RESPOND ultimately prevented malicious actors from stealing sensitive data from Darktrace customers.

Darktrace RESPOND action list
Figure 4: A total of nine Darktrace RESPOND actions were applied against suspicious Pastebin activity during the course of the attack.

In another similar case investigated by the Darktrace, multiple devices were observed engaging in external connectivity to another malicious endpoint,  88.218.170[.]169 (AS207651 Hosting technology LTD) on port 15647.  On April 17, 2023, at 22:35:24 UTC, the breach device started making connections; of the 34 attempts, one connection was successful – this connection lasted 8 minutes and 49 seconds. Darktrace DETECT’s Self-Learning AI understood that these connections represented a deviation from the device’s usual pattern of behavior and alerted on the activity with the ‘Multiple Connections to new External TCP Port’ model.

Darktrace model breach event log
Figure 5: Model breach event log highlighting the affected device successfully connecting to the suspicious endpoint, 88.218.170[.]169.
Darktrace advanced search query
Figure 6: Advanced Search query highlighting the one successful connection to the endpoint 88.218.170[.]169 out of the 34 attempted connections.

A few days later, on April 20, 2023, at 12:33:59 (UTC) the source device connected to a Pastebin endpoint, 172.67.34[.]170 on port 443 using the SSL protocol, that had never previously be seen on the network. According to Advanced Search data, the first SSL connection lasted over two hours. In total, the device made 9 connections to pastebin[.]com and downloaded 85 KB of data from it.

Darktrace UI highlighting connections
Figure 7: Screenshot of the Darktrace UI highlighting the affected device making multiple connections to Pastebin and downloading 85 KB of data.

Within the same minute, Darktrace detected the device beginning to make a large number of failed connections to another suspicious endpoints, 34.107.84[.]7 (AS396982 GOOGLE-CLOUD-PLATFORM) via port 15647. In total the affected device was observed initiating 1,021 connections to this malicious endpoint, all occurring over the same port and resulting the failed attempts.

Darktrace advanced search query 2
Figure 8: Advanced Search query highlighting the affected device making over one thousand connections to the suspicious endpoint 34.107.84[.]7, all of which failed.

Conclusion

Ultimately, thanks to its Self-Learning AI and anomaly-based approach to threat detection, Darktrace was able to preemptively identify any suspicious activity relating to SectopRAT at the network level, as well as post-compromise activity, and bring it to the immediate attention of customer security teams.

In addition to the successful and timely detection of SectopRAT activity, when enabled in autonomous response mode Darktrace RESPOND was able to shut down suspicious connections to endpoints used by threat actors as malicious infrastructure, thus preventing successful C2 communication and potential data exfiltration.

In the face of a Remote Access Trojan, like SectopRAT, designed to steal sensitive corporate and personal information, the Darktrace suite of products is uniquely placed to offer organizations full visibility over any emerging activity on their networks and respond to it without latency, safeguarding their digital estate whilst causing minimal disruption to business operations.

Credit to Justin Torres, Cyber Analyst, Brianna Leddy, Director of Analysis

Appendices

Darktrace Model Detection:

  • Compliance / Pastebin
  • Anomalous Connection / Multiple Failed Connections to Rare Endpoint
  • Compromise / Large Number of Suspicious Failed Connections
  • Anomalous Connection / Multiple Connections to New External TCP Port

List of IoCs

IoC - Type - Description + Confidence

5.75.147[.]135 - IP - SectopRAT C2 Endpoint

5.75.149[.]1 - IP - SectopRAT C2 Endpoint

34.27.150[.]38 - IP - SectopRAT C2 Endpoint

34.89.247[.]212 - IP - SectopRAT C2 Endpoint

34.107.84[.]7 - IP - SectopRAT C2 Endpoint

34.141.16[.]89 - IP - SectopRAT C2 Endpoint

34.159.180[.]55 - IP - SectopRAT C2 Endpoint

35.198.132[.]51 - IP - SectopRAT C2 Endpoint

35.226.102[.]12 - IP - SectopRAT C2 Endpoint

35.234.79[.]173 - IP - SectopRAT C2 Endpoint

35.234.159[.]213 - IP - SectopRAT C2 Endpoint

35.242.150[.]95 - IP - SectopRAT C2 Endpoint

88.218.170[.]169 - IP - SectopRAT C2 Endpoint

162.55.188[.]246 - IP - SectopRAT C2 Endpoint

167.235.134[.]14 - IP - SectopRAT C2 Endpoint

MITRE ATT&CK Mapping

Model: Compliance / Pastebin

ID: T1537

Tactic: EXFILTRATION

Technique Name: Transfer Data to Cloud Account

Model: Anomalous Connection / Multiple Failed Connections to Rare Endpoint

ID: T1090.002

Sub technique of: T1090

Tactic: COMMAND AND CONTROL

Technique Name: External Proxy

ID: T1095

Tactic: COMMAND AND CONTROL

Technique Name: Non-Application Layer Protocol

ID: T1571

Tactic: COMMAND AND CONTROL

Technique Name: Non-Standard Port

Model: Compromise / Large Number of Suspicious Failed Connections

ID: T1571

Tactic: COMMAND AND CONTROL

Technique Name: Non-Standard Port

ID: T1583.006

Sub technique of: T1583

Tactic: RESOURCE DEVELOPMENT

Technique Name: Web Services

Model: Anomalous Connection / Multiple Connections to New External TCP Port

ID: T1095        

Tactic: COMMAND AND CONTROL    

Technique Name: Non-Application Layer Protocol

ID: T1571

Tactic: COMMAND AND CONTROL    

Technique Name: Non-Standard Port

References

1.     https://www.techtarget.com/searchsecurity/definition/RAT-remote-access-Trojan

2.     https://malpedia.caad.fkie.fraunhofer.de/details/win.sectop_rat

3.     https://threatfox.abuse.ch/browse/malware/win.sectop_rat

執筆者
Justin Torres
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Justin Torres
Cyber Analyst

CVE-2026-1731: How Darktrace Sees the BeyondTrust Exploitation Wave Unfolding

February 13, 2026
Emma Foulger
Global Threat Research Operations Lead
Watch the NIS2 Webinar
よく読まれているブログ
1
Securing Generative AI: Managing Risk in Amazon Bedrock with Darktrace / CLOUD
Nov 19, 2025
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
さらに読む
Network
February 10, 2026

AI/LLMで生成されたマルウェアを使ったReact2Shellエクスプロイト

ダークトレースは、React2Shellの脆弱性をエクスプロイトするAI/LLM生成によるマルウェアを自社のCloudypots環境内で検知しました。この事例は、LLM(Large Language Model:大規模原語モデル)支援の開発によって低スキルの攻撃者であっても効果的なエクスプロイトツールを迅速に作成できることを示しています。このブログではその攻撃チェーンとAIで生成されたペイロードを分析し、容易に入手可能なAIサイバー脅威がもたらす、防御上の問題の深刻化について解説します。
Nathaniel Bill
Malware Research Engineer
Read more
Network
February 5, 2026

AppleScript Abuse: Unpacking a macOS Phishing Campaign

This blog explores a macOS phishing campaign that leverages social engineering, AppleScript loaders, and attempted abuse of the macOS’ TCC feature to gain privileged access. It highlights a broader trend: attackers increasingly exploit user trust rather than system vulnerabilities, using staged payload delivery and persistence techniques to maintain long‑term access.
Tara Gould
Malware Research Lead
Read more
Network
February 3, 2026

Darktrace Malware Analysis: Unpacking SnappyBee

his blog details how to unpack malware like SnappyBee, a modular backdoor linked to Salt Typhoon, revealing its custom packing, DLL sideloading, dynamic API resolution, and multi‑stage in‑memory decryption. It provides analysts with a step‑by‑step guide to extract hidden payloads and understand advanced evasion techniques by sophisticated malware strains.
Nathaniel Bill
Malware Research Engineer
Read more

Blog

/

/

February 13, 2026

CVE-2026-1731: How Darktrace Sees the BeyondTrust Exploitation Wave Unfolding

Default blog imageDefault blog image

Note: Darktrace's Threat Research team is publishing now to help defenders. We will update continue updating this blog as our investigations unfold.

Background

On February 6, 2026, the Identity & Access Management solution BeyondTrust announced patches for a vulnerability, CVE-2026-1731, which enables unauthenticated remote code execution using specially crafted requests.  This vulnerability affects BeyondTrust Remote Support (RS) and particular older versions of Privileged Remote Access (PRA) [1].

A Proof of Concept (PoC) exploit for this vulnerability was released publicly on February 10, and open-source intelligence (OSINT) reported exploitation attempts within 24 hours [2].

Previous intrusions against Beyond Trust technology have been cited as being affiliated with nation-state attacks, including a 2024 breach targeting the U.S. Treasury Department. This incident led to subsequent emergency directives from  the Cybersecurity and Infrastructure Security Agency (CISA) and later showed attackers had chained previously unknown vulnerabilities to achieve their goals [3].

Additionally, there appears to be infrastructure overlap with React2Shell mass exploitation previously observed by Darktrace, with command-and-control (C2) domain  avg.domaininfo[.]top seen in potential post-exploitation activity for BeyondTrust, as well as in a React2Shell exploitation case involving possible EtherRAT deployment.

Darktrace Detections

Darktrace’s Threat Research team has identified highly anomalous activity across several customers that may relate to exploitation of BeyondTrust since February 10, 2026. Observed activities include:

-              Outbound connections and DNS requests for endpoints associated with Out-of-Band Application Security Testing; these services are commonly abused by threat actors for exploit validation.  Associated Darktrace models include:

o    Compromise / Possible Tunnelling to Bin Services

-              Suspicious executable file downloads. Associated Darktrace models include:

o    Anomalous File / EXE from Rare External Location

-              Outbound beaconing to rare domains. Associated Darktrace models include:

o   Compromise / Agent Beacon (Medium Period)

o   Compromise / Agent Beacon (Long Period)

o   Compromise / Sustained TCP Beaconing Activity To Rare Endpoint

o   Compromise / Beacon to Young Endpoint

o   Anomalous Server Activity / Rare External from Server

o   Compromise / SSL Beaconing to Rare Destination

-              Unusual cryptocurrency mining activity. Associated Darktrace models include:

o   Compromise / Monero Mining

o   Compromise / High Priority Crypto Currency Mining

And model alerts for:

o    Compromise / Rare Domain Pointing to Internal IP

IT Defenders: As part of best practices, we highly recommend employing an automated containment solution in your environment. For Darktrace customers, please ensure that Autonomous Response is configured correctly. More guidance regarding this activity and suggested actions can be found in the Darktrace Customer Portal.  

Appendices

Potential indicators of post-exploitation behavior:

·      217.76.57[.]78 – IP address - Likely C2 server

·      hXXp://217.76.57[.]78:8009/index.js - URL -  Likely payload

·      b6a15e1f2f3e1f651a5ad4a18ce39d411d385ac7  - SHA1 - Likely payload

·      195.154.119[.]194 – IP address – Likely C2 server

·      hXXp://195.154.119[.]194/index.js - URL – Likely payload

·      avg.domaininfo[.]top – Hostname – Likely C2 server

·      104.234.174[.]5 – IP address - Possible C2 server

·      35da45aeca4701764eb49185b11ef23432f7162a – SHA1 – Possible payload

·      hXXp://134.122.13[.]34:8979/c - URL – Possible payload

·      134.122.13[.]34 – IP address – Possible C2 server

·      28df16894a6732919c650cc5a3de94e434a81d80 - SHA1 - Possible payload

References:

1.        https://nvd.nist.gov/vuln/detail/CVE-2026-1731

2.        https://www.securityweek.com/beyondtrust-vulnerability-targeted-by-hackers-within-24-hours-of-poc-release/

3.        https://www.rapid7.com/blog/post/etr-cve-2026-1731-critical-unauthenticated-remote-code-execution-rce-beyondtrust-remote-support-rs-privileged-remote-access-pra/

Continue reading
About the author
Emma Foulger
Global Threat Research Operations Lead

Blog

/

AI

/

February 13, 2026

How AI is redefining cybersecurity and the role of today’s CIO

Default blog imageDefault blog image

Why AI is essential to modern security

As attackers use automation and AI to outpace traditional tools and people, our approach to cybersecurity must fundamentally change. That’s why one of my first priorities as Withum's CIO was to elevate cybersecurity from a technical function to a business enabler.

What used to be “IT’s problem” is now a boardroom conversation – and for good reason. Protecting our data, our people, and our clients directly impacts revenue, reputation and competitive positioning.  

As CIOs / CISOs, our responsibilities aren’t just keeping systems running, but enabling trust, protecting our organization's reputation, and giving the business confidence to move forward even as the digital world becomes less predictable. To pull that off, we need to know the business inside-out, understand risk, and anticipate what's coming next. That's where AI becomes essential.

Staying ahead when you’re a natural target

With more than 3,100 team members and over 1,000 CPAs (Certified Public Accountant), Withum’s operates in an industry that naturally attracts attention from attackers. Firms like ours handle highly sensitive financial and personal information, which puts us squarely in the crosshairs for sophisticated phishing, ransomware, and cloud-based attacks.

We’ve built our security program around resilience, visibility, and scale. By using Darktrace’s AI-powered platform, we can defend against both known and unknown threats, across email and network, without slowing our teams down.

Our focus is always on what we’re protecting: our clients’ information, our intellectual property, and the reputation of the firm. With Darktrace, we’re not just keeping up with the massive volume of AI-powered attacks coming our way, we’re staying ahead. The platform defends our digital ecosystem around the clock, detecting potential threats across petabytes of data and autonomously investigating and responding to tens of thousands of incidents every year.

Catching what traditional tools miss

Beyond the sheer scale of attacks, Darktrace ActiveAI Security PlatformTM is critical for identifying threats that matter to our business. Today’s attackers don’t use generic techniques. They leverage automation and AI to craft highly targeted attacks – impersonating trusted colleagues, mimicking legitimate websites, and weaving in real-world details that make their messages look completely authentic.

The platform, covering our network, endpoints, inboxes, cloud and more is so effective because it continuously learns what’s normal for our business: how our users typically behave, the business- and industry-specific language we use, how systems communicate, and how cloud resources are accessed. It picks up on minute details that would sail right past traditional tools and even highly trained security professionals.

Freeing up our team to do what matters

On average, Darktrace autonomously investigates 88% of all our security events, using AI to connect the dots across email, network, and cloud activity to figure out what matters. That shift has changed how our team works. Instead of spending hours sorting through alerts, we can focus on proactive efforts that actually strengthen our security posture.

For example, we saved 1,850 hours on investigating security issues over a ten-day period. We’ve reinvested the time saved into strengthening policies, refining controls, and supporting broader business initiatives, rather than spending endless hours manually piecing together alerts.

Real confidence, real results

The impact of our AI-driven approach goes well beyond threat detection. Today, we operate from a position of confidence, knowing that threats are identified early, investigated automatically, and communicated clearly across our organization.

That confidence was tested when we withstood a major ransomware attack by a well-known threat group. Not only were we able to contain the incident, but we were able to trace attacker activity and provided evidence to law enforcement. That was an exhilarating experience! My team did an outstanding job, and moments like that reinforce exactly why we invest in the right technology and the right people.

Internally, this capability has strengthened trust at the executive level. We share security reporting regularly with leadership, translating technical activity into business-relevant insights. That transparency reinforces cybersecurity as a shared responsibility, one that directly supports growth, continuity, and reputation.

Culturally, we’ve embedded security awareness into daily operations through mandatory monthly training, executive communication, and real-world industry examples that keep cybersecurity top of mind for every employee.

The only headlines we want are positive ones: Withum expanding services, Withum growing year over year. Security plays a huge role in making sure that’s the story we get to tell.

What’s next

Looking ahead, we’re expanding our use of Darktrace, including new cloud capabilities that extend AI-driven visibility and investigation into our AWS and Azure environments.

As I continue shaping our security team, I look for people with passion, curiosity, and a genuine drive to solve problems. Those qualities matter just as much as formal credentials in my view. Combined with AI, these attributes help us build a resilient, engaged security function with low turnover and high impact.

For fellow technology leaders, my advice is simple: be forward-thinking and embrace change. We must understand the business, the threat landscape, and how technology enables both. By augmenting human expertise rather than replacing it, AI allows us to move upstream by anticipating risk, advising the business, and fostering stronger collaboration across teams.

Continue reading
About the author
あなたのデータ × DarktraceのAI
唯一無二のDarktrace AIで、ネットワークセキュリティを次の次元へ