SectopRAT's Live C2: Python 3.15, AMSI Bypass, and Fiber-Based Shellcode in a Multi-Stage ACRStealer Campaign
Published: 2026-03-10
Author: GHOST -- Breakglass Intelligence
Tags: SectopRAT, Arechclient2, ACRStealer, AMSI bypass, shellcode, Python abuse, MediaFire, info-stealer
Read online: https://intel.breakglass.tech/post/sectoprat-acrstealer-amsi-bypass-fiber-shellcode-march-2026
TL;DR: A live SectopRAT/Arechclient2 campaign was caught actively serving payloads during investigation on March 10, 2026. The attack chain begins with an ACRStealer PowerShell dropper hosted on a domain registered just five days earlier, which downloads a ZIP archive from MediaFire containing a renamed Python 3.15 interpreter. The Python runtime executes an obfuscated loader disguised as chrome_100_percent.pak that decodes through three layers (reversed base64, zlib, exec), boots the .NET CLR, patches amsi.dll in memory to disable Windows Defender scanning, and injects shellcode via the unusual CreateFiber/SwitchToFiber technique rather than the more commonly detected CreateThread. The C2 server at 94[.]26[.]106[.]216:9000 was confirmed live and responding with heartbeat messages, hosted on German infrastructure sub-allocated through a Bulgarian LIR. Across the campaign, four SectopRAT C2 servers and seven ACRStealer C2 servers were mapped, with activity spanning from February 20 through March 10, 2026.
Background
SectopRAT (also tracked as Arechclient2) is a .NET-based information stealer and remote access trojan that has been active since at least 2019. It is typically delivered as a second-stage payload by other malware families -- in this case, ACRStealer, a PowerShell-based dropper that has gained popularity in 2025-2026 for its use of legitimate file hosting services to stage payloads. The combination creates a delivery chain that abuses multiple trusted services (Cloudflare, MediaFire, signed Python binaries) to evade detection at every stage.
This investigation began with a ZIP archive (SHA256: fbc71b214f4e8684b2caf24fef0ace848ac2331947900d516db917628724fb58) reported on MalwareBazaar on March 7, 2026. Unlike many malware investigations where the C2 is already dead by analysis time, we confirmed the primary C2 was live and actively serving encrypted payloads during our investigation on March 10 -- making this an active, ongoing threat at time of publication.
Key Findings
1. Live C2 Confirmed -- Actively Serving Payloads
During the investigation, we directly confirmed C2 activity:
| Endpoint | Response | Meaning |
|---|---|---|
| hxxp://94[.]26[.]106[.]216:9000/wbinjget | "Internal error!" | Heartbeat/check-in confirmation |
| hxxp://94[.]26[.]106[.]216:9000/wmglb | 117KB encrypted blob | Payload/configuration delivery |
The C2 endpoints require no authentication -- they respond to unauthenticated HTTP GET requests. The /wbinjget endpoint returns the string "Internal error!" which functions as a beacon confirmation (the ironic error message is a known SectopRAT signature). The /wmglb endpoint serves a 117KB encrypted binary blob containing the actual SectopRAT payload or configuration update.
The server runs Ubuntu Linux but returns a spoofed Server: Microsoft-HTTPAPI/2.0 header -- a trivially detectable fingerprint mismatch that reveals the operator's attempt to disguise the server as a Windows host. Additional headers include Access-Control-Allow-Origin: * and Host: *:9000.
2. Multi-Stage Delivery Chain Abusing Legitimate Services
The delivery chain is designed to avoid detection at every stage by leveraging trusted infrastructure:
Stage 1 -- ACRStealer Dropper:
A PowerShell script hosted at hxxps://casyetnx[.]pw/eq8e1l4b0qjd22w (domain registered March 5, 2026, via CNOBIN registrar in Hong Kong, behind Cloudflare). The .pw TLD and Chinese registrar are common choices for disposable malware delivery domains.
Stage 2 -- MediaFire Payload Hosting:
The PS1 script downloads chrome_100_percent.zip from MediaFire's premium file hosting service. Abusing MediaFire provides high-bandwidth delivery, CDN distribution, and avoids IP reputation issues since MediaFire is a legitimate, widely-used service.
Stage 3 -- Legitimate Python Binary:
The ZIP extracts to a directory containing FNPLicensingService.exe -- which is actually a renamed, legitimately signed CPython 3.15 pythonw.exe (PDB path: D:\a\1\b\bin\amd64\pythonw.pdb). Using a signed Python interpreter means the execution binary itself passes signature verification checks.
Stage 4 -- Obfuscated Python Loader:
chrome_100_percent.pak is not a Chromium PAK resource file -- it is an ASCII text file containing obfuscated Python code. The file name mimics a legitimate Chrome resource to evade cursory inspection.
3. AMSI Bypass via CLR Memory Patching
The Python loader implements a sophisticated AMSI (Antimalware Scan Interface) bypass:
1. Load .NET CLR v4.0.30319 into the Python process
2. Locate the "amsi.dll" string in the CLR's .rdata section
3. VirtualProtect to make the memory region writable
4. Patch "amsi.dll" to "amXi.dll" (single character change)
5. VirtualProtect to restore original permissions
The result: when the CLR attempts to initialize AMSI scanning, it tries to load "amXi.dll" instead of "amsi.dll". Since that DLL does not exist, AMSI initialization silently fails, and all subsequent .NET code execution proceeds without Defender scanning. This is more elegant than the common AmsiScanBuffer patching technique because it operates at the string level before the DLL is even loaded, making it harder to detect with hooks on AMSI API functions.
The actual code uses a misdirection technique: "ansi.dll".replace("n", "m") to construct the target string "amsi.dll" without ever containing it as a literal -- avoiding simple string-based YARA detection.
4. Fiber-Based Shellcode Execution
Rather than the standard CreateThread or NtCreateThreadEx injection techniques that most EDR solutions monitor, the loader uses Windows Fibers:
VirtualAlloc(RWX) -- Allocate executable memory
memcpy(shellcode) -- Copy shellcode to allocated region
ConvertThreadToFiber(0) -- Convert current thread to fiber context
CreateFiber(0, addr, 0) -- Create new fiber pointing to shellcode
SwitchToFiber(fiber) -- Transfer execution
Fibers are cooperative multitasking primitives that execute within the context of the calling thread. Because no new thread is created, detections that key on thread creation (CreateThread/NtCreateThreadEx telemetry) do not fire on this execution method; the RWX VirtualAlloc region and the ctypes call sequence remain visible to memory scanning and API telemetry. The shellcode itself is an 822KB blob consisting of a 90KB NOP sled, a PEB-walking API resolver, and a rolling XOR decryptor that unpacks the final SectopRAT PE.
5. Obfuscation Layering
The chrome_100_percent.pak file decodes through three distinct layers:
| Layer | Technique | Output |
|---|---|---|
| 0 | oweruyul() function: reverse string, base64 decode, zlib decompress | Layer 1 Python code |
| 1 | Plaintext Python with ctypes FFI | 3.3MB shellcode loader + AMSI bypass + CLR bootstrap |
| 2 | NOP sled + PEB-walking stub + rolling XOR | Decrypted SectopRAT PE binary |
| 3 | Reflective PE loading | SectopRAT .NET assembly executing in memory |
The initial 21-second sleep() call in the Python loader serves as sandbox evasion -- most automated sandbox environments have execution timeouts of 30-60 seconds, and the 21-second delay consumes a significant portion of that window before any malicious behavior begins.
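The Layer 0 decoder chain described above, together with the string-level indicators from sections 3 and 4, can be checked statically without ever running the loader. The script below is an added example written for this post, not the report's own tooling or the malware's code: the sample .pak text is constructed to mirror the described shape, and the function names are assumptions.

```python
import base64
import re
import struct
import zlib

# Constructed stand-in for the text of chrome_100_percent.pak. The real loader is
# 3.3MB; this reproduces only the decoder shape the report describes and is
# never executed by this script (the name addr is deliberately undefined).
INNER_LAYER = (
    'import ctypes, time\n'
    'time.sleep(21)\n'
    'target = "ansi.dll".replace("n", "m")\n'
    'k32 = ctypes.windll.kernel32\n'
    'k32.ConvertThreadToFiber(0)\n'
    'fiber = k32.CreateFiber(0, addr, 0)\n'
    'k32.SwitchToFiber(fiber)\n'
)
_blob = base64.b64encode(zlib.compress(INNER_LAYER.encode()))[::-1].decode()
SAMPLE_PAK = (
    "import base64, zlib\n"
    "def oweruyul(s):\n"
    "    return zlib.decompress(base64.b64decode(s[::-1]))\n"
    f'exec(oweruyul("{_blob}"))\n'
)

def looks_like_real_pak(data: bytes) -> bool:
    """Heuristic: Chromium .pak files open with a little-endian uint32 version (4 or 5)."""
    return len(data) >= 4 and struct.unpack("<I", data[:4])[0] in (4, 5)

def peel_layer0(src: str) -> str:
    """Undo Layer 0 statically (reverse -> base64 -> zlib) on the longest
    base64-alphabet string literal, without ever calling exec()."""
    lits = re.finditer(r"['\"]([A-Za-z0-9+/=]{64,})['\"]", src)
    best = max(lits, key=lambda m: len(m.group(1)), default=None)
    if best is None:
        raise ValueError("no base64-looking literal found")
    return zlib.decompress(base64.b64decode(best.group(1)[::-1])).decode()

def scan_indicators(code: str) -> dict:
    """String-level indicators from the report's sections 3-5 and YARA summary."""
    return {
        "oweruyul_name": "oweruyul" in code,
        "decoder_chain": all(t in code for t in ("[::-1]", "b64decode", "zlib.decompress")),
        "amsi_misdirection": re.search(r'"ansi\.dll"\.replace\("n",\s*"m"\)', code) is not None,
        "fiber_sequence": re.search(r"ConvertThreadToFiber.*CreateFiber.*SwitchToFiber", code, re.S) is not None,
        "sandbox_sleep": re.search(r"sleep\(\s*21\s*\)", code) is not None,
        "shellcode_var": re.search(r"blgczffdx\s*=\s*b['\"]", code) is not None,
    }

def triage(data: bytes) -> dict:
    """Full pass over a suspect .pak: header check, then peel Layer 0 and scan both layers."""
    if looks_like_real_pak(data):
        return {"real_pak": True}
    outer = data.decode("latin-1")
    inner = peel_layer0(outer)
    return {"real_pak": False, "outer": scan_indicators(outer), "inner": scan_indicators(inner)}
```

On a real sample the same peel can be repeated on the recovered layer if it carries a further encoded literal; the scan results on both layers are what a YARA author would turn into rule strings.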
6. Broad Campaign Infrastructure
Pivoting from the primary C2 reveals a substantial infrastructure footprint:
SectopRAT C2 Servers (4):
| IP | ASN | Location | Ports | Status |
|---|---|---|---|---|
| 94[.]26[.]106[.]216 | AS215607 (dataforest GmbH) | Germany | 9000, 8080 | LIVE |
| 89[.]110[.]107[.]177 | VDSINA | Netherlands | 443, 9000 | LIVE |
| 144[.]31[.]90[.]139 | -- | Netherlands | 443 | LIVE |
| 194[.]150[.]220[.]218 | Global Connectivity Solutions | Netherlands | 80 | LIVE (payload delivery) |
ACRStealer C2 Servers (7):
| IP | Port |
|---|---|
| 91[.]214[.]78[.]85 | 443 |
| 89[.]167[.]47[.]162 | 443 |
| 212[.]118[.]41[.]7 | 443 |
| 45[.]150[.]34[.]229 | 443 |
| 46[.]149[.]74[.]97 | 443 |
| 77[.]91[.]96[.]203 | 443 |
| 212[.]118[.]41[.]180 | 443 |
The geographic spread across Germany and the Netherlands, combined with the use of multiple ASNs and providers, indicates an operator with some infrastructure management sophistication.
Attack Chain
Stage 1: Initial Delivery
ACRStealer PowerShell dropper served from casyetnx[.]pw
Domain behind Cloudflare (104[.]21[.]27[.]50 / 172[.]67[.]168[.]236)
Registered 2026-03-05 via CNOBIN (Hong Kong registrar)
Stage 2: Payload Download
PS1 script downloads chrome_100_percent.zip from MediaFire
ZIP contains: FNPLicensingService.exe + python315.dll + python315.zip + chrome_100_percent.pak
Stage 3: Execution via Signed Binary
FNPLicensingService.exe (legitimate signed pythonw.exe) loads Python 3.15 runtime
Python imports chrome_100_percent.pak via standard module loading
Stage 4: Deobfuscation
oweruyul() function: reverse string -> base64 decode -> zlib decompress -> exec()
Output: 3.3MB Python shellcode loader
Stage 5: Defense Evasion
sleep(21) -- sandbox timeout evasion
start_clr() -- loads .NET CLR v4.0.30319
disable_ansi() -- patches "amsi.dll" -> "amXi.dll" in CLR .rdata section
Result: AMSI scanning completely disabled for subsequent .NET execution
Stage 6: Shellcode Injection (Fiber-Based)
VirtualAlloc(RWX) allocates executable memory
822KB shellcode copied to allocation
ConvertThreadToFiber + CreateFiber + SwitchToFiber
No new thread created -- evades thread-based monitoring
Stage 7: PE Loading
90KB NOP sled traversed
PEB-walking API resolver locates kernel32/ntdll functions
Rolling XOR decrypts embedded SectopRAT PE
Reflective loading into memory -- no file on disk
Stage 8: C2 Communication
HTTP to 94[.]26[.]106[.]216:9000
/wbinjget -- heartbeat (response: "Internal error!")
/wmglb -- payload/config download (117KB encrypted blob)
Spoofed Server: Microsoft-HTTPAPI/2.0 header
Stage 9: Data Theft
Browser credential/cookie theft
Cryptocurrency wallet theft
Application credential harvesting
Data exfiltration over C2 channel
Infrastructure Analysis
Hosting Hierarchy
The primary C2 sits behind several layers of allocation:
Tier 0 -- Upstream Transit
AS58212 / AS199524
Tier 1 -- ASN Owner
AS215607 -- DF-Transit (dataforest GmbH, Kriftel, Germany)
Tier 2 -- Sub-allocation
lir-bg-telco-1-MNT (Bulgarian LIR)
Abuse contact: abuse@vmheaven.io (VM Heaven reseller)
Tier 3 -- Operational
94.26.106.0/24
.216 = SectopRAT C2 (this investigation)
.217 = suraenlinea.st (likely unrelated)
The Bulgarian LIR sub-allocation and "VM Heaven" reseller layer are common patterns in abuse-resistant hosting arrangements. Abuse reports must traverse: VM Heaven -> Bulgarian LIR -> dataforest GmbH, creating delay at each stage.
Delivery Domain Analysis
The casyetnx[.]pw domain was registered on March 5, 2026, just two days before the malware sample appeared:
| Property | Value |
|---|---|
| Registrar | CNOBIN (Hong Kong) |
| Nameservers | chloe.ns.cloudflare.com / rommy.ns.cloudflare.com |
| TLS Certificate | Cloudflare shared SSL + Let's Encrypt E7 |
| CDN IPs | 104[.]21[.]27[.]50 / 172[.]67[.]168[.]236 |
CNOBIN is a registrar known in the threat intelligence community for lax abuse enforcement, making it a preferred choice for disposable malware delivery domains. The Cloudflare CDN fronting hides the true origin server IP.
Campaign Timeline
| Date | Event |
|---|---|
| 2025-03-21 | SectopRAT delivery via freemonflask.click (Maison Worm campaign) |
| 2025-11-16 | C2 at 144[.]31[.]90[.]139:443 reported |
| 2026-02-04 | C2 at 89[.]110[.]107[.]177:9000 reported |
| 2026-02-20 | copal.zip and nu6wyj9sur2.zip samples appear |
| 2026-02-28 | Vernicle.exe sample |
| 2026-03-01 | beben.zip sample |
| 2026-03-05 | casyetnx[.]pw domain registered |
| 2026-03-07 | chrome_100_percent.zip + eq8e1l4b0qjd22w.ps1 first seen |
| 2026-03-07 | wslservice.zip parallel payload observed same day |
| 2026-03-10 | C2 confirmed live, actively serving encrypted payloads |
The nearly year-long operational history (March 2025 to March 2026) and regular sample production indicate a persistent, professional operation rather than a one-off campaign.
Threat Actor Profile
Attribution Assessment: MEDIUM confidence
The geographic and infrastructure patterns suggest an Eastern European/CIS nexus:
- VDSINA (Russian hosting provider) for historical C2
- Bulgarian LIR for IP sub-allocation
- Chinese registrar for disposable domains (common procurement pattern)
- Spanish origin flag on MalwareBazaar samples (likely VPN exit or victim location)
- Yandex domain impersonation observed on historical C2 infrastructure
The consistent reuse of port 9000 across campaigns, identical /wbinjget and /wmglb endpoint names, and the Microsoft-HTTPAPI/2.0 spoofed header create a reliable fingerprint for tracking this operator across infrastructure changes.
Detection
YARA Summary
Detection rules target:
- chrome_100_percent.pak Loader: ASCII file named chrome_100_percent.pak containing Python code with the oweruyul function name and the reversed + b64decode + zlib.decompress call chain
- FNPLicensingService.exe Abuse: PE file with internal name pythonw.exe and original filename containing "FNPLicensingService"
- AMSI Bypass Pattern: Python code containing "ansi.dll".replace("n", "m") or an equivalent construction
- Fiber Shellcode Injection: Python ctypes calls to ConvertThreadToFiber + CreateFiber + SwitchToFiber in sequence
- Shellcode Blob: variable name blgczffdx followed by a large byte string assignment (shellcode variable)
- SectopRAT C2 Response: HTTP response body containing exactly "Internal error!" from a non-standard port
Suricata Summary
Network detection rules cover:
- SectopRAT Heartbeat: HTTP GET to /wbinjget on any port returning an "Internal error!" response
- SectopRAT Payload Delivery: HTTP response from the /wmglb endpoint with the Microsoft-HTTPAPI/2.0 server header and Access-Control-Allow-Origin: *
- C2 Port 9000 Traffic: HTTP connections to known SectopRAT C2 IPs on port 9000
- ACRStealer Dropper: PowerShell download cradle fetching from casyetnx[.]pw or similar CNOBIN-registered .pw domains
- MediaFire Abuse: downloads of chrome_100_percent.pak or chrome_100_percent.zip from MediaFire file hosting
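An added example, not part of the original report or any published rule set, that applies the heartbeat, payload-delivery and port 9000 fingerprints above to captured HTTP exchanges. The exchange records and HTTP status codes are constructed (the report gives only the body and the two headers), and the record field names are assumptions.

```python
from dataclasses import dataclass

# Defanged, exactly as the report lists them; observed IPs are defanged before
# lookup so the detection config never carries a live C2 address in plain form.
KNOWN_SECTOPRAT_C2 = {"94[.]26[.]106[.]216", "89[.]110[.]107[.]177",
                      "144[.]31[.]90[.]139", "194[.]150[.]220[.]218"}

def defang(ip: str) -> str:
    return ip.replace(".", "[.]")

@dataclass
class Exchange:
    dst_ip: str
    dst_port: int
    path: str            # request path from the GET line
    raw_response: bytes  # status line + headers + body, as captured

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def classify(ex: Exchange) -> list:
    """Return the names of the report's network fingerprints this exchange matches."""
    _, hdr, body = parse_response(ex.raw_response)
    hits = []
    if ex.path == "/wbinjget" and body.strip() == b"Internal error!":
        hits.append("sectoprat_heartbeat")
    if (ex.path == "/wmglb" and hdr.get("server") == "Microsoft-HTTPAPI/2.0"
            and hdr.get("access-control-allow-origin") == "*"):
        hits.append("sectoprat_payload_delivery")
    if ex.dst_port == 9000 and defang(ex.dst_ip) in KNOWN_SECTOPRAT_C2:
        hits.append("known_c2_port_9000")
    return hits

# Constructed exchanges: status codes are assumed, the bodies and headers follow
# the report; the benign record uses a documentation-range address.
HEARTBEAT = Exchange("94.26.106.216", 9000, "/wbinjget",
    b"HTTP/1.1 200 OK\r\nServer: Microsoft-HTTPAPI/2.0\r\n"
    b"Access-Control-Allow-Origin: *\r\nContent-Length: 15\r\n\r\nInternal error!")
PAYLOAD = Exchange("94.26.106.216", 9000, "/wmglb",
    b"HTTP/1.1 200 OK\r\nServer: Microsoft-HTTPAPI/2.0\r\n"
    b"Access-Control-Allow-Origin: *\r\nContent-Length: 4\r\n\r\n\x8a\x11\x02\xf0")
BENIGN = Exchange("203.0.113.10", 443, "/index.html",
    b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 6\r\n\r\n<html>")
```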
IOCs (Defanged)
Host Indicators
# Process indicators
FNPLicensingService.exe spawning network connections to port 9000
python315.dll loaded by non-Python application
chrome_100_percent.pak opened as ASCII text (real PAK files are binary)
# Behavioral indicators
21-second sleep before payload execution
amsi.dll patched to amXi.dll in CLR memory
ConvertThreadToFiber + CreateFiber + SwitchToFiber call sequence
.NET CLR v4.0.30319 loaded into Python process
# Code artifacts
Function name: oweruyul()
Shellcode variable: blgczffdx
Server header mismatch: Microsoft-HTTPAPI/2.0 on Linux host
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Notes |
|---|---|---|---|
| Resource Development | Acquire Infrastructure: Domains | T1583.001 | casyetnx[.]pw via CNOBIN, hosting via dataforest/VDSINA |
| Initial Access | Drive-by Compromise | T1189 | Lure websites deliver ACRStealer PS1 |
| Execution | PowerShell | T1059.001 | ACRStealer PS1 dropper |
| Execution | Python | T1059.006 | Embedded Python 3.15 runs obfuscated loader |
| Persistence | Boot or Logon Autostart | T1547 | SectopRAT standard persistence |
| Defense Evasion | Masquerading | T1036.005 | FNPLicensingService.exe (renamed pythonw.exe) |
| Defense Evasion | Software Packing | T1027.002 | Reversed Base64 + Zlib compression |
| Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 | AMSI bypass via CLR string patching |
| Defense Evasion | Process Injection: Thread Execution Hijacking | T1055.012 | CreateFiber/SwitchToFiber shellcode execution |
| Defense Evasion | Deobfuscate/Decode Files | T1140 | Multi-layer runtime decryption |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | HTTP C2 on port 9000 |
| Command and Control | Non-Standard Port | T1571 | Port 9000 |
| Collection | Data from Local System | T1005 | Browser credentials, crypto wallets |
| Exfiltration | Over C2 Channel | T1041 | HTTP exfiltration |
Recommendations
Immediate (24-48 hours)
- Block C2 IPs at perimeter firewall: 94[.]26[.]106[.]216, 89[.]110[.]107[.]177, 144[.]31[.]90[.]139, 194[.]150[.]220[.]218.
- Block all seven ACRStealer C2 IPs listed in the ACRStealer C2 table above.
- Block DNS for casyetnx[.]pw.
- Deploy Suricata rules for the /wbinjget and /wmglb endpoint patterns -- these are consistent across the campaign.
- Hunt for FNPLicensingService.exe co-located with chrome_100_percent.pak or python315.dll on endpoints.
- Search for python315.dll or python315.zip in endpoint telemetry -- Python 3.15 is a development build not typically found in production environments.
Short-term (1-2 weeks)
- Deploy YARA rules for the oweruyul() decoder function, the AMSI bypass pattern, and the fiber-based injection sequence.
- Review historical DNS logs for casyetnx[.]pw queries to identify potential earlier compromises.
- Audit MediaFire access logs for chrome_100_percent.pak downloads.
- Monitor outbound connections on port 9000 to AS215607 address space.
- Review PowerShell execution logs for large (1.9MB+) script execution patterns.
Medium-term (1-3 months)
- Submit abuse reports to dataforest GmbH (abuse@dataforest.net), VM Heaven (abuse@vmheaven.io), and Cloudflare for the delivery domain.
- Monitor MalwareBazaar for new SectopRAT/Arechclient2 submissions -- the operator produces new samples regularly.
- Track AS215607 for additional malicious infrastructure deployments.
- Monitor CNOBIN registrar for similar .pw domain registrations -- these are typically disposable and rotated frequently.
- Consider application control policies that prevent renamed Python interpreters from executing in non-standard directories.
References
- MalwareBazaar Sample
- ThreatFox IOC #1760512
- Tria.ge Sandbox Report
- Malpedia -- SectopRAT
- Censys -- 94.26.106.216