Distribution of SectopRAT (ArechClient2) Disguised as Notion Installer

Threat actors have mimicked Notion installers to distribute downloader DLLs that fetch payloads such as LummaC2 and SectopRAT, enabling data exfiltration and remote control. Typosquatted URLs deliver installers bundled with a downloader DLL; the DLL connects to C2 servers to retrieve payloads written as “decrypted.exe” and runs these infostealer/RAT components. #LummaC2 #SectopRAT

Keypoints

  • Attackers use typosquatted or fake web pages posing as Notion to trick users into downloading malicious installers.
  • Downloaded installers drop a malicious DLL that acts as a downloader and loader for additional payloads.
  • The DLL connects to a C2 server to download final payloads, commonly named “decrypted.exe”.
  • Observed payloads include LummaC2 (infostealer) and SectopRAT (RAT/infostealer), both capable of exfiltration.
  • SectopRAT behaves similarly to RedLine: stealing browser data, credentials, cookies, screenshots, and executing C2 commands.
  • Reported IOCs include specific MD5 hashes, C2 URLs, a typosquatted FQDN, and an IP address used for payload delivery.

MITRE Techniques

  • [T1040] Infostealer (LummaC2) – Steals sensitive information from the infected system.
  • [T1041] Remote Access Trojan (SectopRAT) – Receives commands from a C2 server and exfiltrates credentials/cookies and other data. [‘Receives commands from a C&C server.’]

Indicators of Compromise

  • [MD5 hashes] Installer/payload hashes – 2573317128ca9e79c3d23b0d374dc384, 50ab29f322265d07930cc23bcdd71e05, and 3 more hashes
  • [URLs] C2 / payload endpoints – http://45[.]141[.]87[.]50[:]9000/wbinjget, https://affecthorsedpo[.]shop/api, and other shop/api endpoints
  • [FQDN] Typosquatted distribution domain – launchapps[.]site
  • [IP address] Payload/C2 host – 45[.]141[.]87[.]50

The technical infection chain begins with a typosquatted Notion download page (for example ‘notlon[.]be’, where a lowercase “l” replaces the “i” in “notion”) that delivers a malicious installer. When executed, the installer drops a DLL designed as a downloader/loader; this DLL is installed and invoked by the installer process and subsequently establishes network connections to a C2 server to retrieve additional payloads.

The downloaded payloads are typically written to disk as files named like “decrypted.exe” and have included infostealer and RAT families such as LummaC2 and SectopRAT. The DLL-first approach allows the actor to maintain a small installer footprint while fetching and executing larger, modular components from remote hosts (observed C2 endpoints and shop/api domains), enabling dynamic payload selection at runtime.

SectopRAT in particular mirrors RedLine-like routines: it harvests browser-stored credentials, cookies, autofill data, screenshots, and potentially cryptocurrency wallet files, and listens for remote commands from its C2 to execute arbitrary actions. Detection and mitigation should focus on blocking known C2 domains/IPs, scanning for the listed file hashes, validating installer sources, and preventing execution of unsigned installers from untrusted pages.
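As an added example (not code from the ASEC report), the script below turns the defanged indicators listed above back into matchable strings, scans constructed proxy/DNS log lines for the C2 URL, IP and typosquatted domains, checks a file hash against the listed MD5s, and flags look-alike domains of the impersonated brand using the ‘notlon’-for-‘notion’ substitution the write-up describes. The log lines, the `BRANDS` list and the character-folding table are assumptions for illustration; the report lists further hashes that are not reproduced here.

```python
"""Refang the write-up's IOCs, match them against log lines, and flag
look-alike domains (e.g. 'notlon' for 'notion'). Example code, not from the
ASEC report; the log lines below are constructed."""
import hashlib
import re
from urllib.parse import urlsplit

# IOCs copied in defanged form from the write-up; 'notlon[.]be' is the
# typosquat example it gives. The report lists further hashes not shown here.
DEFANGED = {
    "md5": ["2573317128ca9e79c3d23b0d374dc384", "50ab29f322265d07930cc23bcdd71e05"],
    "url": ["http://45[.]141[.]87[.]50[:]9000/wbinjget", "https://affecthorsedpo[.]shop/api"],
    "fqdn": ["launchapps[.]site", "notlon[.]be"],
    "ip": ["45[.]141[.]87[.]50"],
}
BRANDS = ["notion"]  # assumed: brands whose installers are being impersonated


def refang(value):
    """Turn a defanged indicator back into a matchable string."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


IOC = {kind: {refang(v).lower() for v in values} for kind, values in DEFANGED.items()}


def normalize_label(label):
    """Fold common look-alike characters so 'notlon' compares equal to 'notion'."""
    out = label.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "i"), ("l", "i")):
        out = out.replace(bad, good)
    return out


def is_lookalike(host):
    """True if the registrable label of host imitates a brand without matching its spelling."""
    labels = host.lower().split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    return any(label != b and normalize_label(label) == normalize_label(b) for b in BRANDS)


URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def classify_line(text):
    """Return the reasons a log line matches the IOCs (empty list if clean)."""
    lowered = text.lower()
    reasons = []
    urls = {u.rstrip(".,;") for u in URL_RE.findall(lowered)}
    hosts = set(HOST_RE.findall(lowered)) | set(IPV4_RE.findall(lowered))
    for u in sorted(urls):
        h = urlsplit(u).hostname  # strips the port, e.g. ':9000'
        if h:
            hosts.add(h)
        if u in IOC["url"]:
            reasons.append("known-url")
    for h in sorted(hosts):
        if h in IOC["ip"]:
            reasons.append("known-ip")
        if h in IOC["fqdn"] or any(h.endswith("." + f) for f in IOC["fqdn"]):
            reasons.append("known-fqdn")
        if is_lookalike(h):
            reasons.append("lookalike:" + h)
    return reasons


def scan_log_lines(lines):
    """Scan lines; return one dict per hit with its 1-based line number and reasons."""
    hits = []
    for n, text in enumerate(lines, 1):
        reasons = classify_line(text)
        if reasons:
            hits.append({"line": n, "text": text, "reasons": reasons})
    return hits


def is_known_md5(data_or_hexdigest):
    """Accept raw file bytes (hashed here) or a hex digest; check against the listed MD5s."""
    if isinstance(data_or_hexdigest, (bytes, bytearray)):
        hexd = hashlib.md5(bytes(data_or_hexdigest)).hexdigest()
    else:
        hexd = data_or_hexdigest.lower()
    return hexd in IOC["md5"]


SAMPLE_LOG = [  # constructed lines, not real telemetry
    "2024-01-01T10:00:01Z host1 DNS query notlon.be",
    "2024-01-01T10:00:05Z host1 GET http://45.141.87.50:9000/wbinjget",
    "2024-01-01T10:00:09Z host1 GET https://www.notion.so/desktop",
    "2024-01-01T10:01:00Z host2 DNS query launchapps.site",
    "2024-01-01T10:02:00Z host2 GET https://affecthorsedpo.shop/api",
]

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        print(hit["line"], ", ".join(hit["reasons"]), "|", hit["text"])
```

The look-alike check only folds a handful of characters and compares the label immediately before the TLD, so it catches the ‘notlon’ case but will miss more elaborate homoglyph or combosquat names; treat it as a triage signal alongside the exact IOC matches, not as a replacement for blocking the listed domains and IP.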

Read more: https://asec.ahnlab.com/en/83621/