Lumma Stealer and Sectop RAT (ArechClient2) Malware Campaign Infects Windows Users
What Happened — A new wave of Lumma Stealer infections was observed on April 17, 2026, delivering the Sectop Remote Access Trojan (payload name ArechClient2). The malware chain harvests credentials and browser data, and can provide full remote control of compromised machines.
Why It Matters for TPRM —
- Credential theft can expose third‑party vendor logins and API keys.
- Remote‑access capability enables lateral movement into partner networks.
- The campaign’s use of a legitimate‑looking stealer masks the RAT, increasing detection difficulty.
Who Is Affected — Financial services, SaaS providers, healthcare IT, and any organization that relies on Windows‑based endpoints for remote work.
Recommended Actions —
- Verify that all third‑party vendors enforce multi‑factor authentication and least‑privilege access.
- Deploy updated endpoint detection and response (EDR) signatures for Lumma Stealer and Sectop RAT.
- Conduct a credential‑reuse audit across all vendor accounts.
Technical Notes — The infection vector appears to be phishing emails with malicious attachments or compromised software downloads. Lumma Stealer extracts saved passwords, cookies, and cryptocurrency wallets; Sectop RAT (ArechClient2) establishes C2 channels for command execution and data exfiltration. No public CVE is associated, but the payload leverages known Windows API calls to evade sandboxing. Source: SANS Internet Storm Center