Intelligence Insights: April 2025
ID: ba9a97da-3ab0-5726-be48-d98d7d9f87ad
STIX ID: report--ba9a97da-3ab0-5726-be48-d98d7d9f87ad
Feed Name: Red Canary
Red Canary observed a March 2025 surge of HijackLoader delivering Arechclient2 (SectopRAT), a remote access trojan (RAT) with hidden secondary-desktop and stealer functionality. Operators used paste-and-run (fake CAPTCHA) lures and malvertising/SEO poisoning that led to encoded PowerShell execution, loader activity, and C2 retrieval via pastebin and atypical TCP ports; Arechclient2 has been associated with follow-on deployments of Cobalt Strike, Brute Ratel, and BlackSuit ransomware. The report highlights detection opportunities earlier in the chain (encoded PowerShell, network connections, executable writes) and lists observable IOCs and behaviors for defenders.
