A cybersecurity threat campaign known as SmartApeSG has been identified using a social engineering tactic called ClickFix to distribute several malware strains. The campaign, also tracked under the aliases ZPHP and HANEYMANEY, highlights the evolving techniques cybercriminals employ to infiltrate systems.
Recent Campaign Activity
As of March 24, 2026, SmartApeSG was actively delivering four distinct malware payloads within a single infection session. The targeted host received Remcos RAT, NetSupport RAT, StealC, and Sectop RAT, also referred to as ArechClient2. This series of attacks underscores the strategic stacking of multiple malicious tools to inflict extensive harm through one user error.
The method involves injecting harmful scripts into already compromised but legitimate websites. Users visiting these sites are rerouted to a counterfeit CAPTCHA page, which appears to be a routine verification prompt but is actually designed to deceive users into executing a harmful script.
Malware Delivery Mechanism
Researchers from the Internet Storm Center documented the sequential payload delivery on March 24, 2026. The fake CAPTCHA page executes ClickFix instructions that clandestinely copy a malicious script into the user’s clipboard, prompting manual execution via the Windows Run dialog box. This sequence initiates an infection that operates covertly on the compromised machine.
The campaign’s impact is significant because of its layered approach, deploying multiple malware types in one session. Remcos RAT activity was detected at 17:12 UTC, one minute after the ClickFix script was executed. NetSupport RAT followed four minutes later, with StealC and Sectop RAT subsequently establishing connections to their respective command-and-control servers. This staggered deployment leaves defenders little time for detection and mitigation before the full-scale infection takes root.
Stealth Techniques and Recommendations
SmartApeSG employs advanced techniques such as DLL side-loading to conceal malicious code. This involves embedding harmful DLL files within packages containing legitimate software, making detection difficult. NetSupport RAT, a genuine remote support tool, is manipulated to connect to attacker-controlled servers instead of trusted ones.
Network traffic analysis using tools like Wireshark reveals the distinct communications each malware strain establishes with its command-and-control server. The initial Remcos RAT download originates from urotypos[.]com, with the ClickFix script erasing traces post-execution, complicating forensic efforts.
Organizations are urged to block domains like urotypos[.]com and fresicrto[.]top at DNS and firewall levels while monitoring traffic towards specified IP addresses. Employee education on the risks of executing clipboard content prompted by websites is crucial. Security teams should also vigilantly monitor for unusual HTA file executions and DLL loading activities in common directories.
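As an added illustration of the monitoring advice above (this is not code from the original article or from the Internet Storm Center), the following Python flags the two patterns just named: a script host launched from the shell with a URL or .hta file on its command line, and a DLL loaded from a user-writable directory. The simplified log format, the sample events and every path and domain in them are constructed assumptions, not real telemetry.

```python
import re
from typing import Dict, List

# Constructed sample records in a hypothetical simplified telemetry format
# ("id=<event id>|key=value|..."); these are not real Sysmon lines or real indicators.
SAMPLE_EVENTS = [
    "id=1|image=C:\\Windows\\System32\\mshta.exe|parent=C:\\Windows\\explorer.exe"
    "|cmd=mshta.exe https://placeholder.invalid/verify.hta",
    "id=1|image=C:\\Windows\\System32\\notepad.exe|parent=C:\\Windows\\explorer.exe"
    "|cmd=notepad.exe notes.txt",
    "id=7|image=C:\\Users\\alice\\AppData\\Roaming\\Vendor\\support.exe"
    "|loaded=C:\\Users\\alice\\AppData\\Roaming\\Vendor\\helper.dll",
    "id=7|image=C:\\Windows\\System32\\svchost.exe|loaded=C:\\Windows\\System32\\helper.dll",
]

SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# User-writable locations where a dropped DLL for side-loading would typically sit.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")

def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed log line into a dict of fields."""
    return dict(field.split("=", 1) for field in line.split("|"))

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> str:
    """Return a short alert tag for a suspicious event, or '' if it looks benign."""
    if event["id"] == "1":
        # ClickFix pattern: a script host started from the shell (the Run dialog's
        # parent is explorer.exe) with a remote URL or an .hta file on its command line.
        cmd = event.get("cmd", "").lower()
        if (basename(event["image"]) in SCRIPT_HOSTS
                and basename(event.get("parent", "")) == "explorer.exe"
                and (re.search(r"https?://", cmd) or ".hta" in cmd)):
            return "clickfix-script-host"
    elif event["id"] == "7":
        # Possible DLL side-loading: a module loaded from a user-writable directory.
        loaded = event.get("loaded", "").lower()
        if any(d in loaded for d in USER_WRITABLE):
            return "dll-load-user-writable"
    return ""

def detect(lines: List[str]) -> List[str]:
    """Return 'tag: image' strings for every flagged event, in input order."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        tag = classify(event)
        if tag:
            alerts.append(f"{tag}: {event['image']}")
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Real deployments would read these fields from Sysmon event IDs 1 and 7 (or equivalent EDR telemetry) and tune the directory list to the environment's software inventory.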
