The SmartApeSG social engineering campaign has resurfaced, utilizing ClickFix scripts to surreptitiously install remote access malware on Windows systems. This operation targets users through deceptive verification pages, resulting in the execution of harmful scripts without the user’s awareness.
Deceptive Tactics and Infection Process
The campaign begins when a user visits a compromised website that displays a fraudulent verification page. Using the ClickFix technique, the page instructs the user to run a PowerShell (or similar) script. As the script runs, it silently connects to attacker-controlled servers and downloads the first stage of the malware infection.
Victims remain oblivious to the ongoing attack, while perpetrators gain persistent access to their systems. The Internet Storm Center identified this campaign after noticing a suspicious infection on May 27, 2026. Researcher Brad Duncan revealed that the campaign had been active for several weeks, generating encoded traffic to a command and control server.
Two-Stage Attack and Advanced Persistence
One of the notable aspects of this campaign is its two-stage design. The initial stage deploys an unidentified RAT, which communicates with its C2 server over TCP port 443, resembling standard web traffic. Once established, a secondary payload, the NetSupport Manager RAT, is downloaded, offering attackers remote control capabilities.
This second-stage RAT is installed to persist through system reboots. Post-installation, the setup scripts are automatically removed, complicating forensic investigations and indicating the campaign’s sophisticated planning.
Defense Strategies and Indicators of Compromise
To counter these threats, monitor for unusual PowerShell activity linked to browser events, which can signify ClickFix script abuse. Blocking access to suspicious domains and watching for encoded traffic on TCP port 443 also reduce risk.
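As an added illustration (not code from the Internet Storm Center write-up or the researcher), the following Python applies that first detection idea to constructed process-creation records: it flags PowerShell launched from the Run dialog or a browser with hidden-window, encoded or download switches shortly after browser activity. The record shape, the five-minute window and the sample events are assumptions.

```python
"""Flag ClickFix-style PowerShell launches in process-creation telemetry.

Heuristic: ClickFix has the victim paste a command into the Run box right after
visiting a lure page, so PowerShell is spawned by explorer.exe (or the browser)
shortly after browser activity and carries hidden/encoded/download switches."""
from datetime import datetime, timedelta
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
USER_LAUNCH_PARENTS = BROWSERS | {"explorer.exe"}  # Run dialog or browser, not a service
WINDOW = timedelta(minutes=5)  # browser activity must precede the launch by at most this
SUSPICIOUS = re.compile(
    r"-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|\biex\b|invoke-expression"
    r"|downloadstring|invoke-webrequest|\biwr\b", re.IGNORECASE)

# Constructed Sysmon Event ID 1-like records (assumed shape, not real campaign telemetry).
EVENTS = [
    {"time": "2026-05-27T09:58:02", "image": "chrome.exe", "parent": "explorer.exe",
     "cmdline": "chrome.exe --profile-directory=Default"},
    {"time": "2026-05-27T09:58:41", "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc QUJDREVGR0g="},  # placeholder blob
    {"time": "2026-05-27T12:10:00", "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},  # benign admin script
    {"time": "2026-05-27T14:00:05", "image": "msedge.exe", "parent": "explorer.exe",
     "cmdline": "msedge.exe"},
    {"time": "2026-05-27T14:00:40", "image": "powershell.exe", "parent": "services.exe",
     "cmdline": "powershell.exe -NoProfile -enc QUJDREVGR0g="},  # scheduled task, not typed
]


def flag_clickfix_launches(events):
    """Return launches meeting all three conditions: user-launch parent, suspicious
    switches, and browser activity within WINDOW before the launch."""
    browser_seen, hits = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        t, image = datetime.fromisoformat(ev["time"]), ev["image"].lower()
        if image in BROWSERS:
            browser_seen.append(t)
            continue
        if image not in SHELLS or ev["parent"].lower() not in USER_LAUNCH_PARENTS:
            continue  # service-spawned PowerShell is handled by other rules
        if not SUSPICIOUS.search(ev["cmdline"]):
            continue
        if any(timedelta(0) <= t - bt <= WINDOW for bt in browser_seen):
            hits.append(dict(ev, reason=f"suspicious PowerShell from {ev['parent']} "
                                        f"within {WINDOW} of browser activity"))
    return hits
```

On the sample records only the 09:58:41 launch is flagged; the scheduled-task launch at 14:00:40 carries the same encoded switch but comes from services.exe, so it is left to other rules.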
Security teams should remain vigilant, as the campaign's domains and file hashes change frequently. For the latest indicators, monitoring feeds such as @monitorsg on Mastodon is advised. The published indicators of compromise consist of URLs and IP addresses tied to the campaign's infrastructure.
In conclusion, the SmartApeSG campaign emphasizes the need for heightened vigilance and robust security measures to protect against evolving cyber threats. Staying informed and implementing effective defense strategies are essential in maintaining system integrity.
