SmartApeSG ClickFix Campaign Delivers Four RATs and Info Stealers

Sarah simpson
March 25, 2026

Key Takeaways

  • The SmartApeSG campaign, also known as ZPHP and HANEYMANEY, is actively distributing four distinct malware payloads: Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2).
  • Attackers leverage a social engineering tactic called ClickFix, which involves redirecting users to a fake CAPTCHA page that silently copies a malicious script to the clipboard, prompting manual execution.
  • The campaign uses compromised legitimate websites for initial redirection and employs sophisticated evasion techniques like DLL side-loading to deliver malware while appearing benign.
  • The staggered delivery of multiple RATs and info-stealers maximizes damage from a single user error, providing a narrow window for detection.

A sophisticated threat campaign, dubbed SmartApeSG and also identified as ZPHP and HANEYMANEY, is currently deploying a dangerous array of malware strains through a clever social engineering technique known as ClickFix. This multi-pronged attack delivers no fewer than four distinct malicious payloads to a single victim, highlighting a growing trend of attackers stacking tools to maximize impact from an initial compromise.

Table of Contents

  • Key Takeaways
  • The ClickFix Deception
  • Multi-Stage Malware Deployment
  • DLL Side-Loading: How the Malware Hides in Plain Sight
  • What You Should Do

Recent activity, documented as late as March 24, 2026, revealed the campaign’s capability to infect a single host with Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (also known as ArechClient2) within a single session. This comprehensive delivery of remote access trojans (RATs) and information stealers underscores the severe threat posed to unsuspecting users.

The ClickFix Deception

The SmartApeSG operation begins with malicious scripts injected into legitimate websites that have already been compromised. When a user navigates to one of these infected sites, they are surreptitiously redirected to a deceptive CAPTCHA page. This page, designed to mimic a routine security verification, is actually a trap intended to trick the user into executing harmful code.

In the background, the compromised website silently loads the injected script, preparing the fake CAPTCHA interface that the visitor encounters. Researchers at the Internet Storm Center pinpointed this latest SmartApeSG wave on March 24, 2026, detailing the staged, multi-hour sequence of payload delivery.

The fake CAPTCHA page presents instructions that silently copy a malicious script into the user’s clipboard. The victim is then prompted to paste and manually execute this script via the Windows Run dialog box. Once these steps are followed, the infection chain commences, operating without noticeable warning signs on the compromised system. This method of delivery, as detailed in a recent report, leverages user trust and system familiarity to bypass initial defenses.

Multi-Stage Malware Deployment

The campaign’s significant danger stems from its ability to deploy multiple malware families sequentially. Following the execution of the ClickFix script, Remcos RAT traffic was detected almost immediately at 17:12 UTC. Just four minutes later, NetSupport RAT began its operations. Approximately an hour after NetSupport, the StealC info-stealer initiated communication with its command-and-control server, followed by Sectop RAT roughly an hour and eighteen minutes later.

This staggered, multi-payload approach grants attackers deep and diverse access to a victim’s machine from a single point of entry. It also creates a critical, but narrow, window for defenders to detect and neutralize the threat before multiple malicious processes are running simultaneously on the affected system.
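The detection window described above becomes concrete when per-family alerts are correlated on a single host. The following is an added example, not code from the article or from the Internet Storm Center: it parses constructed alert lines in an assumed `timestamp host family` format, builds a per-host timeline, and reports how many minutes elapsed between the first family and the second, which is the window a defender has before the host carries multiple implants. The sample timestamps are constructed to match the sequence the article reports.

```python
"""Correlate per-family C2 detections into a per-host timeline (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_alerts(lines):
    """Parse constructed 'ISO-timestamp host family' lines into sorted tuples."""
    out = []
    for line in lines:
        ts, host, family = line.split()[:3]
        out.append((datetime.fromisoformat(ts), host, family))
    return sorted(out)


def correlate(alerts, window=timedelta(hours=3)):
    """Return {host: (first_seen, distinct families in order, minutes to 2nd family)}.

    Only alerts inside `window` of the host's first alert are grouped, so a
    stale, unrelated detection days later does not inflate the count.
    """
    per_host = defaultdict(list)
    for ts, host, family in alerts:
        per_host[host].append((ts, family))

    summary = {}
    for host, seq in per_host.items():
        first_ts = seq[0][0]
        families, second_at = [], None
        for ts, fam in seq:
            if ts - first_ts > window:
                break
            if fam not in families:          # repeated beacons of one family count once
                families.append(fam)
                if len(families) == 2:
                    second_at = ts
        gap = None if second_at is None else int((second_at - first_ts).total_seconds() // 60)
        summary[host] = (first_ts, families, gap)
    return summary


def escalate(summary, min_families=2):
    """Hosts carrying several distinct families inside the window warrant isolation first."""
    return sorted(host for host, (_, fams, _) in summary.items() if len(fams) >= min_families)


# Constructed alerts mirroring the article's timeline on one host (WS-042),
# plus a second host with a single family and a repeated beacon for WS-042.
SAMPLE_ALERTS = [
    "2026-03-24T17:12:00 WS-042 Remcos",
    "2026-03-24T17:16:00 WS-042 NetSupport",
    "2026-03-24T18:16:00 WS-042 StealC",
    "2026-03-24T19:34:00 WS-042 Sectop",
    "2026-03-24T17:30:00 WS-017 Remcos",
    "2026-03-24T17:31:00 WS-042 Remcos",
]

if __name__ == "__main__":
    summary = correlate(parse_alerts(SAMPLE_ALERTS))
    for host, (first, fams, gap) in summary.items():
        print(f"{host}: first={first:%H:%M}Z families={fams} minutes_to_second={gap}")
    print("isolate first:", escalate(summary))
```

With the constructed data, WS-042 shows a second family four minutes after the first, which is the realistic budget for automated containment rather than manual triage; WS-017 stays below the escalation threshold.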

DLL Side-Loading: How the Malware Hides in Plain Sight

A notable technical aspect of the SmartApeSG campaign is its sophisticated use of DLL side-loading to conceal malicious code within seemingly legitimate software packages. The archive files for Remcos RAT, StealC, and Sectop RAT all employ this technique. A malicious Dynamic Link Library (DLL) is placed next to a trusted, recognized executable, which loads it in place of the library it expects. Because the primary executable appears benign and familiar, many security tools may fail to immediately flag the underlying malicious activity.

NetSupport RAT, on the other hand, utilizes a different tactic. It is a legitimate remote support application that, in this campaign, has been maliciously configured to connect to an attacker-controlled server instead of its intended, trusted counterpart.

Network traffic analysis using tools like Wireshark has revealed the distinct command-and-control server connections established by each malware strain. For instance, the HTA file responsible for downloading Remcos RAT is retrieved from urotypos[.]com and saved locally as post.hta before execution. Crucially, the ClickFix script deletes this HTA file immediately after it runs, complicating forensic investigations for incident response teams who do not quickly identify the infection.

What You Should Do

  • Block Malicious Domains and IPs: Implement blocks for urotypos[.]com and fresicrto[.]top at the DNS and firewall levels. Monitor outbound traffic towards IP addresses 95.142.45[.]231, 185.163.47[.]220, 89.46.38[.]100, and 195.85.115[.]11.
  • User Awareness Training: Educate employees on the dangers of social engineering and the ClickFix technique. Emphasize that users should never paste or execute clipboard content prompted by any website, especially those disguised as CAPTCHA verifications.
  • Monitor for Anomalous Activity: Security teams should actively monitor for unexpected HTA file executions and unusual DLL loading activities, particularly within user-accessible directories like AppData and ProgramData.
  • Endpoint Detection and Response (EDR): Utilize EDR solutions to detect and respond to suspicious process chains and file modifications that might indicate a ClickFix infection.
  • Regular Backups: Maintain regular, secure backups of critical data to mitigate the impact of potential data theft or system compromise.
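The monitoring guidance above (HTA execution from the Run dialog, DLL loads from user-writable directories, and contact with the listed domains and IPs) can be expressed as a small rule set over endpoint telemetry. The following is an added example, not code from the article or from any vendor: it runs three checks over constructed, Sysmon-style event dictionaries. The field names (`event_id`, `image`, `parent_image`, `command_line`, `image_loaded`, `dll_signed`, `query`, `dest`) are assumptions for this example, not a real log schema, and the indicator lists are the defanged values quoted in the article.

```python
"""Rule set for the ClickFix / side-loading chain (added example)."""
import re

# Indicators quoted in the article, kept defanged as published.
IOC_DOMAINS = {"urotypos[.]com", "fresicrto[.]top"}
IOC_IPS = {"95.142.45[.]231", "185.163.47[.]220", "89.46.38[.]100", "195.85.115[.]11"}

# Script hosts a pasted Run-dialog command typically lands in.
SCRIPT_HOSTS = ("mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")
# Arguments that fetch or run remote/HTA content; benign interactive launches lack them.
SUSPICIOUS_ARGS = re.compile(
    r"https?://|\.hta\b|-enc|hidden|\biex\b|downloadstring|invoke-webrequest|\bcurl\b|certutil", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\Public)\\", re.I)


def refang(ioc):
    return ioc.replace("[.]", ".")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """ClickFix execution: explorer.exe (Run dialog) spawns a script host with remote/HTA args."""
    if basename(ev.get("parent_image", "")) != "explorer.exe":
        return None
    if basename(ev.get("image", "")) not in SCRIPT_HOSTS:
        return None
    cmd = ev.get("command_line", "")
    if not SUSPICIOUS_ARGS.search(cmd):
        return None
    return f"clickfix_exec: {basename(ev['image'])} from explorer.exe: {cmd[:80]}"


def check_image_load(ev):
    """Side-loading: an executable loads an unsigned DLL from a user-writable directory."""
    dll = ev.get("image_loaded", "")
    if not dll.lower().endswith(".dll") or ev.get("dll_signed", True):
        return None
    if not USER_WRITABLE.search(dll):
        return None
    return f"sideload: {basename(ev.get('image', ''))} loaded unsigned {dll}"


def check_network(ev):
    """DNS query or outbound connection to an indicator from the article."""
    target = (ev.get("dest") or ev.get("query") or "").lower()
    known = {refang(x) for x in IOC_DOMAINS | IOC_IPS}
    if target in known:
        return f"ioc_contact: {basename(ev.get('image', ''))} -> {target}"
    return None


# Sysmon event IDs: 1 process create, 3 network connect, 7 image load, 22 DNS query.
CHECKS = {1: check_process, 3: check_network, 7: check_image_load, 22: check_network}


def detect(events):
    """Apply the matching check to each event and return the list of hits."""
    hits = []
    for ev in events:
        check = CHECKS.get(ev.get("event_id"))
        hit = check(ev) if check else None
        if hit:
            hits.append(hit)
    return hits


# Constructed events: one true positive per rule plus a benign counterpart.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"mshta.exe C:\Users\alice\AppData\Local\Temp\post.hta"},
    {"event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "powershell.exe"},
    {"event_id": 7, "image": r"C:\Users\alice\AppData\Roaming\Updater\signed_app.exe",
     "image_loaded": r"C:\Users\alice\AppData\Roaming\Updater\version.dll", "dll_signed": False},
    {"event_id": 7, "image": r"C:\Users\alice\AppData\Roaming\Updater\signed_app.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll", "dll_signed": True},
    {"event_id": 22, "image": r"C:\Windows\System32\mshta.exe", "query": "urotypos.com"},
    {"event_id": 3, "image": r"C:\Users\alice\AppData\Roaming\Updater\signed_app.exe",
     "dest": "185.163.47.220"},
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

The process rule keys on the parent being explorer.exe because that is what the Run dialog produces; a scheduled task or a browser spawning the same script host would need a separate rule. The side-load rule deliberately ignores signature status of the host executable, since the whole point of the technique is that the EXE is legitimately signed, and instead asks whether the DLL it pulled in is unsigned and sits somewhere a user can write.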

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.
