Malware & Ransomware · HIGH

Malware - SmartApeSG Campaign Delivers Multiple RATs

Tags: Remcos RAT, NetSupport RAT, StealC, Sectop RAT, SmartApeSG

In short, a new threat campaign tricks users into executing malicious scripts that install several malware payloads.

Quick Summary

The SmartApeSG campaign is delivering multiple malware strains through social engineering. Users visiting compromised sites are at risk. Immediate action is needed to block malicious domains and educate employees.

What Happened

A new threat campaign, known as SmartApeSG, has been identified pushing multiple strains of malware using a social engineering technique called ClickFix. This campaign, also tracked under the names ZPHP and HANEYMANEY, has been active as recently as March 24, 2026. It successfully delivered four separate malware payloads to a single infected host in one session: Remcos RAT, NetSupport RAT, StealC, and Sectop RAT. This approach maximizes damage from a single user mistake, showcasing a sophisticated method of attack.

The SmartApeSG campaign injects malicious scripts into legitimate but already-compromised websites. When a user visits these sites, they are redirected to a fake CAPTCHA page designed to trick them into executing harmful scripts. This method is particularly insidious as it relies on user interaction to initiate the infection chain, making it difficult for security measures to intervene.

Who's Being Targeted

The SmartApeSG campaign primarily targets users who unknowingly visit compromised websites. By using social engineering tactics, attackers exploit human behavior to execute their malware. The staged delivery of malware payloads is particularly concerning. For instance, Remcos RAT was detected just one minute after the ClickFix script ran, followed closely by NetSupport RAT and others. This staggered approach allows multiple threats to run in parallel on the same system, complicating detection efforts.

Signs of Infection

Users infected by this campaign may notice unusual behavior on their devices, such as unexpected prompts or slow performance. The malware operates stealthily, often without obvious warning signs. One notable aspect of this campaign is the use of DLL side-loading, where a malicious DLL is bundled with, and loaded by, a legitimate executable. This technique makes it harder for security tools to detect threats, as the main executable appears clean. Additionally, the ClickFix script deletes critical files after execution, further complicating forensic investigations.

How to Protect Yourself

Organizations are advised to take immediate action to mitigate risks associated with the SmartApeSG campaign. Blocking the domains urotypos.com and fresicrto.top at the DNS and firewall level is crucial. Furthermore, monitoring outbound traffic to specific IP addresses can help identify compromised systems. Employees should be trained to avoid pasting or running clipboard content prompted by any website. Security teams should also watch for unexpected HTA file execution and unusual DLL loading activity within user-accessible directories, such as AppData and ProgramData. By implementing these measures, organizations can better protect themselves against the evolving threat landscape posed by campaigns like SmartApeSG.
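A defender-side triage of the indicators listed above, as an added example that is not from the article or the campaign: it walks constructed Sysmon-style events (process create, image load, DNS query) and flags mshta.exe launches, DLLs loaded from AppData or ProgramData, and lookups of the two blocked domains. The event shape, sample paths and timestamps are assumptions.

```python
import re

# Domains the article says to block (taken from the advisory text).
BLOCKED_DOMAINS = ("urotypos.com", "fresicrto.top")

# User-writable locations the article names as suspicious DLL origins.
USER_WRITABLE_DIR = re.compile(r"^[a-z]:\\(users\\[^\\]+\\appdata\\|programdata\\)", re.I)


def _hits_blocked_domain(query_name):
    """True for a blocked domain itself or any of its subdomains."""
    name = query_name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in BLOCKED_DOMAINS)


def triage(events):
    """Return (indicator, detail) pairs in time order for the three indicators
    the advisory lists: mshta.exe launches (HTA execution), DLLs loaded from
    AppData/ProgramData (side-loading), and DNS lookups of blocked domains."""
    findings = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        eid = ev["EventID"]
        if eid == 1 and ev["Image"].lower().endswith("\\mshta.exe"):
            findings.append(("hta_execution", ev["CommandLine"]))
        elif eid == 7 and USER_WRITABLE_DIR.match(ev["ImageLoaded"]) \
                and ev["ImageLoaded"].lower().endswith(".dll"):
            findings.append(("dll_from_user_dir", ev["ImageLoaded"]))
        elif eid == 22 and _hits_blocked_domain(ev["QueryName"]):
            findings.append(("blocked_domain_lookup", ev["QueryName"]))
    return findings


# Constructed sample telemetry (assumed Sysmon-like fields); paths, the lure
# URL and the side-loaded DLL name are made up for illustration.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-03-24 10:00:00",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://lure.example/verify.hta"},
    {"EventID": 22, "UtcTime": "2026-03-24 10:00:02", "QueryName": "cdn.urotypos.com"},
    {"EventID": 7, "UtcTime": "2026-03-24 10:01:00",
     "Image": r"C:\Users\alice\AppData\Roaming\Viewer\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Viewer\version.dll"},
    {"EventID": 7, "UtcTime": "2026-03-24 10:01:01",
     "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll"},
    {"EventID": 22, "UtcTime": "2026-03-24 10:01:05", "QueryName": "update.example.com"},
]

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_EVENTS):
        print(f"{indicator:22} {detail}")
```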

🔒 Pro insight: The ClickFix technique highlights the need for enhanced user education and proactive monitoring to combat sophisticated social engineering attacks.

Original article from Cyber Security News · Tushar Subhra Dutta
