SmartApeSG Campaign Distributes Multiple RATs via ClickFix Technique
Severity: High (Score: 69.5)
Sources: Cybersecuritynews, Isc.Sans.Edu, Gbhackers
Summary
The SmartApeSG campaign, also tracked as ZPHP and HANEYMANEY, has been observed delivering multiple remote access trojans (RATs), including Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2), through the ClickFix social engineering technique. This activity was noted on March 24, 2026, when all of the malware was pushed to a single infected host within a single session. The attack vector involved compromised legitimate websites into which malicious scripts were injected to facilitate the malware delivery. The delivery timeline shows NetSupport RAT following Remcos RAT by approximately 4 minutes, with subsequent payloads appearing at intervals of 1 hour and 18 minutes. Indicators of compromise include various domains and IP addresses associated with the malware packages. The campaign is dynamic in nature, with its indicators changing on a near-daily basis. Security professionals are advised to remain vigilant, as the malware can employ DLL side-loading techniques. The current status of the campaign indicates ongoing activity with the potential for further infections.

Key Points:
- The SmartApeSG campaign delivers multiple RATs using the ClickFix technique.
- Malware delivered includes Remcos, NetSupport, StealC, and Sectop RAT.
- Indicators of compromise change frequently, requiring constant vigilance.
Key Entities
- Malware (attack_type)
- Trojan (attack_type)
- Haneymaney (campaign)
- SmartApeSG ClickFix Campaign (campaign)
- SmartApeSG (apt_group)
- ZPHP (apt_group)
- malware-traffic-analysis.net (domain)
- NetSupport RAT (malware)
- Remcos (malware)
- Remcos RAT (malware)
- Sectop RAT (malware)
- StealC (malware)
- T1574 - Hijack Execution Flow (mitre_attack)