A well-known social engineering campaign called SmartApeSG is back in the spotlight, this time using ClickFix scripts to quietly plant remote access malware on Windows computers.
The campaign lures victims through fake verification pages that trick them into running a malicious script without realizing the full damage it causes.
What makes this wave especially concerning is that the attack does not stop at one piece of malware. It delivers a second, more powerful tool once it gains a foothold inside the system.
The infection chain starts when a user visits a compromised or malicious website displaying a fake “verification” page. This page instructs the visitor to copy and run a PowerShell or similar script, which is the ClickFix technique.
Once the script runs, it silently reaches out to attacker-controlled servers and pulls down the first stage of the infection. The victim sees nothing unusual on their screen, while the attacker gains quiet and persistent access to the machine.
Internet Storm Center said in a report shared with Cyber Security News (CSN) that they identified the campaign after observing a suspicious infection on May 27, 2026.
Researcher Brad Duncan noted that an unidentified RAT had been generating encoded traffic to a command and control server since at least April 2026.
The discovery confirmed that this campaign had been quietly running for several weeks before it was formally documented and published.
What sets this attack apart is its deliberate two-stage design. The first stage drops an unidentified RAT that sends encoded traffic to its C2 server over TCP port 443, making it blend in with regular web traffic.
Once the initial RAT is in place, it pulls in a second payload: a malicious package of NetSupport Manager RAT, a legitimate remote access tool that attackers have repurposed to take unauthorized control of infected machines.
The entire process is built to stay quiet and survive reboots. After the NetSupport RAT is installed and made persistent on the host, the scripts used to set it up are deleted automatically, removing traces of the initial compromise.
This cleanup step makes forensic investigation harder and reveals the careful level of planning behind the campaign.
SmartApeSG Campaign Uses ClickFix Scripts
The SmartApeSG campaign uses a fake browser verification page as its entry point, a tactic that has grown increasingly popular among threat actors.
Visitors are told to run a script to “verify” their identity, which instead executes the ClickFix payload. The script then contacts attacker infrastructure to fetch a ZIP archive containing the initial RAT package from a remote server.
Once extracted and executed, the initial RAT begins sending encoded traffic to its C2 server at a fixed IP address over port 443.
The use of encoded, non-SSL traffic on that port is unusual and helps the malware avoid detection tools that expect standard HTTPS on that port. The RAT then pulls down follow-up files through the same C2 channel to prepare the system for the next stage of the attack.
NetSupport RAT Deployed as Persistent Follow-Up Payload
The second stage delivers a malicious NetSupport Manager RAT package via a CAB file that is fetched and extracted to the system.
A batch script called token.bat handles the extraction and installation, while a VBScript file called processor.vbs triggers the batch script. Together, these components install the NetSupport RAT and configure it to run automatically whenever the system restarts.
Defenders are advised to monitor for unusual PowerShell execution tied to browser events, as this is a clear sign of the ClickFix technique being abused. Blocking access to suspicious or newly registered domains can also reduce the overall risk.
Security teams should watch for encoded traffic over port 443 that does not follow normal SSL/TLS patterns, as this is a known behavior of the initial RAT in this chain. Since the domains and file hashes used in this campaign rotate daily, checking the @monitorsg feed on Mastodon is recommended for the latest indicators.
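The two signals named above (a browser spawning PowerShell, and port-443 traffic that carries no TLS record header) can be expressed as simple detection logic. This is an added example with constructed telemetry, not code from the ISC report; the browser and shell image-name lists and the assumption that the first client-to-server bytes of each flow are available from your sensor are my own.

```python
from dataclasses import dataclass

# Constructed lists for the example; extend to match your own telemetry (assumption)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
# TLS record content types: ChangeCipherSpec, Alert, Handshake, ApplicationData
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}

@dataclass
class ProcEvent:
    parent: str   # parent image name
    image: str    # child image name
    cmdline: str

@dataclass
class Flow:
    dst: str
    dport: int
    first_bytes: bytes  # first client-to-server payload bytes of the flow

def is_clickfix_exec(ev: ProcEvent) -> bool:
    """A browser spawning a shell or script host is the ClickFix execution signal."""
    return ev.parent.lower() in BROWSERS and ev.image.lower() in SHELLS

def looks_like_tls(payload: bytes) -> bool:
    """TLS records open with a content type byte, then version bytes 0x03 0x00..0x04."""
    return (len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES
            and payload[1] == 0x03 and payload[2] <= 0x04)

def is_non_tls_443(flow: Flow) -> bool:
    """Port 443 without a TLS record header: the initial RAT's encoded C2 pattern."""
    return flow.dport == 443 and not looks_like_tls(flow.first_bytes)

def alerts(proc_events, flows):
    out = [f"clickfix-exec parent={e.parent} image={e.image}"
           for e in proc_events if is_clickfix_exec(e)]
    out += [f"non-tls-443 dst={f.dst}" for f in flows if is_non_tls_443(f)]
    return out

# Constructed sample telemetry (documentation IP ranges, placeholder command line)
PROC_EVENTS = [
    ProcEvent("explorer.exe", "powershell.exe", "powershell -File backup.ps1"),
    ProcEvent("chrome.exe", "powershell.exe", "powershell -w hidden -enc <BASE64>"),
]
FLOWS = [
    Flow("203.0.113.10", 443, bytes.fromhex("1603010200010001fc0303")),  # ClientHello
    Flow("198.51.100.7", 443, b"\x8a\x3f\xd1\x00\x77\x21\x09"),  # encoded, no TLS header
    Flow("198.51.100.7", 80, b"GET / HTTP/1.1\r\n"),  # not port 443, ignored here
]
print("\n".join(alerts(PROC_EVENTS, FLOWS)))
```

The TLS header check is a coarse first filter; a real sensor would also confirm a ClientHello follows, since a custom protocol could mimic the first bytes.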
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| URL | hxxps[:]//hiddenplanetlab[.]top/signin/secure-util.js | SmartApeSG malicious URL observed May 27, 2026 |
| URL | hxxps[:]//hiddenplanetlab[.]top/signin/private-template?c66kjD5i | SmartApeSG malicious URL observed May 27, 2026 |
| URL | hxxps[:]//hiddenplanetlab[.]top/signin/legacy-worker.js?18b3825af007e53d | SmartApeSG malicious URL observed May 27, 2026 |
| IP Address | 178.156.165[.]82 | ClickFix script C2 traffic |
| IP Address | 178.156.173[.]194 | ClickFix script C2 traffic |
| URL | hxxps[:]//silverharvestnetwork[.]com/check | ClickFix script C2 traffic; also hosts initial RAT ZIP archive |
| IP Address | 89.110.110[.]119:443 | Initial RAT C2 server (TCP port 443, encoded traffic) |
| IP Address | 185.163.47[.]217:443 | NetSupport RAT C2 server |
| SHA256 | 1514b1268e9dc6d2f37137aa38c756cb4bf8186ac9235d6863b78e7f8bbbe976 | ZIP archive containing initial RAT software package |
| SHA256 | 469bac8e10f50263e8ff0806e6ba126bb4cc660799129a8653eab3f8ec7201e5 | processor.vbs — initial VBScript that runs token.bat |
| SHA256 | 9c7eda2c4d3aaa8746495741bef57a07de180f0409409faf0f91658e88ba33f5 | token.bat — batch script that installs and persists NetSupport RAT |
| SHA256 | 7ba5481c873bb3081442561f749f590badd72ef249fddfe993e30b28dc0c2112 | setup.cab — CAB file containing malicious NetSupport RAT package |
| File Path | C:\ProgramData\processor.vbs | Initial VBScript dropped on infected host |
| File Path | C:\ProgramData\token.bat | Batch script dropped on infected host |
| File Path | C:\ProgramData\setup.cab | CAB archive dropped on infected host |
| File Path | C:\ProgramData\UpdateInstaller | Extraction directory for NetSupport RAT contents |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.