A sophisticated threat campaign named SmartApeSG, also known by the aliases ZPHP and HANEYMANEY, is actively spreading multiple malware strains, including Remcos RAT, NetSupport RAT, StealC, and Sectop RAT. This campaign leverages a social engineering tactic called ClickFix, observed as recently as March 24, 2026, demonstrating an alarming strategy of overwhelming a single infected host with a suite of potent malicious tools in one session. The campaign’s primary method involves injecting malicious scripts into legitimate but already compromised websites, creating a deceptive user experience.
When unsuspecting users visit these compromised sites, they are redirected to a fake CAPTCHA page. This page is meticulously designed to mimic routine security verification processes, but its true purpose is to trick the user into executing a harmful script. The compromised website quietly loads the injected script in the background, setting up the visually convincing but malicious page that the visitor encounters. Researchers at the Internet Storm Center identified this latest SmartApeSG wave, detailing how the campaign delivered each payload in a staged sequence over several hours.
SmartApeSG Campaign Leverages ClickFix for Multi-Malware Deployment
The fake CAPTCHA page serves a critical function within the ClickFix scheme: it contains instructions that silently copy a malicious script into the user’s clipboard. The page then prompts the victim to manually paste and execute this script via the Windows Run dialog box. Once these steps are followed, the infection chain is initiated and proceeds without readily apparent warning signs on the compromised machine. This method is particularly effective as it relies on user interaction, bypassing some automated security measures that might otherwise detect unusual file downloads or executions.
The impact of this campaign is significantly amplified by its multi-malware approach. Instead of deploying a single threat, SmartApeSG delivers a diverse toolkit designed for maximum damage from a single user error. According to observations, Remcos RAT traffic was detected mere minutes after the ClickFix script was executed. NetSupport RAT followed shortly after. Subsequently, StealC began exfiltrating data to its command-and-control server, with Sectop RAT appearing approximately an hour later. This staggered deployment provides defenders with a very narrow window to detect and neutralize the threat before multiple malicious payloads are running concurrently on the same system.
The combination of malware payloads—a keylogger-capable RAT, a remote support tool repurposed for malicious intent, a credential stealer, and a second RAT—clearly indicates that SmartApeSG is engineered to grant attackers comprehensive and varied access to a victim’s machine from a single infection event. This concentrated deployment strategy allows attackers to simultaneously gather sensitive information, maintain remote access, and potentially move laterally within a compromised network.
DLL Side-Loading: How the Malware Hides in Plain Sight
A technically noteworthy aspect of this campaign is its utilization of DLL side-loading for stealth. The archive files associated with Remcos RAT, StealC, and Sectop RAT all employ this technique. DLL side-loading involves a legitimate and trusted executable file being used to quietly load a malicious Dynamic Link Library (DLL) file alongside it. Since the primary executable appears benign and familiar, many security tools may overlook the malicious activity occurring in the background. In contrast, NetSupport RAT operates differently; it is a genuine remote support application that has been configured in this campaign to connect to an attacker-controlled server instead of a legitimate one.
Network traffic analysis, such as that performed with Wireshark, can reveal the distinct connections each malware strain makes to its designated command-and-control server. The HTA (HTML Application) file responsible for initiating the Remcos RAT download originates from the domain urotypos[.]com and is saved locally as post.hta before execution. Critically, the ClickFix script removes this HTA file immediately after running it, which complicates forensic investigations for response teams who do not quickly identify the infection.
Organizations are strongly advised to implement blocking measures for the identified malicious domains, specifically urotypos[.]com and fresicrto[.]top, at both the DNS and firewall levels. Furthermore, monitoring outbound traffic directed towards IP addresses such as 95.142.45[.]231, 185.163.47[.]220, 89.46.38[.]100, and 195.85.115[.]11 is also recommended. Employee training should emphasize the critical importance of never pasting or executing clipboard content prompted by any website. Security teams should remain vigilant for any unexpected HTA file executions and unusual DLL loading activities occurring within user-accessible directories like AppData and ProgramData.
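A defender-side sweep that turns the monitoring advice above (the two domains, the four IPs, unexpected HTA execution and its prompt deletion, DLL loads from AppData or ProgramData) into rules run over constructed Sysmon-style events. This is an added example, not the article's or the Internet Storm Center's own tooling; the `key=value|key=value` event format, the field names and the sample lines are assumptions made for illustration.

```python
"""Detection sweep over constructed, Sysmon-style event lines for the SmartApeSG
ClickFix chain.  Added example, not ISC's or the article's own tooling; the
'key=value|key=value' event format, field names and sample lines are assumed."""
import re
from collections import Counter
from typing import Optional

def refang(s: str) -> str:
    """Normalise defanged indicators ('[.]') so report IoCs and raw telemetry compare equal."""
    return s.replace("[.]", ".").lower()

# Indicators quoted in the article.
IOC_DOMAINS = {refang(d) for d in ("urotypos[.]com", "fresicrto[.]top")}
IOC_IPS = {refang(i) for i in ("95.142.45[.]231", "185.163.47[.]220",
                               "89.46.38[.]100", "195.85.115[.]11")}
# User-writable locations the article says to watch for DLL side-loading.
USER_DIRS = re.compile(r"\\(AppData|ProgramData)\\", re.IGNORECASE)

def classify(line: str) -> Optional[str]:
    """Return a rule name when an event matches the chain's indicators, else None."""
    f = dict(kv.split("=", 1) for kv in line.split("|"))
    ev, img = f.get("event"), f.get("image", "")
    if ev == "ProcessCreate" and img.lower().endswith("\\mshta.exe"):
        return "hta_execution"            # Run-dialog ClickFix launches an .hta via mshta
    if ev == "FileDelete" and f.get("target", "").lower().endswith(".hta"):
        return "hta_deleted"              # script removes post.hta right after running it
    if ev == "DnsQuery" and refang(f.get("query", "")) in IOC_DOMAINS:
        return "ioc_domain"
    if ev == "NetworkConnect" and refang(f.get("dst", "")) in IOC_IPS:
        return "ioc_ip"
    if ev == "ImageLoad" and img.lower().endswith(".dll") and USER_DIRS.search(img):
        return "dll_load_user_dir"        # side-loaded DLL from AppData/ProgramData
    return None

def sweep(lines):
    """Classify every line; return (Counter of rule hits, list of (rule, line))."""
    hits = [(r, ln) for ln in lines if (r := classify(ln)) is not None]
    return Counter(r for r, _ in hits), hits

# Constructed sample telemetry (not real captures); IoC values are kept defanged.
SAMPLE = [
    "event=ProcessCreate|image=C:\\Windows\\System32\\mshta.exe|pid=4120",
    "event=FileDelete|target=C:\\Users\\u\\AppData\\Local\\Temp\\post.hta|pid=4120",
    "event=DnsQuery|query=urotypos[.]com|pid=4120",
    "event=NetworkConnect|dst=95.142.45[.]231|dport=443|pid=5216",
    "event=ImageLoad|image=C:\\Users\\u\\AppData\\Roaming\\vendor\\helper.dll|pid=5216",
    "event=ImageLoad|image=C:\\Windows\\System32\\kernel32.dll|pid=5216",
]

if __name__ == "__main__":
    print(dict(sweep(SAMPLE)[0]))
```

The `hta_execution` and `dll_load_user_dir` rules are deliberately broad and will fire on legitimate software in some environments; correlate them by process id with the IoC rules, as the sample does, before treating a host as infected.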
The continued evolution of the SmartApeSG campaign, with its multi-layered approach and sophisticated evasion techniques, underscores the enduring danger posed by advanced persistent threats. As attackers refine their methods, organizations must continually update their defenses and user awareness programs to mitigate the risks associated with such advanced malware campaigns. The next phase of monitoring will likely focus on whether new domains or IP addresses are utilized by the SmartApeSG actors and whether further variations in their payload delivery or evasion tactics emerge.