CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 01, 2026

SmartApeSG Campaign Uses ClickFix Scripts to Infect Windows Hosts With RAT Malware

Cybersecurity News Archived Jun 01, 2026 ✓ Full text saved

A well-known social engineering campaign called SmartApeSG is back in the spotlight, this time using ClickFix scripts to quietly plant remote access malware on Windows computers. The campaign lures victims through fake verification pages that trick them into running a malicious script without realizing the full damage it causes. What makes this wave especially concerning […] The post SmartApeSG Campaign Uses ClickFix Scripts to Infect Windows Hosts With RAT Malware appeared first on Cyber Securi

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News SmartApeSG Campaign Uses ClickFix Scripts to Infect Windows Hosts With RAT Malware By Tushar Subhra Dutta June 1, 2026 A well-known social engineering campaign called SmartApeSG is back in the spotlight, this time using ClickFix scripts to quietly plant remote access malware on Windows computers. The campaign lures victims through fake verification pages that trick them into running a malicious script without realizing the full damage it causes. What makes this wave especially concerning is that the attack does not stop at one piece of malware. It delivers a second, more powerful tool once it gains a foothold inside the system. The infection chain starts when a user visits a compromised or malicious website displaying a fake “verification” page. This page instructs the visitor to copy and run a PowerShell or similar script, which is the ClickFix technique. Fake verification page with ClickFix instructions from the SmartApeSG campaign (Source – Internet Storm Center) Once the script runs, it silently reaches out to attacker-controlled servers and pulls down the first stage of the infection. The victim sees nothing unusual on their screen, while the attacker gains quiet and persistent access to the machine. Internet Storm Center said in a report shared with Cyber Security News (CSN) that they identified the campaign after observing a suspicious infection on May 27, 2026. Researcher Brad Duncan noted that an unidentified RAT had been generating encoded traffic to a command and control server since at least April 2026. The discovery confirmed that this campaign had been quietly running for several weeks before it was formally documented and published. What sets this attack apart is its deliberate two-stage design. The first stage drops an unidentified RAT that sends encoded traffic to its C2 server over TCP port 443, making it blend in with regular web traffic. Once the initial RAT is in place, it pulls in a second payload: a malicious package of NetSupport Manager RAT, a legitimate remote access tool that attackers have repurposed to take unauthorized control of infected machines. The entire process is built to stay quiet and survive reboots. After the NetSupport RAT is installed and made persistent on the host, the scripts used to set it up are deleted automatically, removing traces of the initial compromise. This cleanup step makes forensic investigation harder and reveals the careful level of planning behind the campaign. SmartApeSG Campaign Uses ClickFix Scripts The SmartApeSG campaign uses a fake browser verification page as its entry point, a tactic that has grown increasingly popular among threat actors. Visitors are told to run a script to “verify” their identity, which instead executes the ClickFix payload. The script then contacts attacker infrastructure to fetch a ZIP archive containing the initial RAT package from a remote server. Initial RAT malware on an infected Windows host (Source – Internet Storm Center) Once extracted and executed, the initial RAT begins sending encoded traffic to its C2 server at a fixed IP address over port 443. The use of encoded, non-SSL traffic on that port is unusual and helps the malware avoid detection tools that expect standard HTTPS on that port. The RAT then pulls down follow-up files through the same C2 channel to prepare the system for the next stage of the attack. NetSupport RAT Deployed as Persistent Follow-Up Payload The second stage delivers a malicious NetSupport Manager RAT package via a CAB file that is fetched and extracted to the system. A batch script called token.bat handles the extraction and installation, while a VBScript file called processor.vbs triggers the batch script. Together, these components install the NetSupport RAT and configure it to run automatically whenever the system restarts. Defenders are advised to monitor for unusual PowerShell execution tied to browser events, as this is a clear sign of the ClickFix technique being abused. Blocking access to suspicious or newly registered domains can also reduce the overall risk. Security teams should watch for encoded traffic over port 443 that does not follow normal SSL/TLS patterns, as this is a known behavior of the initial RAT in this chain. Since the domains and file hashes used in this campaign rotate daily, checking the @monitorsg feed on Mastodon is recommended for the latest indicators. Indicators of Compromise (IoCs):- Type Indicator Description URL hxxps[:]//hiddenplanetlab[.]top/signin/secure-util.js SmartApeSG malicious URL observed May 27, 2026 URL hxxps[:]//hiddenplanetlab[.]top/signin/private-template?c66kjD5i SmartApeSG malicious URL observed May 27, 2026 URL hxxps[:]//hiddenplanetlab[.]top/signin/legacy-worker.js?18b3825af007e53d SmartApeSG malicious URL observed May 27, 2026 IP Address 178.156.165[.]82 ClickFix script C2 traffic IP Address 178.156.173[.]194 ClickFix script C2 traffic URL hxxps[:]//silverharvestnetwork[.]com/check ClickFix script C2 traffic; also hosts initial RAT ZIP archive IP Address 89.110.110[.]119:443 Initial RAT C2 server (TCP port 443, encoded traffic) IP Address 185.163.47[.]217:443 NetSupport RAT C2 server SHA256 1514b1268e9dc6d2f37137aa38c756cb4bf8186ac9235d6863b78e7f8bbbe976 ZIP archive containing initial RAT software package SHA256 469bac8e10f50263e8ff0806e6ba126bb4cc660799129a8653eab3f8ec7201e5 processor.vbs — initial VBScript that runs token.bat SHA256 9c7eda2c4d3aaa8746495741bef57a07de180f0409409faf0f91658e88ba33f5 token.bat — batch script that installs and persists NetSupport RAT SHA256 7ba5481c873bb3081442561f749f590badd72ef249fddfe993e30b28dc0c2112 setup.cab — CAB file containing malicious NetSupport RAT package File Path C:\ProgramData\processor.vbs Initial VBScript dropped on infected host File Path C:\ProgramData\token.bat Batch script dropped on infected host File Path C:\ProgramData\setup.cab CAB archive dropped on infected host File Path C:\ProgramData\UpdateInstaller\ Extraction directory for NetSupport RAT contents Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Veeam Backup & Replication Tool Vulnerability Enables Privilege Escalation Attacks Hackers Use Grandoreiro Malware to Target Portuguese Banks and Latin American Companies Gitea Container Vulnerability Exposes Private Container Images to Attackers Multiple Angular Language Service Extension Vulnerabilities Enable RCE Attacks MicrosoftSystem64 Malware Uses HuggingFace Datasets for Stealthy Data Exfiltration Latest News Cyber Security News Iranian Hackers Abuse AppDomainManager Hijacking to Evade EDR Detection Cyber Security News SideCopy Hackers Deploy Persistent XenoRAT Malware to Target Afghanistan Finance Ministry Cyber Security News Critical Plesk Vulnerability Let Users Execute Arbitrary Commands on the Server Cyber Security News Iran-Linked Hackers Destroy IT, Backups, and Recovery Systems in Cyberattack targeting Middle East Cyber Security News New DriveSurge Threat Actor Uses ClickFix and Fake Updates to Infect Website Visitors
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 01, 2026
    Archived
    Jun 01, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗