SmartApeSG Campaign Exploits ClickFix Scripts to Deploy Remote Access Malware
The SmartApeSG campaign, also known as ZPHP or HANEY MANEY, has resurfaced with a sophisticated method to infiltrate Windows systems using ClickFix scripts. This technique deceives users into executing malicious commands, leading to the installation of remote access tools (RATs) that grant attackers full control over compromised machines.
Evolution of the SmartApeSG Campaign
Initially identified in June 2024, the SmartApeSG campaign used fake browser update pages to distribute malware. By November 2025, the attackers had shifted to ClickFix techniques, presenting users with counterfeit CAPTCHA pages that prompted them to complete a verification step. This evolution made the lures more convincing and the attacks harder to detect. ([cybersecuritynews.com](https://cybersecuritynews.com/smartapesg-campaign-leverages-clickfix-technique/?utm_source=openai))
Mechanics of the ClickFix Technique
The ClickFix method involves injecting malicious scripts into legitimate but compromised websites. When users visit these sites, they encounter a fake verification page, often resembling a CAPTCHA. The page instructs them to paste and run a command, typically in the Windows Run dialog (Win+R). Unbeknownst to the user, this single action starts a multi-stage infection process, so the most useful detection points are the execution of the pasted command and the artifacts it leaves behind. ([cybersecuritynews.com](https://cybersecuritynews.com/smartapesg-clickfix-campaign-delivers-remcos/?utm_source=openai))
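Because the article describes the command being run from the Windows Run dialog, one place a responder can look for evidence of a ClickFix execution is the user's Run history, stored in the RunMRU registry key. The following is an added example (not from the article or any of the cited reports) that lists those entries and flags ones matching a heuristic pattern; the pattern list is an assumption and should be tuned to the environment.

```powershell
# Added example (not from the article): review the Windows Run dialog history
# (RunMRU) for commands that resemble a pasted ClickFix one-liner.
# Assumptions: run in the context of the user being examined; the regex is a
# heuristic, not a signature for this specific campaign.
function Get-SuspiciousRunMru {
    $runMru = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    # Interpreters, downloaders and obfuscation hints commonly seen in pasted commands.
    $suspicious = '(?i)powershell|pwsh|mshta|\bcmd\b|curl|certutil|bitsadmin|wscript|cscript|rundll32|msiexec|-enc|\biex\b|Invoke-Expression|https?:'

    if (-not (Test-Path $runMru)) {
        Write-Output 'No RunMRU key found for this user.'
        return
    }

    $key = Get-Item $runMru
    # MRUList holds the slot letters in most-recently-used order.
    $order = ([string]$key.GetValue('MRUList')).ToCharArray()

    foreach ($slot in $order) {
        $raw = $key.GetValue([string]$slot)
        if (-not $raw) { continue }
        # Each entry is stored as "<command>\1"; strip the trailing marker.
        $command = $raw -replace '\\1$', ''
        $flag = if ($command -match $suspicious) { 'SUSPICIOUS' } else { 'ok' }
        [pscustomobject]@{ Slot = [string]$slot; Flag = $flag; Command = $command }
    }
}

Get-SuspiciousRunMru | Format-Table -AutoSize
```

Entries flagged here should be correlated with process creation logs (for example, a console host or script interpreter spawned by explorer.exe around the same time) before being treated as confirmed.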
Infection Chain and Payloads
Upon execution of the ClickFix script, the following sequence unfolds:
1. Initial RAT Deployment: The script downloads and runs an initial remote access tool (RAT) that establishes a connection with the attacker’s command and control (C2) server over TCP port 443. This traffic is often encoded to blend with regular web communications. ([cybersecuritynews.com](https://cybersecuritynews.com/smartapesg-campaign-leverages-clickfix-technique/?utm_source=openai))
2. Secondary Payload Installation: The initial RAT fetches additional malware, such as NetSupport Manager RAT, a legitimate remote support tool repurposed for malicious intent. This tool provides attackers with comprehensive control over the infected system. ([cybersecuritynews.com](https://cybersecuritynews.com/smartapesg-campaign-leverages-clickfix-technique/?utm_source=openai))
3. Persistence Mechanisms: To maintain access, the malware creates shortcuts in the Start Menu that execute scripts stored in the AppData\Local\Temp directory. These scripts launch the RAT executable located in the C:\ProgramData\ directory, ensuring the malware remains active even after system reboots. ([cybersecuritynews.com](https://cybersecuritynews.com/smartapesg-campaign-leverages-clickfix-technique/?utm_source=openai))
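The persistence step above leaves a concrete artifact: Start Menu shortcuts whose target or arguments point into AppData\Local\Temp or C:\ProgramData. The following is an added example (not from the article or the cited reports) that enumerates Start Menu shortcuts for the current user and all users and reports any that launch from those locations; the path heuristic is an assumption and will also surface benign installers that use ProgramData.

```powershell
# Added example (not from the article): hunt for Start Menu shortcuts that
# execute content from AppData\Local\Temp or ProgramData, the locations the
# reporting associates with this campaign's persistence.
# Assumptions: run on the host under examination; the path pattern is a heuristic.
function Find-SuspiciousStartMenuShortcut {
    $startMenus = @(
        [Environment]::GetFolderPath('StartMenu'),       # per-user Start Menu
        [Environment]::GetFolderPath('CommonStartMenu')  # all-users Start Menu
    )
    # Match either location in the target path or in the arguments (e.g. a
    # script path passed to wscript.exe or powershell.exe).
    $riskyPath = '(?i)\\AppData\\Local\\Temp\\|\\ProgramData\\'
    $shell = New-Object -ComObject WScript.Shell

    foreach ($root in $startMenus) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                $launch = "$($lnk.TargetPath) $($lnk.Arguments)"
                if ($launch -match $riskyPath) {
                    [pscustomobject]@{
                        Shortcut  = $_.FullName
                        Target    = $lnk.TargetPath
                        Arguments = $lnk.Arguments
                        Created   = $_.CreationTime
                    }
                }
            }
    }
}

Find-SuspiciousStartMenuShortcut | Format-Table -AutoSize
```

A hit is a lead, not a verdict: compare the shortcut's creation time with the user's Run history and process logs, and inspect the referenced script and executable before removing them.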
Advanced Techniques and Evasion
The SmartApeSG campaign employs several advanced techniques to evade detection:
– DLL Side-Loading: A trusted, legitimate executable is shipped alongside a malicious DLL that it loads at start-up, so the harmful code runs under the name of a trusted process and is harder for security tools to attribute to malware. ([cybersecuritynews.com](https://cybersecuritynews.com/smartapesg-clickfix-campaign-delivers-remcos/?utm_source=openai))
– Steganography: Malicious code is concealed within seemingly innocuous images, such as fake Windows Update screens. Because the payload is carried inside image data rather than an executable file, it can slip past security controls that only inspect executables. ([cybersecuritynews.com](https://cybersecuritynews.com/fake-windows-security-update-screen/?utm_source=openai))
– Clipboard Hijacking: The ClickFix technique manipulates the user’s clipboard, copying malicious commands that the user unknowingly executes. This approach exploits human interaction to circumvent automated security systems. ([cybersecuritynews.com](https://cybersecuritynews.com/weaponized-google-meet-clickfix/?utm_source=openai))
Targeted Sectors and Impact
The SmartApeSG campaign has primarily targeted sectors such as cryptocurrency, Web3 professionals, financial institutions, and e-commerce platforms. By deploying multiple malware strains, including Remcos RAT, NetSupport RAT, StealC, and Sectop RAT, attackers aim to maximize damage from a single user mistake. ([cybersecuritynews.com](https://cybersecuritynews.com/smartapesg-clickfix-campaign-delivers-remcos/?utm_source=openai))
The impact of these infections is severe, granting attackers access to critical credentials, financial assets, and the ability to monitor user activity. This access can lead to data theft, financial loss, and further exploitation of compromised networks. ([cybersecuritynews.com](https://cybersecuritynews.com/clickfix-infostealer-campaign/?utm_source=openai))
Recommendations for Mitigation
To defend against the SmartApeSG campaign and similar threats, organizations and individuals should implement the following measures:
1. User Education: Train users to recognize and avoid suspicious prompts, especially those instructing them to execute commands or download files from untrusted sources.
2. Network Protections: Implement network-level defenses to block connections to known malicious domains and IP addresses associated with the campaign.
3. Endpoint Security: Deploy advanced endpoint detection and response (EDR) solutions capable of identifying and mitigating sophisticated malware techniques, such as DLL side-loading and steganography.
4. Regular Updates: Ensure all systems and software are up to date with the latest security patches to reduce the vulnerabilities attackers might exploit.
5. Monitor for Anomalies: Continuously monitor network and system activity for unusual behavior, such as unexpected clipboard activity or unauthorized remote access sessions.
By staying informed about evolving threats like the SmartApeSG campaign and adopting proactive security measures, organizations can better protect their systems and data from sophisticated cyberattacks.