{"id":11338,"date":"2026-03-14T04:04:18","date_gmt":"2026-03-14T04:04:18","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/03\/14\/32796\/"},"modified":"2026-03-14T04:04:18","modified_gmt":"2026-03-14T04:04:18","slug":"32796","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/03\/14\/32796\/","title":{"rendered":"SmartApeSG campaign uses ClickFix page to push Remcos RAT, (Sat, Mar 14th)"},"content":{"rendered":"

SmartApeSG campaign uses ClickFix page to push Remcos RAT, (Sat, Mar 14th)
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Introduction<\/strong><\/em><\/p>\n

This diary describes a Remcos RAT infection that I generated in my lab on Thursday, 2026-03-11. This infection was from the SmartApeSG campaign that used a ClickFix-style fake CAPTCHA page.<\/p>\n

My previous in-depth diary about a SmartApeSG (ZPHP, HANEYMANEY)\u00a0was in November 2025<\/a>, when I saw NetSupport Manager RAT. Since then, I’ve fairly consistently seen what appears to be Remcos RAT from this campaign.<\/p>\n

Finding SmartApeSG Activity<\/strong><\/em><\/p>\n

As previously noted, I find SmartApeSG indicators from the Monitor SG account<\/a> on Mastodon, and I use URLscan<\/a> to pivot on those indicators to find compromised websites with injected SmartApeSG script.<\/p>\n

Details<\/strong><\/em><\/p>\n

Below is an image of HTML in a page from a legitimate but compromised website that shows the injected SmartApeSG script.<\/p>\n

\"\"<\/a>
\nShown above: Page from a legitimate but compromised site that highlights the injected SmartApeSG script.<\/em><\/p>\n

The injected SmartApeSG script generates a fake CAPTCHA-style “verify you are human” page, which displays ClickFix-style instructions after checking a box on the page. A screenshot from this infection is shown below, and it notes the ClickFix-style script injected into the user’s clipboard. Users are instructed to open a run window, paste the script into it, and hit the Enter key.<\/p>\n

\"\"<\/a>
\nShown above: Fake CAPTCHA page generated by a legitimate but compromised site, showing the ClickFix-style command.<\/em><\/p>\n

I used Fiddler to reveal URLS from the HTTPS traffic, and I recorded the traffic and viewed it in Wireshark. Traffic from the infection chain is shown in the image below.<\/p>\n

\"\"<\/a>
\nShown above: Traffic from the infection in Fiddler and Wireshark.<\/em><\/p>\n

After running the ClickFix-style instructions, the malware was sent as a ZIP archive and saved to disk with a .pdf<\/span> file extension. This appears to be Remcos RAT in a malicious package that uses DLL side-loading to run the malware. This infection was made persistent with an update to the Windows Registry.<\/p>\n

\"\"<\/a>
\nShown above: Malware from the infection persistent on an infected Windows host.<\/em><\/p>\n

Indicators of Compromise<\/strong><\/em><\/p>\n

Injected SmartApeSG script injected into page from legitimate but compromised site:<\/p>\n