Introduction<\/strong><\/em><\/p>\n This diary describes a NetSupport RAT infection I generated in my lab from the SmartApeSG campaign that used a ClickFix-style fake CAPTCHA page.<\/p>\n Known as\u00a0ZPHP or HANEYMANEY,\u00a0SmartApeSG is a campaign\u00a0reported as early as June 2024<\/a>. When it started, this campaign used fake browser update pages. But it currently uses the ClickFix method<\/a> of fake CAPTCHA-style “verify you are human” pages.<\/p>\n This campaign pushes malicious NetSupport RAT<\/a>\u00a0packages for its initial malware infection, and I’ve seen follow-up malware<\/a>\u00a0from these NetSupport RAT infections.<\/p>\n How To Find SmartApeSG Activity<\/strong><\/em><\/p>\n I can usually find SmartApeSG indicators from the Monitor SG account<\/a> on Mastodon. I use URLscan<\/a> to pivot on those indicators, so I can find compromised websites that lead to the SmartApeSG script.<\/p>\n The Infection<\/strong><\/em><\/p>\n Sites compromised through this campaign display pages with a hidden injected script. Given the right conditions, this script kicks off a SmartApeSG chain of events. The image below shows an example.<\/p>\n In some cases, this injected script does not kick off the infection chain. I’ve had issues getting an infection chain during certain times of day, or if I try viewing the compromised website multiple times from the same source IP address. I don’t know what the conditions are, but if those conditions are right, the compromised site shows a fake CAPTCHA-style “verify you are human” page.<\/p>\n Clicking the “verify you are human” box does the following:<\/p>\n The clipboard-injected content is a command string that uses the mshta<\/span> command to retrieve and run malicious content that will generate a NetSupport RAT infection.<\/p>\n Below is a URL list of the HTTPS traffic directly involved in this infection.<\/p>\n The malicious NetSupport RAT package stays persistent on the infected host through a Start Menu shortcut. The shortcut runs a .js<\/span> file in the user’s AppDataLocalTemp<\/span> directory. That .js<\/span> file runs the NetSupport RAT executable located in a folder under the C:ProgramData<\/span> directory.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2025-11-12-ISC-diary-image-01.png?ssl=1\")
<\/a>
\nShown above: Injected SmartApeSG script in a page from the compromised site.<\/em><\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2025-11-12-ISC-diary-image-02.png?ssl=1\")
<\/a>
\nShown above:\u00a0Fake CAPTCHA page displayed by the compromised site.<\/em><\/p>\n\n
![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2025-11-12-ISC-diary-image-03.png?ssl=1\")
<\/a>
\nShown above: Following ClickFix directions to paste content (a malicious command) into the Run window.<\/em><\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2025-11-12-ISC-diary-image-04.png?ssl=1\")
<\/a>
\nShown above: HTTPS traffic directly involved in this SmartApe SG activity.<\/em><\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2025-11-12-ISC-diary-image-05.png?ssl=1\")
<\/a>
\nShown above: Traffic from the infection filtered in Wireshark.<\/em><\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2025-11-12-ISC-diary-image-06.png?ssl=1\")
<\/a>