{
	"id": "ae6449c6-466e-41bb-8300-ec50fb330733",
	"created_at": "2026-05-05T02:45:39.354859Z",
	"updated_at": "2026-05-05T02:46:36.767948Z",
	"deleted_at": null,
	"sha1_hash": "6e87d4da64bba7592c5550aee312b80f95b888f8",
	"title": "SmartApeSG",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 412567,
	"plain_text": "SmartApeSG\r\nBy Jonathan Mccay\r\nPublished: 2023-10-26 · Archived: 2026-05-05 02:06:10 UTC\r\nSmartApeSG (ZPHP, HANEYMANEY) is a threat actor that uses fake browser updates to distribute Netsupport RAT. Often confused with SocGholish, this group uses a similar-looking infection chain and fake update lure.\r\nWhen Trellix¹ first reported the earlier techniques used by this group, the activity was unattributed. After researchers noticed that this threat actor continually uses the SmartApe ASN to host its infrastructure and delivers malicious JavaScript through fake browser updates like SocGholish, the name SmartApeSG was given.\r\nSite Inject:\r\nA script tag injected into a compromised site is used to call the first script from the threat actor’s infrastructure.\r\nCompromised Site Inject\r\nMinlen.php:\r\nMinlen.php is responsible for browser validation and payload delivery. If the host was sent to this site from an acceptable referrer and is using the correct browser (Firefox, Chrome, or Edge), a JavaScript payload is returned.\r\nJavaScript Payload — (delivered by Minlen.php)\r\nThe JavaScript payload delivered by minlen.php is used to construct the iframe needed to display the fake update lure. Minlen.php will also reach out to another script on the same server (qzwewmrqqqqnaww.php) to retrieve the HTML displayed in the iframe.\r\nOld JavaScript payload\r\nAn older sample of the JavaScript payload delivered by minlen.php shows an iframe being built to display code returned by zwewmrqqqqnaww.php.\r\nhttps://medium.com/walmartglobaltech/smartapesg-4605157a5b80\r\nPage 1 of 6\r\nOlder JavaScript payload\r\nUpdated JavaScript payload\r\nThe latest version of this script has an additional layer of obfuscation added but appears to perform the same function.\r\nObfuscated JavaScript payload\r\nqzwewmrqqqqnaww.php — Retrieve HTML:\r\nReturns the HTML for the lure, which includes the JavaScript “update.zip” encoded in base64.\r\nBase64 encoded .zip\r\nChrome Lure (Fake Update):\r\nSmartApeSG — Fake Update\r\nJavaScript — “Update”:\r\nIf the user clicks the “Update Chrome” button, a .zip containing JavaScript will be base64 decoded and downloaded to the host.\r\nExtracted .zip\r\nUpdate_browser_10.6336.js\r\nIf the JavaScript is executed, another script (help.php) will be contacted to retrieve and execute an additional PowerShell command.\r\nhelp.php\r\nThe PowerShell returned by help.php will create a Run key in HKCU to set up persistence, contact another script (111.php) to download and decode the Netsupport binaries, and execute them.\r\nPowerShell — Download \u0026 Execute\r\n111.php\r\nReturns a base64 encoded .zip file of the Netsupport binaries. After the encoded binary is returned, the PowerShell command will complete the infection.\r\nNetsupport:\r\nNetsupport — Client32.ini\r\nURI \u0026 Script Names\r\n/cdn-js/wds.min.php\r\n/cdn-js/wds-main.php\r\n/cdn/zwmrqqgqnaww.php\r\n/cdn/qzwewmrqqgqnaww.php\r\n/cdn/zwewmrqqgqnaww.php\r\n/cdn-js/minlen.php\r\n/cdn-vs/minlen.php\r\n/cdn/help.php\r\n/cdn/91c818ee6e9ec29f8c1.php\r\n/cdn/xxx.php\r\n/cdn/www.php\r\n/assets/js/css.js\r\n/cgi-bin.js\r\nHKCU — Run Key\r\nDIVX\r\nDIVXX\r\nSmartApeSG:\r\nSmartApeSG — Netsupport:\r\nReferences\r\n1: https://www.trellix.com/about/newsroom/stories/research/new-techniques-of-fake-browser-updates/\r\nSource: https://medium.com/walmartglobaltech/smartapesg-4605157a5b80",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/walmartglobaltech/smartapesg-4605157a5b80"
	],
	"report_names": [
		"smartapesg-4605157a5b80"
	],
	"threat_actors": [],
	"ts_created_at": 1777949139,
	"ts_updated_at": 1777949196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6e87d4da64bba7592c5550aee312b80f95b888f8.pdf",
		"text": "https://archive.orkl.eu/6e87d4da64bba7592c5550aee312b80f95b888f8.txt",
		"img": "https://archive.orkl.eu/6e87d4da64bba7592c5550aee312b80f95b888f8.jpg"
	}
}