{
	"id": "990bcbd0-984d-49ae-b1db-2d6386bfb384",
	"created_at": "2026-04-06T00:14:51.695157Z",
	"updated_at": "2026-04-10T13:13:00.055824Z",
	"deleted_at": null,
	"sha1_hash": "f34f88d238237f10833e9e565e772908d54ef5c9",
	"title": "SmartApeSG campaign uses ClickFix page to push NetSupport RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1182353,
	"plain_text": "SmartApeSG campaign uses ClickFix page to push NetSupport RAT\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-06 00:02:58 UTC\r\nIntroduction\r\nThis diary describes a NetSupport RAT infection I generated in my lab from the SmartApeSG campaign that used a ClickFix-style fake CAPTCHA page.\r\nAlso known as ZPHP or HANEYMANEY, SmartApeSG is a campaign reported as early as June 2024. When it started, this campaign used fake browser update pages. But it currently uses the ClickFix method of fake CAPTCHA-style \"verify you are human\" pages.\r\nThis campaign pushes malicious NetSupport RAT packages for its initial malware infection, and I've seen follow-up malware from these NetSupport RAT infections.\r\nHow To Find SmartApeSG Activity\r\nI can usually find SmartApeSG indicators from the Monitor SG account on Mastodon. I use URLscan to pivot on those indicators, so I can find compromised websites that lead to the SmartApeSG script.\r\nThe Infection\r\nSites compromised through this campaign display pages with a hidden injected script. Given the right conditions, this script kicks off a SmartApeSG chain of events. The image below shows an example.\r\nhttps://isc.sans.edu/diary/32474\r\nPage 1 of 5\r\nShown above: Injected SmartApeSG script in a page from the compromised site.\r\nIn some cases, this injected script does not kick off the infection chain. I've had issues getting an infection chain during certain times of day, or if I try viewing the compromised website multiple times from the same source IP address. I don't know what the conditions are, but if those conditions are right, the compromised site shows a fake CAPTCHA-style \"verify you are human\" page.\r\nShown above: Fake CAPTCHA page displayed by the compromised site.\r\nClicking the \"verify you are human\" box does the following:\r\nInjects malicious content into the Windows host's clipboard\r\nGenerates a pop-up with instructions to open a Run window, paste content into the window, and run it.\r\nThe clipboard-injected content is a command string that uses the mshta command to retrieve and run malicious content that will generate a NetSupport RAT infection.\r\nShown above: Following ClickFix directions to paste content (a malicious command) into the Run window.\r\nBelow is a URL list of the HTTPS traffic directly involved in this infection.\r\nShown above: HTTPS traffic directly involved in this SmartApeSG activity.\r\nShown above: Traffic from the infection filtered in Wireshark.\r\nThe malicious NetSupport RAT package stays persistent on the infected host through a Start Menu shortcut. The shortcut runs a .js file in the user's AppData\\Local\\Temp directory. That .js file runs the NetSupport RAT executable located in a folder under the C:\\ProgramData\\ directory.\r\nShown above: The malicious NetSupport RAT package, persistent on an infected Windows host.\r\nIndicators From This Activity\r\nThe following URLs were noted in traffic from this infection:\r\nhxxps[:]//frostshiledr[.]com/xss/buf.js  \u003c-- injected SmartApeSG script\r\nhxxps[:]//frostshiledr[.]com/xss/index.php?iArfLYKw\r\nhxxps[:]//frostshiledr[.]com/xss/bof.js?0e58069bbdd36e9a36  \u003c-- fake CAPTCHA page/ClickFix instructions\r\nhxxps[:]//newstarmold[.]com/sibhl.php  \u003c-- Script retrieved by ClickFix command\r\nhxxps[:]//www.iconconsultants[.]com/4nnjson.zip  \u003c-- zip archive containing malicious NetSupport RAT package\r\nhxxp[:]//194.180.191[.]121/fakeurl.htm  \u003c-- NetSupport RAT C2 traffic over TCP port 443\r\nThe following is the zip archive containing the malicious NetSupport RAT package:\r\nSHA256 hash: 1e9a1be5611927c22a8c934f0fdd716811e0c93256b4ee784fadd9daaf2459a1\r\nFile size: 9,192,105 bytes\r\nFile type: Zip archive data, at least v1.0 to extract, compression method=store\r\nFile location: hxxps[:]//www.iconconsultants[.]com/4nnjson.zip\r\nSaved to disk as: C:\\ProgramData\\psrookk11nn.zip\r\nNote: These domains change on a near-daily basis, and the NetSupport RAT package and C2 server also frequently change.\r\n---\r\nBradley Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/diary/32474",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://isc.sans.edu/diary/32474"
	],
	"report_names": [
		"32474"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434491,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f34f88d238237f10833e9e565e772908d54ef5c9.pdf",
		"text": "https://archive.orkl.eu/f34f88d238237f10833e9e565e772908d54ef5c9.txt",
		"img": "https://archive.orkl.eu/f34f88d238237f10833e9e565e772908d54ef5c9.jpg"
	}
}