6 malware families

SmartApeSG

Also known assmartapesg

SmartApeSG is a malware delivery campaign, also tracked as ZPHP and HANEYMANEY, that uses ClickFix-style social engineering to infect Windows users. The campaign injects malicious scripts into legitimate but compromised websites and redirects visitors to fake CAPTCHA or human-verification pages that instruct victims to paste clipboard-injected commands into the Windows Run dialog. Reported payloads delivered by SmartApeSG include Remcos RAT, NetSupport RAT/NetSupport Manager RAT, StealC, and Sectop RAT (ArechClient2). Multiple reports describe the use of password-protected ZIP archives, HTA downloaders, and DLL side-loading via legitimate executables. Observed persistence mechanisms include Windows Registry modifications and scheduled tasks. The campaign has been documented from at least late 2025 through 2026, including activity using the finger command and repeated ClickFix lures. The provided content does not attribute SmartApeSG to a specific nation state.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

31 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

9 of 15 tactics44 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

3 techniques

T1189×7

Drive-by Compromise

T1195

Supply Chain Compromise

T1566

Phishing

T1566.003

Spearphishing via Service

TA0002

Execution

3 techniques

T1053

Scheduled Task/Job

T1053.005×2

Scheduled Task

T1059

Command and Scripting Interpreter

T1059.001×4

PowerShell

T1059.003×3

Windows Command Shell

T1059.005×2

Visual Basic

T1059.007

JavaScript

T1204×8

User Execution

T1204.002×5

Malicious File

T1204.004

Malicious Copy and Paste

TA0003

Persistence

4 techniques

T1053

Scheduled Task/Job

T1053.005×2

Scheduled Task

T1112

Modify Registry

T1505

Server Software Component

T1505.003

Web Shell

T1547

Boot or Logon Autostart Execution

T1547.001×2

Registry Run Keys / Startup Folder

TA0004

Privilege Escalation

3 techniques

T1053

Scheduled Task/Job

T1053.005×2

Scheduled Task

T1055

Process Injection

T1547

Boot or Logon Autostart Execution

T1547.001×2

Registry Run Keys / Startup Folder

TA0005

Stealth

6 techniques

T1027

Obfuscated Files or Information

T1027.003

Steganography

T1036×2

Masquerading

T1055

Process Injection

T1070

Indicator Removal

T1070.004

File Deletion

T1218

System Binary Proxy Execution

T1218.005×3

Mshta

T1497

Virtualization/Sandbox Evasion

TA0112

Defense Impairment

1 technique

T1112

Modify Registry

TA0007

Discovery

1 technique

T1497

Virtualization/Sandbox Evasion

TA0009

Collection

2 techniques

T1115

Clipboard Data

T1560

Archive Collected Data

TA0011

Command and Control

4 techniques

T1071×7

Application Layer Protocol

T1071.001

Web Protocols

T1095

Non-Application Layer Protocol

T1105×3

Ingress Tool Transfer

T1219

Remote Access Tools

ARSENAL

Associated malware families

6 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

NetSupport RATThe campaign, active as recently as March 24, 2026, delivered four separate malware payloads to a single infected host in one session: Remcos RAT, NetSupport RAT, StealC, and Sectop RAT, also known as ArechClient2.4Mar 25, 2026

StealCThe campaign, active as recently as March 24, 2026, delivered four separate malware payloads to a single infected host in one session: Remcos RAT, NetSupport RAT, StealC, and Sectop RAT, also known as ArechClient2.4Mar 25, 2026

RemcosSmartApeSG campaign uses ClickFix page to push Remcos RAT3May 26, 2026

SectopRATOperators connect via C2, run system reconnaissance, and can drop SectopRAT as a secondary payload.3Mar 8, 2026

NetSupport Manager RATMy previous in-depth diary about a SmartApeSG (ZPHP, HANEYMANEY) was in November 2025, when I saw NetSupport Manager RAT.1Mar 14, 2026

1 additional family tracked in Mallory.

IOCS

Observables

49 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

49 IOCsView more in app

uri

19 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+11

hash.sha256

11 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+3

ip.v4

10 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+2

Domains

9 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru••••••••••••.com••••••.ru+1

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app

sans iscNews

Jun 1, 2026

Unidentified RAT pushes NetSupport RAT - SANS ISC

ClickFix campaign delivering an unidentified initial RAT followed by a malicious NetSupport Manager RAT package, with changing daily indicators and C2 infrastructure.

malware traffic analysis blogNews

Apr 23, 2026

Malware-Traffic-Analysis.net - 2026-04-23: SmartApeSG activity

SmartApeSG is described conducting a fake CAPTCHA / ClickFix infection chain using compromised websites, redirector infrastructure, a password-protected ZIP archive, DLL side-loading, and persistence via Windows Registry updates and scheduled tasks.

malware traffic analysis blogNews

Apr 6, 2026

Malware-Traffic-Analysis.net - 2026-04-06: SmartApeSG activity

Activity cluster associated with injected scripts on compromised websites, fake CAPTCHA pages using ClickFix instructions, and malware delivery leading to persistence on infected Windows hosts.

cyber security newsNews

Mar 25, 2026

SmartApeSG ClickFix Campaign Delivers Remcos, NetSupport RAT, StealC and Sectop RAT

A malware delivery campaign using ClickFix fake CAPTCHA social engineering on compromised websites to trick users into manually executing malicious scripts, resulting in staged delivery of multiple payloads including Remcos RAT, NetSupport RAT, StealC, and Sectop RAT.

+5 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping31

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal6

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables49

Domains, IPs, and hashes tied to this actor, refreshed continuously.