SmartApeSG ClickFix Campaign Delivering Remcos RAT
The SmartApeSG campaign is using compromised legitimate websites to inject malicious JavaScript that presents a fake CAPTCHA and ClickFix-style instructions, tricking users into opening the Windows Run dialog, pasting a clipboard-loaded command, and executing the next stage themselves. In the observed infection chain, the payload was delivered as a ZIP archive disguised with a .pdf extension, then executed via DLL side-loading to install Remcos RAT and establish persistence through a Windows Registry modification. The reporting ties this activity to infrastructure and indicators previously associated with SmartApeSG, also tracked as ZPHP and HANEYMANEY.
A separate report on a new ClickFix variant is relevant because it documents the same broader social-engineering delivery technique, but with a different infection chain: a fake CAPTCHA leads victims to run a command that maps a remote WebDAV share using net use, launches update.cmd, downloads a ZIP archive, and executes a trojanized WorkFlowy application containing malicious logic in an .asar archive that acts as both a C2 beacon and dropper. Other references describe unrelated APT campaigns, malware families, or vendor detection updates and do not cover the SmartApeSG/Remcos activity itself.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
SmartApeSG maintains ClickFix tradecraft for months
SANS reported that the SmartApeSG campaign had been using consistent ClickFix-style social engineering and related delivery techniques for months, even as specific indicators changed over time.
Atos finds ClickFix variant evaded Defender and required threat hunting
Atos reported that the newly identified ClickFix execution flow bypassed Microsoft Defender for Endpoint and was detected only through targeted threat hunting. Investigators focused on suspicious commands launched from the Explorer Run dialog and artifacts recorded in the RunMRU registry key.
Atos identifies new ClickFix variant using WebDAV and trojanized WorkFlowy
Atos researchers identified a new ClickFix variant that used a Windows Run dialog command to map a remote WebDAV share with "net use" and execute a hosted batch file. The batch file downloaded a ZIP from 94.156.170.255, extracted it to %LOCALAPPDATA%\MyApp, and launched a trojanized WorkFlowy Electron app with malicious logic hidden in app.asar.
Lab observes SmartApeSG ClickFix infection delivering Remcos RAT
On 2026-03-11, analysts observed a SmartApeSG infection chain in a lab in which compromised legitimate websites served a fake CAPTCHA prompt that copied a malicious command for execution via the Windows Run dialog. The chain retrieved an HTA file and a ZIP archive disguised as a PDF, then appeared to install Remcos RAT via DLL side-loading and add persistence through a Windows Registry change.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
SmartApeSG ClickFix Campaign Delivers Remcos, NetSupport, StealC, and Sectop RAT
Researchers documented a **SmartApeSG** malware campaign using fake CAPTCHA pages and the **ClickFix** social-engineering technique to trick victims into launching an initial script that led to a multi-stage infection. In observed intrusions, **Remcos RAT** executed first, followed within minutes by **NetSupport RAT**, then **StealC**, and later **Sectop RAT** identified as **ArechClient2**. The activity relied on compromised web infrastructure, rotating delivery domains, attacker-controlled command-and-control servers, and multiple payload packages, with several stages using **DLL side-loading** through legitimate executables while NetSupport RAT was deployed as a legitimate remote administration tool configured for malicious control. Separate analysis tied **Sectop RAT / ArechClient2** to additional follow-on infections, including a chain where a victim seeking cracked software downloaded a password-protected archive that installed **Lumma Stealer** before fetching a 64-bit DLL from `enotsosun[.]pw` and executing it via `rundll32` using the `LoadForm` export. Investigators reported concrete indicators including malware hashes, filenames, persistence artifacts, malicious URLs, and network traffic from Sectop RAT to `91.92.241[.]102` over ports `9000` and `443`, reinforcing that ArechClient2 is being used across varied delivery lures as part of broader credential theft and remote-access operations.
Jun 1, 2026
ClickFix Social Engineering Drives Multi-Platform Malware Delivery
Security researchers reported multiple active campaigns using **ClickFix** social engineering—fake error dialogs or verification prompts that trick users into manually running attacker-supplied commands—to bypass browser and download protections and establish an initial foothold. In one enterprise case investigated by **CERT Polska (cert.pl)**, victims were lured via compromised websites showing a fake CAPTCHA/“fix” prompt that instructed them to paste and run a **PowerShell** command via `Win+R`; the script then downloaded a dropper and enabled rapid follow-on activity that can scale to **enterprise-wide compromise**, including deployment of secondary malware such as **Latrodectus** and **Supper** for data theft, lateral movement, and potential ransomware staging. A separate ClickFix operation targeted **macOS developers** by cloning the *Homebrew* site on typosquatted infrastructure; the “install” command was subtly altered to fetch content from `raw.homabrews.org` instead of `raw.githubusercontent.com`, leading to **Cuckoo Stealer** deployment and credential harvesting via repeated password prompts using macOS Directory Services, with related domains tied to shared hosting at **`5.255.123.244`**. ClickFix was also observed as the initial execution mechanism for the resurfaced **Matanbuchus 3.0** MaaS loader, which uses deceptive copy/paste prompts and **silent MSI** execution (via `msiexec`) to deliver a new payload, **AstarionRAT**, enabling capabilities including credential theft and **SOCKS5** proxying; operators were reported to move laterally quickly (including toward domain controllers), consistent with ransomware or data-exfiltration objectives.
Mar 21, 2026
ClickFix Campaigns Deliver Modular RATs, Banking Trojans, and macOS Stealers
Researchers reported multiple **ClickFix** campaigns using fake CAPTCHA or reCAPTCHA prompts to trick users into manually running malicious commands, with payloads tailored by platform and victim profile. On Windows, one campaign delivered a modular NodeJS-based RAT and infostealer through a malicious MSI installer, loading key capabilities only in memory after command-and-control was established and using `gRPC` over Tor for persistent communications. An operational security failure exposed the malware’s backend protocol definitions and admin panel API, revealing a malware-as-a-service operation with multi-operator support, Telegram alerts, automation rules, and cryptocurrency wallet tracking. The malware also fingerprinted victims extensively and established persistence through the Windows Run registry key as **LogicOptimizer**. A separate ClickFix chain attributed with high confidence to **Grandoreiro** targeted users of eight Brazilian banks by luring victims through a fake reCAPTCHA page and launching a malicious PowerShell sequence that sideloaded a Delphi banking trojan with legitimate GoToMeeting and Nero binaries. The malware deployed banking overlays, intercepted **PIX** QR-code payments, added Microsoft Defender exclusions, and stole credentials, device information, signatures, and payment confirmation codes. Netskope also documented a macOS variant that used AppleScript and a persistent fake password dialog to harvest Keychain data, browser cookies, saved credentials, extension storage, and cryptocurrency wallet data; the theft of live session cookies can enable attackers to bypass MFA by hijacking authenticated sessions.
May 1, 2026