SmartApeSG ClickFix Campaign Delivers Remcos, NetSupport, StealC, and Sectop RAT
Researchers documented a SmartApeSG malware campaign that used fake CAPTCHA pages and the ClickFix social-engineering technique to trick victims into launching an initial script, which led to a multi-stage infection. In observed intrusions, Remcos RAT executed first, followed within minutes by NetSupport RAT, then StealC, and later Sectop RAT (ArechClient2). The activity relied on compromised web infrastructure, rotating delivery domains, attacker-controlled command-and-control servers, and multiple payload packages. Several stages used DLL side-loading through legitimate executables, while NetSupport RAT is a legitimate remote administration tool that was configured for malicious control.
Separate analysis tied Sectop RAT / ArechClient2 to additional follow-on infections, including a chain where a victim seeking cracked software downloaded a password-protected archive that installed Lumma Stealer before fetching a 64-bit DLL from enotsosun[.]pw and executing it via rundll32 using the LoadForm export. Investigators reported concrete indicators including malware hashes, filenames, persistence artifacts, malicious URLs, and network traffic from Sectop RAT to 91.92.241[.]102 over ports 9000 and 443, reinforcing that ArechClient2 is being used across varied delivery lures as part of broader credential theft and remote-access operations.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
SmartApeSG ClickFix chain seen delivering unidentified RAT then NetSupport RAT
On 2026-05-27, a SmartApeSG ClickFix infection chain was observed delivering an unidentified initial RAT that communicated with 89.110.110[.]119:443, followed by a malicious NetSupport Manager RAT package communicating with 185.163.47[.]217:443. The report identified lure and delivery infrastructure including hiddenplanetlab[.]top and silverharvestnetwork[.]com, plus installation and persistence files such as processor.vbs, token.bat, and setup.cab under C:\ProgramData.
Lumma Stealer infection chain seen delivering Sectop RAT
A separate malware infection chain was documented in which a user searching for cracked software downloaded a password-protected archive that installed Lumma Stealer, followed by a Sectop RAT (ArechClient2) DLL executed via rundll32. The report included C2 domains, malicious URLs, hashes, persistence details, and network traffic to 91.92.241[.]102 over ports 9000 and 443.
VMRay publishes analysis of ArechClient2 SectopRAT activity
VMRay released a report focused on ArechClient2 SectopRAT, adding technical analysis of this malware family and its behavior. The reference indicates public reporting on the malware by March 31, 2026.
SmartApeSG infection chain expands to multiple malware families
On March 24, 2026, Bradley Duncan documented a SmartApeSG infection in which a victim executing a ClickFix script received Remcos RAT first, then NetSupport RAT, followed by StealC and finally Sectop RAT (ArechClient2). The analysis also identified delivery infrastructure, C2 servers, hashes, and use of DLL side-loading for several payloads.
SmartApeSG observed using ClickFix to deliver Remcos RAT
A SmartApeSG campaign was observed using a fake CAPTCHA ClickFix page to infect victims and deliver Remcos RAT. Malware-Traffic-Analysis.net published supporting sample files for this infection chain tied to activity dated March 12, 2026.
Earlier SmartApeSG ClickFix campaign reported pushing NetSupport RAT
An earlier SANS ISC diary reported SmartApeSG using a ClickFix page to deliver NetSupport RAT, showing the campaign had already been using fake CAPTCHA lures before the March 2026 multi-malware chain. The exact activity date is not provided in the reference, so the publication date is used.
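The host and network indicators named in the summary and timeline above can be checked against endpoint telemetry. The following is an added example, not code from any of the referenced reports: the JSON-lines event format (`type`, `host`, `cmdline`, `path`, `dst_ip`, `dst_port`) and the DLL path in the sample are assumptions, and the sample events are constructed.

```python
import json
import re

# Indicators copied from this page, kept defanged as published.
C2_ENDPOINTS = {
    "89.110.110[.]119": {443},       # unidentified initial RAT
    "185.163.47[.]217": {443},       # NetSupport RAT package
    "91.92.241[.]102": {9000, 443},  # Sectop RAT (ArechClient2)
}
DROPPED_FILES = {"processor.vbs", "token.bat", "setup.cab"}  # under C:\ProgramData
# rundll32 calling the LoadForm export of a DLL
RUNDLL32_LOADFORM = re.compile(r"rundll32(\.exe)?\b.*[,\s]LoadForm\b", re.I)
# Refang (1.2.3[.]4 -> 1.2.3.4) only in memory, for matching.
C2 = {ip.replace("[.]", "."): ports for ip, ports in C2_ENDPOINTS.items()}

# Constructed sample telemetry in an assumed JSON-lines format.
SAMPLE = r'''
{"host": "ws-01", "type": "file", "path": "C:\\ProgramData\\token.bat"}
{"host": "ws-01", "type": "network", "dst_ip": "185.163.47.217", "dst_port": 443}
{"host": "ws-02", "type": "process", "cmdline": "rundll32.exe C:\\Users\\Public\\sample.dll,LoadForm"}
{"host": "ws-02", "type": "network", "dst_ip": "91.92.241.102", "dst_port": 9000}
{"host": "ws-03", "type": "process", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"}
'''

def match_event(event):
    """Return a finding string for one telemetry event, or None."""
    kind = event.get("type")
    if kind == "network":
        ports = C2.get(event.get("dst_ip", ""))
        if ports and event.get("dst_port") in ports:
            return f"c2-connection {event['dst_ip']}:{event['dst_port']}"
    elif kind == "process":
        if RUNDLL32_LOADFORM.search(event.get("cmdline", "")):
            return "rundll32-LoadForm"
    elif kind == "file":
        path = event.get("path", "").replace("/", "\\").lower()
        folder, _, name = path.rpartition("\\")
        if (folder + "\\").startswith("c:\\programdata\\") and name in DROPPED_FILES:
            return f"programdata-artifact {name}"
    return None

def scan(json_lines):
    """Return (host, finding) pairs for every matching event, in order."""
    events = [json.loads(l) for l in json_lines.splitlines() if l.strip()]
    hits = [(e.get("host", "?"), match_event(e)) for e in events]
    return [(host, hit) for host, hit in hits if hit]
```

The file names and the `LoadForm` export name are weak signals on their own; treat a hit as a lead to correlate with the network matches on the same host.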
Sources
7 references tracked.
SmartApeSG Campaign Uses ClickFix Scripts to Infect Windows Hosts With RAT Malware
cybersecuritynews.com
Unidentified RAT pushes NetSupport RAT - SANS ISC
isc.sans.edu
Lumma Stealer infection with Sectop RAT (ArechClient2)
isc.sans.edu
SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2)
isc.sans.edu
SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2)
isc.sans.edu
Malware-Traffic-Analysis.net - 2026-03-12: Files for an ISC diary (SmartApeSG CAPTCHA page uses ClickFix technique to push Remcos RAT
malware-traffic-analysis.net
SmartApeSG campaign uses ClickFix page to push NetSupport RAT
isc.sans.edu


