SmartApeSG Injects Malicious Code Into Okendo Reviews Widget
Threat researchers reported that the SmartApeSG threat actor, also tracked as ZPHP and HANEYMANEY, compromised the legitimate Okendo Reviews widget in a supply chain attack that exposed downstream websites, particularly high-traffic e-commerce pages. The malicious JavaScript acted as a staged loader rather than an immediate payload, using localStorage to limit repeat execution, User-Agent filtering to prioritize desktop victims and exclude mobile devices, and XOR-obfuscated string fragments to rebuild command-and-control infrastructure at runtime before dynamically loading additional scripts.
Researchers said the activity is consistent with earlier SmartApeSG campaigns that used ClickFix-style fake CAPTCHA lures to trick users into launching follow-on malware through Windows Run, PowerShell, or HTA downloaders. Those campaigns have delivered payloads including NetSupport RAT, Remcos RAT, StealC, and Sectop RAT. Okendo said it was aware of the incident and restored the widget to a clean state, while telemetry showed a sharp spike in detections on May 14, with nearly 15,000 blocks in a single day, suggesting broad exposure across affected sites.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Okendo restores compromised widget script to a clean state
Okendo confirmed it was aware of the incident and said the affected widget script had been restored to a clean state following the compromise.
ThreatLabz publishes SmartApeSG Okendo supply chain attack analysis
Zscaler ThreatLabz published research attributing the staged JavaScript loader in the compromised Okendo Reviews script to SmartApeSG, also tracked as ZPHP or HANEYMANEY. The report detailed execution control, environment filtering, deobfuscation, and dynamic retrieval of follow-on payloads used in the campaign.
ThreatLabz detects malicious Okendo Reviews widget activity
Zscaler ThreatLabz discovered a supply chain attack involving malicious JavaScript injected into the legitimate Okendo Reviews widget. ThreatLabz also observed a sharp spike in detections that day, with nearly 15,000 blocks, indicating potentially broad exposure across downstream sites.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Hackers Abuse Third-Party Okendo Reviews Script to Spread SmartApeSG Malware Campaign
cybersecuritynews.com
Open sourceSmartApeSG Launches Okendo Reviews Supply Chain Attack - Malware News - Malware Analysis, News and Indicators
malware.news
Open sourceSmartApeSG Supply Chain Attack Targets Okendo | ThreatLabz
zscaler.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
SmartApeSG ClickFix Campaign Delivering Remcos RAT
The **SmartApeSG** campaign is using compromised legitimate websites to inject malicious JavaScript that presents a fake CAPTCHA and **ClickFix-style** instructions, tricking users into opening the Windows Run dialog, pasting a clipboard-loaded command, and executing the next stage themselves. In the observed infection chain, the payload was delivered as a ZIP archive disguised with a `.pdf` extension, then executed via **DLL side-loading** to install **Remcos RAT** and establish persistence through a Windows Registry modification. The reporting ties this activity to infrastructure and indicators previously associated with SmartApeSG, also tracked as **ZPHP** and **HANEYMANEY**. A separate report on a **new ClickFix variant** is relevant because it documents the same broader social-engineering delivery technique, but with a different infection chain: a fake CAPTCHA leads victims to run a command that maps a remote WebDAV share using `net use`, launches `update.cmd`, downloads a ZIP archive, and executes a trojanized *WorkFlowy* application containing malicious logic in an `.asar` archive that acts as both a C2 beacon and dropper. Other references describe unrelated APT campaigns, malware families, or vendor detection updates and do not cover the SmartApeSG/Remcos activity itself.
Mar 21, 2026
SmartApeSG ClickFix Campaign Delivers Remcos, NetSupport, StealC, and Sectop RAT
Researchers documented a **SmartApeSG** malware campaign using fake CAPTCHA pages and the **ClickFix** social-engineering technique to trick victims into launching an initial script that led to a multi-stage infection. In observed intrusions, **Remcos RAT** executed first, followed within minutes by **NetSupport RAT**, then **StealC**, and later **Sectop RAT** identified as **ArechClient2**. The activity relied on compromised web infrastructure, rotating delivery domains, attacker-controlled command-and-control servers, and multiple payload packages, with several stages using **DLL side-loading** through legitimate executables while NetSupport RAT was deployed as a legitimate remote administration tool configured for malicious control. Separate analysis tied **Sectop RAT / ArechClient2** to additional follow-on infections, including a chain where a victim seeking cracked software downloaded a password-protected archive that installed **Lumma Stealer** before fetching a 64-bit DLL from `enotsosun[.]pw` and executing it via `rundll32` using the `LoadForm` export. Investigators reported concrete indicators including malware hashes, filenames, persistence artifacts, malicious URLs, and network traffic from Sectop RAT to `91.92.241[.]102` over ports `9000` and `443`, reinforcing that ArechClient2 is being used across varied delivery lures as part of broader credential theft and remote-access operations.
Jun 1, 2026
Malware campaigns abusing trusted software channels (browser extensions, developer tools, and Google Ads) to deliver RATs and stealers
Multiple active malware campaigns are abusing *trusted distribution channels*—including Chrome/Edge extensions, Visual Studio Code extensions, and Google Ads/redirection infrastructure—to trick users into executing payloads that deliver **remote access trojans (RATs)** or **information stealers**. Huntress reported a malvertising-driven fake ad blocker extension, **NexShield**, that intentionally forces Chrome/Edge into a crash/DoS state by looping `chrome.runtime` port connections; on restart it displays a fake “security warning” and uses a **ClickFix-style** social engineering flow (“CrashFix”) to push users to paste and run clipboard-copied commands that trigger an obfuscated PowerShell download-and-execute chain, ultimately deploying the Python-based **ModeloRAT** in corporate environments. Separately, Trend Micro described **Evelyn Stealer** delivered via a trojanized **Visual Studio Code extension** that drops a malicious `Lightshot.dll` side-loaded by legitimate *Lightshot* (`Lightshot.exe`), then runs staged PowerShell and payload retrieval to steal browser credentials, cookies, crypto wallets, VPN/Wi‑Fi data, files, and screenshots before exfiltrating to an attacker-controlled FTP server—posing elevated risk when developer workstations are compromised. South Korea-focused activity also features prominently across several reports, with multiple delivery vectors leading to RAT deployment. ASEC documented **Remcos RAT** distributed via fake installers masquerading as *VeraCrypt* and via gambling-related “lookup” tools, using multi-stage obfuscated **VBS/PowerShell** chains and enabling credential theft, keylogging, and device surveillance (webcam/mic). Genians attributed “**Operation Poseidon**” to the **Konni APT**, describing spear-phishing that abuses Google’s advertising/tracking redirection (e.g., `ad.doubleclick.net` parameters) to make malicious links appear legitimate, redirecting victims to compromised WordPress infrastructure hosting ZIPs with LNK files that launch AutoIt-based loaders to run an **EndRAT** variant in memory. Nextron Systems reported widespread trojanized “free converter” apps promoted via malicious Google ads and lookalike converter sites (e.g., `ez2convertapp[.]com`, `convertyfileapp[.]com`), with some payloads signed using abused/rotating code-signing certificates (e.g., BLUE TAKIN LTD, TAU CENTAURI LTD, SPARROW TIDE LTD) to evade trust checks while installing persistent backdoors.
Mar 21, 2026