
Campaign uses ClickFix page to push NetSupport RAT

Severity: Medium
Published: Mon Dec 08 2025 (12/08/2025, 17:41:04 UTC)
Source: AlienVault OTX General

Description

The SmartApeSG campaign, also known as ZPHP or HANEYMANEY, uses compromised websites to deliver a fake CAPTCHA page in the ClickFix style. When users interact with this page, malicious code is placed in their Windows clipboard and they are prompted to paste and execute it, which leads to the download and installation of the NetSupport RAT. The RAT establishes persistence via a Start Menu shortcut and gives attackers remote access and control. The campaign frequently rotates domains, malware packages, and command-and-control servers to evade detection. Exploitation requires user interaction but no prior authentication. The attack targets Windows systems and relies on social engineering and clipboard injection. The threat is rated medium severity but carries significant risk because of its persistence and remote access capabilities. European organizations that run Windows and browse compromised sites are at risk, especially those with less mature user awareness and endpoint protection. Mitigations include user training, clipboard monitoring, domain and script filtering, and endpoint detection tuned for clipboard injection and persistence mechanisms. Countries with high Windows usage and strategic importance in the finance, government, and technology sectors are most likely to be affected.

AI-Powered Analysis

Last updated: 12/09/2025, 12:58:17 UTC

Technical Analysis

The SmartApeSG campaign (also known as ZPHP or HANEYMANEY) has evolved its infection vector from fake browser update pages to more sophisticated fake CAPTCHA pages styled after ClickFix. The attack chain begins with an injected malicious script on compromised legitimate websites. When a user visits these sites under specific conditions, the script displays a fake CAPTCHA page designed to trick the user into interacting with it. Upon interaction, the campaign injects malicious code into the Windows clipboard, prompting the user to paste and execute this code manually. This social engineering tactic bypasses some automated defenses that do not monitor clipboard content or user-pasted commands. Executing the clipboard content triggers the download and installation of the NetSupport Remote Access Trojan (RAT), a well-known remote administration tool often abused by threat actors. NetSupport RAT establishes persistence by creating a shortcut in the Windows Start Menu, ensuring it runs on system startup. The campaign employs frequent rotation of domains, malware payloads, and command-and-control (C2) servers to evade signature-based detection and complicate takedown efforts. The malware leverages multiple MITRE ATT&CK techniques including clipboard data injection (T1056.001), persistence via startup folder (T1547.001), fallback channels (T1102.002), encrypted communication (T1573.002), remote file copy (T1105), user execution (T1204.001), and spearphishing via user interaction (T1566.003). No known CVEs or exploits are associated, and exploitation requires user interaction but no prior authentication. The campaign targets Windows endpoints primarily through web browser interactions, making it a significant threat vector for organizations with users browsing compromised or malicious websites.

Potential Impact

For European organizations, this campaign poses a medium but tangible risk primarily to Windows-based endpoints. Successful infection grants attackers remote access and control over compromised machines, potentially leading to data exfiltration, espionage, lateral movement, and further network compromise. The persistence mechanism ensures long-term access, complicating incident response and remediation. Clipboard injection and social engineering lower the technical barrier for infection but rely on user interaction, making user awareness critical. Organizations in finance, government, healthcare, and critical infrastructure sectors in Europe are at heightened risk due to the strategic value of their data and systems. The campaign's use of frequently changing domains and C2 infrastructure challenges traditional detection methods, increasing the likelihood of undetected infections. Additionally, the campaign could facilitate supply chain compromises if attackers leverage access to pivot into partner or customer networks. Overall, the threat can degrade confidentiality, integrity, and availability of affected systems, disrupt business operations, and cause reputational damage.

Mitigation Recommendations

1. Implement advanced endpoint protection solutions capable of detecting clipboard injection and unusual persistence mechanisms such as Start Menu shortcuts.
2. Deploy web filtering and DNS filtering to block access to known malicious domains and suspicious URLs associated with the campaign.
3. Monitor clipboard activity on endpoints for suspicious injection or paste operations, especially those involving command execution.
4. Conduct targeted user awareness training emphasizing the risks of interacting with unexpected CAPTCHA pages and pasting unknown clipboard content.
5. Use application whitelisting to restrict execution of unauthorized scripts or binaries, limiting the ability to run malicious payloads.
6. Employ network monitoring to detect anomalous outbound connections to frequently changing C2 servers and domains.
7. Regularly update and patch browsers and operating systems to reduce exposure to web-based injection attacks.
8. Establish incident response playbooks specifically addressing RAT infections and persistence removal.
9. Utilize threat intelligence feeds to update blocklists and detection rules with the indicators of compromise provided (hashes, IPs, and domains).
10. Encourage multi-factor authentication and network segmentation to limit lateral movement if initial compromise occurs.
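Recommendations 1 and 8 above hinge on finding the Start Menu shortcut the RAT drops for persistence. The following is an added example (not code from the page, the SANS diary, or the campaign) of how a hunt script can parse `.lnk` files offline and flag those whose target lives in a user-writable directory; the suspicious-directory list, the demo file name `svc.exe`, and the `build_lnk` helper that fabricates sample shortcuts are assumptions for this illustration.

```python
import struct

HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # MS-SHLLINK CLSID
# User-writable locations a Startup-folder shortcut normally never targets (assumption; tune it).
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

def parse_lnk(data: bytes) -> dict:
    """Minimal MS-SHLLINK parser: returns the local target path and the arguments."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:  # skip the LinkTargetIDList (2-byte size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = ""
    if flags & HAS_LINK_INFO:
        info_size, _, info_flags = struct.unpack_from("<III", data, pos)
        if info_flags & 0x1:  # VolumeIDAndLocalBasePath: LocalBasePathOffset at +0x10
            base = pos + struct.unpack_from("<I", data, pos + 0x10)[0]
            target = data[base:data.index(b"\x00", base)].decode("latin-1")
        pos += info_size
    strings = {}  # StringData items follow in this fixed order when their flag is set
    for key, bit in (("name", HAS_NAME), ("rel", HAS_REL_PATH), ("wd", HAS_WORKDIR),
                     ("args", HAS_ARGS), ("icon", HAS_ICON)):
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0] * (2 if flags & IS_UNICODE else 1)
            raw = data[pos + 2:pos + 2 + n]
            strings[key] = raw.decode("utf-16-le" if flags & IS_UNICODE else "latin-1")
            pos += 2 + n
    return {"target": target, "args": strings.get("args", "")}

def is_suspicious(lnk: dict) -> bool:
    """Flag a startup shortcut whose target binary sits in a user-writable directory."""
    return any(d in lnk["target"].lower() for d in SUSPICIOUS_DIRS)

def build_lnk(target: str, args: str = "") -> bytes:
    """Construct a minimal .lnk for the demo (sample data, not a real campaign artifact)."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGS if args else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # VolumeID with empty label
    base = target.encode("latin-1") + b"\x00"
    info = struct.pack("<IIIIIII", 0x1C + len(volume) + len(base) + 1, 0x1C, 0x1,
                       0x1C, 0x1C + len(volume), 0, 0x1C + len(volume) + len(base))
    sd = struct.pack("<H", len(args)) + args.encode("utf-16-le") if args else b""
    return header + info + volume + base + b"\x00" + sd
```

In a real hunt, feed `parse_lnk` the bytes of each file under `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` and review every shortcut `is_suspicious` flags.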


Technical Details

Author
AlienVault
TLP
white
References
https://isc.sans.edu/diary/32474
Adversary
SmartApeSG
Pulse Id
69370db0cd2bc81cbbe13d51
Threat Score
null

Indicators of Compromise

Hashes

- fbf03feda8df1586886eb38fecdeaefe
- b2f59ccc1149cd8973623e82fe50148a30f0e42c
- 1e9a1be5611927c22a8c934f0fdd716811e0c93256b4ee784fadd9daaf2459a1

IP

- 194.180.191.121

Domains

- frostshiledr.com
- newstarmold.com
- www.iconconsultants.com

Threat ID: 693819561b76610347bfb3a8

Added to database: 12/9/2025, 12:43:02 PM

Last enriched: 12/9/2025, 12:58:17 PM

Last updated: 12/10/2025, 4:22:02 AM

Views: 9
