SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2), (Wed, Mar 25th)
Introduction
AI Analysis
Technical Summary
The SmartApeSG campaign, observed on March 24, 2026, is a sophisticated malware distribution operation that uses a social engineering technique involving a fake CAPTCHA page combined with a ClickFix script to initiate infection. Victims are tricked into running a malicious HTA file that downloads and executes multiple RATs and malware payloads. The initial payload is Remcos RAT, a well-known remote access trojan, which establishes initial control. Shortly after, NetSupport RAT is deployed, followed by StealC malware and Sectop RAT (ArechClient2) at staggered intervals, indicating a multi-stage infection strategy to maintain persistence and expand capabilities. The malware packages use DLL side-loading, a technique where legitimate executables load malicious DLLs, helping evade detection by security tools. The campaign uses compromised legitimate websites to host injected scripts and fake CAPTCHA pages, increasing the likelihood of victim interaction. The attackers use multiple command and control servers with changing domains and IPs, complicating detection and blocking efforts. The campaign's use of legitimate tools configured for malicious purposes (NetSupport RAT) and the variety of RATs deployed suggest a flexible and evolving threat actor capable of espionage, data theft, and long-term system compromise. The infection timeline and file hashes provided allow defenders to identify and correlate infections. The campaign’s infrastructure and tactics indicate a high level of operational security and adaptability.
Potential Impact
Organizations worldwide face significant risks from this campaign due to the deployment of multiple RATs capable of remote control, data exfiltration, credential theft, and lateral movement within networks. The use of DLL side-loading and legitimate tools complicates detection and mitigation, increasing the likelihood of prolonged undetected compromise. The staggered deployment of multiple malware families allows attackers to maintain persistence even if some components are removed. Sensitive data, intellectual property, and system integrity are at risk, especially in sectors with high-value targets such as government, finance, healthcare, and critical infrastructure. The campaign’s use of compromised legitimate websites for initial infection increases the attack surface and can affect organizations relying on third-party web resources. The potential for widespread infection is amplified by the campaign’s frequent changes in infrastructure and file names, challenging traditional signature-based defenses. Overall, the campaign can lead to significant operational disruption, financial loss, and reputational damage.
Mitigation Recommendations
1. Implement advanced endpoint detection and response (EDR) solutions capable of detecting DLL side-loading and anomalous process behaviors, focusing on monitoring legitimate executables loading unexpected DLLs.
2. Employ network monitoring to detect unusual outbound connections to known C2 IPs and domains associated with Remcos, NetSupport, StealC, and Sectop RATs; use threat intelligence feeds to update blocklists dynamically.
3. Harden web security by scanning and monitoring third-party and internal websites for injected malicious scripts, especially those serving CAPTCHA or similar user interaction pages.
4. Educate users about the risks of interacting with suspicious CAPTCHA pages and running unexpected HTA or script files, emphasizing the dangers of clipboard manipulation and social engineering.
5. Use application whitelisting to prevent execution of unauthorized HTA files and untrusted scripts, particularly in user directories like AppData and ProgramData.
6. Regularly audit and restrict permissions on directories commonly used for malware persistence (e.g., AppData, ProgramData, Public folders).
7. Employ multi-factor authentication and network segmentation to limit lateral movement if initial compromise occurs.
8. Conduct regular threat hunting exercises focusing on the presence of the identified malware hashes and network indicators.
9. Collaborate with ISPs and hosting providers to take down malicious domains and servers used by the campaign.
10. Maintain up-to-date backups and incident response plans to quickly recover from infections.
Affected Countries
United States, United Kingdom, Germany, France, Australia, Canada, Netherlands, Singapore, Japan, South Korea, India, Brazil
Technical Details
Article Source: https://isc.sans.edu/diary/rss/32826 (fetched 2026-03-25T01:15:37.849Z, 712 words)
Threat ID: 69c33747f4197a8e3bad16e0
Added to database: 3/25/2026, 1:15:51 AM
Last enriched: 3/25/2026, 1:16:10 AM
Last updated: 3/25/2026, 2:22:16 AM