SmartApeSG campaign uses ClickFix page to push NetSupport RAT, (Wed, Nov 12th)
The SmartApeSG campaign is a malware distribution operation that uses compromised websites to display fake CAPTCHA-style verification pages, tricking users into executing malicious commands that install the NetSupport RAT on Windows hosts. The RAT persists via a Start Menu shortcut that runs a JavaScript file from the user's AppData\Local\Temp directory, which in turn launches the RAT executable stored under C:\ProgramData. The campaign has evolved from fake browser update pages to the current ClickFix fake CAPTCHA lure, and its domains and payloads change frequently to evade detection. Infection requires user interaction: the victim must follow the on-screen instructions and paste a command into the Run window, which downloads and executes the RAT. Once installed, the RAT gives the operators remote control of the machine and can be used to stage further malware. The campaign exploits no software vulnerability and relies entirely on social engineering; it has been active since mid-2024 and continues to adapt. The threat is rated medium severity because it needs user interaction and several manual steps, but a successful infection poses significant risks to confidentiality and integrity.
AI Analysis
Technical Summary
The SmartApeSG campaign is a malware infection chain that leverages compromised websites to deliver the NetSupport Remote Access Trojan (RAT) to Windows systems. Initially reported in June 2024, the campaign has shifted its lure from fake browser update pages to a ClickFix-style fake CAPTCHA page that asks the visitor to verify they are human. When its conditions are met, a hidden script injected into the compromised site displays the fake CAPTCHA page. When the user clicks the verification box, the page copies a malicious command to the Windows clipboard, and a pop-up then instructs the user to open the Run dialog (Win+R), paste the clipboard content, and press Enter. The pasted command invokes the mshta utility to download and execute remote script content that ultimately installs the NetSupport RAT. The RAT package is delivered as a zip archive from frequently changing domains and is extracted to the C:\ProgramData directory. Persistence is maintained through a Start Menu shortcut that runs a JavaScript file from the user's AppData\Local\Temp folder, which in turn launches the RAT executable. The RAT communicates with its command and control (C2) server over TCP port 443, where it blends in with ordinary HTTPS traffic and is unlikely to be blocked by egress filtering. The campaign's infrastructure is dynamic, with domains and payloads changing almost daily, which limits the useful lifetime of domain- and hash-based indicators. Although the chain requires user interaction and several manual steps, NetSupport gives the operators full interactive control of the host, which can lead to data exfiltration, lateral movement, and deployment of additional malware. Indicators of compromise published for the campaign include URLs hosting the injected scripts and fake CAPTCHA pages and the malicious zip archive. The campaign is tracked through social media reporting and URL scanning services, which show ongoing activity and continued evolution.
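The chain described above leaves a recognisable pattern in process-creation telemetry: explorer.exe (the parent of anything started from the Run dialog) launching mshta.exe with a remote URL, a script host running a .js file out of the user's Temp folder, and an executable under C:\ProgramData started by that script host. The following is an added example, not code from the ISC diary or the offseq analysis. It encodes those three stages as detection logic over constructed records shaped like Sysmon Event ID 1 fields (Image, ParentImage, CommandLine); the field names, paths and the URL in the sample data are assumptions, not real indicators.

```python
"""Detect the ClickFix -> mshta -> Temp .js -> ProgramData executable chain.

Added example. SAMPLE_EVENTS is constructed to resemble Sysmon Event ID 1 output;
nothing in it is a real indicator of compromise.
"""
import re
from dataclasses import dataclass

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# A .js inside <profile>\AppData\Local\Temp\ anywhere in the command line.
TEMP_JS_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\s\"]+\.js\b", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\x\\y.exe' -> 'y.exe')."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    findings = []
    for ev in events:
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        # Stage 1: the pasted Run-dialog command. Win+R commands are children of
        # explorer.exe, and mshta fetching a remote URL is not normal user activity.
        if image == "mshta.exe" and parent == "explorer.exe" and URL_RE.search(cmd):
            findings.append(Finding("clickfix_mshta_remote", ev["Image"], cmd))
        # Stage 2: persistence. The Start Menu shortcut runs a .js from the user's
        # Temp folder via a Windows script host.
        if image in SCRIPT_HOSTS and TEMP_JS_RE.search(cmd):
            findings.append(Finding("temp_js_script_host", ev["Image"], cmd))
        # Stage 3: the RAT. An executable under C:\ProgramData spawned by that script host.
        if parent in SCRIPT_HOSTS and ev.get("Image", "").lower().startswith("c:\\programdata\\"):
            findings.append(Finding("programdata_exe_from_script_host", ev["Image"], cmd))
    return findings


# Constructed sample telemetry: two benign events interleaved with the three stages.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad"},  # benign Run-dialog use
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://captcha.example.invalid/verify"},  # stage 1 (made-up URL)
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r"mshta C:\Program Files\Vendor\ui.hta"},  # benign local .hta from an installer
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\launch.js"'},  # stage 2
    {"Image": r"C:\ProgramData\Example\client.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\ProgramData\Example\client.exe"'},  # stage 3
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:36} {f.image}")
```

Stage 1 on its own is the highest-confidence signal and is worth alerting on immediately; stages 2 and 3 are also what a hunt over historical telemetry should pivot on, because a host that only logs those two has already been infected and the Run-dialog event may have aged out of retention.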
Potential Impact
For European organizations, the SmartApeSG campaign poses a significant risk primarily through social engineering delivered via compromised legitimate websites. A successful infection gives the operators interactive remote access and can lead to data theft, espionage, and follow-on malware, threatening the confidentiality and integrity of sensitive information. The user-level persistence mechanism and the use of TCP port 443 for C2, which blends with normal HTTPS traffic, make detection and remediation harder. Organizations whose staff browse widely, including otherwise reputable sites that may have been compromised, are exposed. The campaign's rapidly changing domains and payloads limit the value of signature- and blocklist-based defences. Because infection depends on the user pasting and running a command, awareness training that covers this specific lure is critical. Sectors holding high-value data or operating critical infrastructure, including the finance, government, and technology sectors prevalent in Europe, are plausible targets. The medium severity rating reflects the balance between the need for user action and the potential for significant damage once the RAT is installed. Availability could also suffer if infected systems are used as footholds for broader attacks.
Mitigation Recommendations
European organizations should implement multi-layered defenses tailored to this campaign's tactics. First, enhance web filtering to block known malicious domains and URLs associated with SmartApeSG, using threat intelligence feeds that track the campaign's dynamic infrastructure; given the near-daily rotation, treat blocklists as a supplement rather than a primary control. Deploy endpoint detection and response (EDR) or Sysmon telemetry that alerts on mshta.exe launched by explorer.exe with a URL argument, which is the signature of a command pasted into the Run dialog. Restrict mshta.exe for standard users through AppLocker or Windows Defender Application Control, block script execution from AppData\Local\Temp, and consider enabling the Microsoft Defender Attack Surface Reduction rule that blocks JavaScript and VBScript from launching downloaded executable content. Where the Run dialog is not needed, disable it via Group Policy (Remove Run menu from Start Menu), which breaks the ClickFix instructions outright. Note that NetSupport Manager is a legitimate remote-administration product, so antivirus may not flag the binary itself; detection should focus on where it is installed and how it is launched. Conduct targeted user awareness training on the risks of pasting commands from web pages and on recognizing fake CAPTCHA or verification prompts. Apply least privilege so that users cannot write to or execute from C:\ProgramData subdirectories that software does not require. Regularly audit Start Menu shortcuts and the AppData\Local\Temp directory for unauthorized scripts or shortcuts pointing into Temp. Employ network monitoring to detect outbound TCP 443 connections originating from executables under C:\ProgramData rather than from browsers, which may indicate RAT C2 communications. Finally, maintain up-to-date backups and incident response plans to remediate infections quickly, and participate in threat intelligence sharing platforms for timely updates on SmartApeSG indicators and tactics.
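The audit of Start Menu shortcuts and the Temp folder recommended above can be scripted. The following is an added example, not code from the ISC diary or the offseq analysis. It looks for .lnk files in the per-user and all-users Startup folders whose stored target or arguments point into AppData\Local\Temp, and for script files sitting in %LOCALAPPDATA%\Temp. The Shell Link format stores the target path as ANSI and/or UTF-16LE strings, so the check searches the raw bytes for both encodings instead of fully parsing the format; that is a triage heuristic, and the Startup and Temp paths used as defaults are the standard Windows locations, assumed here to be where the shortcut described in the diary lives. The directory arguments are parameters so the function can be exercised on a constructed tree.

```python
"""Hunt for the SmartApeSG persistence artefacts: Startup shortcuts into Temp, scripts in Temp.

Added example. build_demo_tree() constructs a throwaway directory with one benign and
one suspicious shortcut so the audit can be run offline; the shortcut bytes are a
minimal header fragment plus a UTF-16LE path, not valid Windows shortcuts.
"""
import os
import re
import tempfile

# Standard Windows locations (assumed defaults; overridden in the demo).
DEFAULT_STARTUP_DIRS = [
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
    r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp",
]
DEFAULT_TEMP_DIR = r"%LOCALAPPDATA%\Temp"

# .lnk files carry the target as ANSI (LinkInfo) and/or UTF-16LE (StringData),
# so match the Temp-folder fragment in both encodings, case-insensitively.
TEMP_FRAGMENT = "AppData\\Local\\Temp\\"
TEMP_RE_ANSI = re.compile(re.escape(TEMP_FRAGMENT.encode("ascii")), re.IGNORECASE)
TEMP_RE_UTF16 = re.compile(re.escape(TEMP_FRAGMENT.encode("utf-16-le")), re.IGNORECASE)
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs")


def shortcut_points_into_temp(lnk_path: str) -> bool:
    with open(lnk_path, "rb") as fh:
        data = fh.read()
    return bool(TEMP_RE_ANSI.search(data) or TEMP_RE_UTF16.search(data))


def audit(startup_dirs=DEFAULT_STARTUP_DIRS, temp_dir=DEFAULT_TEMP_DIR):
    """Return (rule, path) pairs for suspicious Startup shortcuts and scripts in Temp."""
    findings = []
    for d in (os.path.expandvars(p) for p in startup_dirs):
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            full = os.path.join(d, name)
            if name.lower().endswith(".lnk") and shortcut_points_into_temp(full):
                findings.append(("startup_shortcut_into_temp", full))
    temp_dir = os.path.expandvars(temp_dir)
    if os.path.isdir(temp_dir):
        for name in sorted(os.listdir(temp_dir)):
            if name.lower().endswith(SCRIPT_EXTS):
                findings.append(("script_in_temp", os.path.join(temp_dir, name)))
    return findings


def build_demo_tree(root: str):
    """Constructed sample: a benign shortcut, a shortcut targeting a .js in Temp,
    and a Temp folder with that .js next to an ordinary .tmp file."""
    startup = os.path.join(root, "Startup")
    temp = os.path.join(root, "Temp")
    os.makedirs(startup)
    os.makedirs(temp)
    # HeaderSize 0x4C + the Shell Link CLSID; enough to look like a .lnk for this demo.
    lnk_header = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
    with open(os.path.join(startup, "Vendor Tool.lnk"), "wb") as fh:
        fh.write(lnk_header + r"C:\Program Files\Vendor\tool.exe".encode("utf-16-le"))
    with open(os.path.join(startup, "Update.lnk"), "wb") as fh:
        fh.write(lnk_header + r"C:\Users\alice\AppData\Local\Temp\launch.js".encode("utf-16-le"))
    with open(os.path.join(temp, "launch.js"), "w") as fh:
        fh.write("// placeholder launcher for the demo\n")
    with open(os.path.join(temp, "setup.tmp"), "wb"):
        pass
    return [startup], temp


def demo():
    startup_dirs, temp = build_demo_tree(tempfile.mkdtemp())
    return [rule for rule, _ in audit(startup_dirs, temp)]


if __name__ == "__main__":
    for rule, path in audit():  # live host with the default locations
        print(f"{rule:28} {path}")
```

Treat a hit as a lead, not a verdict: confirm the shortcut's actual target (for example with WScript.Shell's CreateShortcut in PowerShell, or an LNK parser) and check whether the referenced executable under C:\ProgramData is a NetSupport client before remediating.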
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Austria
Technical Details
- Article source: https://isc.sans.edu/diary/rss/32474 (fetched 2025-11-12T21:53:55Z, 661 words)
Threat ID: 691501f3e6b3e50d5094b0e8
Added to database: 11/12/2025, 9:53:55 PM
Last enriched: 11/12/2025, 9:54:14 PM
Last updated: 11/12/2025, 11:28:44 PM