SmartApeSG campaign uses ClickFix page to push Remcos RAT, (Sat, Mar 14th)

Medium
Vulnerability
Published: Sat Mar 14 2026 (03/14/2026, 01:19:49 UTC)
Source: SANS ISC Handlers Diary

Description

The SmartApeSG campaign leverages compromised legitimate websites to inject malicious scripts that display a fake CAPTCHA page mimicking ClickFix instructions. Users are tricked into running a script via the Windows Run dialog, which downloads a ZIP archive disguised as a PDF file containing the Remcos Remote Access Trojan (RAT). The malware uses DLL side-loading for execution and establishes persistence through Windows Registry modifications. Communication with command and control servers occurs over TLSv1.3 with self-signed certificates. Indicators such as injected scripts and malicious domains change frequently, complicating detection. This campaign has been active since at least late 2025, shifting from NetSupport Manager RAT to Remcos RAT. The attack requires user interaction but exploits social engineering to bypass typical defenses. Organizations with web presence and users susceptible to social engineering are at risk worldwide.

AI-Powered Analysis

Last updated: 03/14/2026, 01:29:17 UTC

Technical Analysis

The SmartApeSG campaign is a sophisticated malware distribution operation that compromises legitimate websites by injecting malicious JavaScript code. This injected script generates a fake CAPTCHA verification page styled after ClickFix, a known legitimate service, to deceive users into believing they must verify their humanity. Upon user interaction (checking a box), the page displays instructions that prompt the user to open the Windows Run dialog and paste a script copied to their clipboard. Executing this script initiates a multi-stage infection chain. First, it contacts attacker-controlled domains that serve HTA files and subsequently a ZIP archive disguised with a .pdf extension. This archive contains the Remcos RAT payload, which is executed via DLL side-loading, a technique that abuses legitimate Windows binaries to load malicious DLLs, evading detection. The malware establishes persistence by modifying the Windows Registry to ensure execution on system startup. Network traffic analysis reveals communication with command and control servers over TLSv1.3 using self-signed certificates, complicating network-based detection. The campaign's infrastructure, including domains and file hashes, changes frequently, indicating active maintenance and evasion efforts. The campaign has been observed since at least November 2025, initially distributing NetSupport Manager RAT but now predominantly pushing Remcos RAT. The attack relies heavily on social engineering, requiring user interaction to execute the malicious script, but exploits compromised trusted websites to increase credibility and infection likelihood.

Potential Impact

This threat poses significant risks to organizations globally, particularly those with employees or customers who may visit compromised legitimate websites. Successful infections grant attackers remote access to affected systems via Remcos RAT, enabling data exfiltration, credential theft, lateral movement, and deployment of additional malware. The use of DLL side-loading and persistence mechanisms complicates detection and removal, potentially leading to prolonged unauthorized access. The campaign's reliance on social engineering means that even well-defended networks can be compromised if users are tricked. The frequent change of infrastructure and indicators hinders traditional signature-based defenses, increasing the risk of undetected infections. Organizations in sectors with high web traffic or those targeted for espionage or financial gain are particularly vulnerable. The campaign's global nature and use of legitimate websites as infection vectors mean no region is entirely immune, but the impact can be severe in environments lacking robust endpoint protection and user awareness training.

Mitigation Recommendations

Organizations should implement multi-layered defenses focusing on both technical controls and user education. Specifically, deploy advanced endpoint detection and response (EDR) solutions capable of detecting DLL side-loading and unusual registry modifications. Employ web filtering and DNS security to block access to known malicious domains and monitor for suspicious traffic patterns, including TLS connections with self-signed certificates. Regularly audit and monitor websites under organizational control for unauthorized script injections. Conduct targeted user awareness training emphasizing the risks of executing unknown scripts and the dangers of social engineering tactics like fake CAPTCHA pages. Implement application control policies restricting execution of scripts from untrusted sources and limit the use of the Windows Run dialog for script execution. Utilize threat intelligence feeds to stay updated on changing indicators related to SmartApeSG infrastructure. Finally, maintain robust incident response plans to quickly isolate and remediate infected systems upon detection.
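The recommendations above map onto a handful of host and network telemetry checks. The following is an added example, not code from the diary or from SANS ISC, that runs those checks over a few constructed endpoint/network events: a script host launched from explorer.exe (the process tree a Run-dialog launch produces), a write to an autorun Run/RunOnce key, a file with a .pdf name whose first bytes are the ZIP local-file-header signature, an unsigned DLL loaded from a user-writable path (a coarse side-loading heuristic), and a TLS session whose certificate subject equals its issuer (self-signed). The event schema, field names, tag names and all sample values are assumptions made for this example; the page itself publishes no IoCs here.

```python
import json
import ntpath
from collections import Counter

# Constructed sample telemetry for this example (not taken from the diary);
# one JSON object per line, loosely modelled on EDR/Sysmon-style events.
SAMPLE_EVENTS = r"""
{"type":"process","parent":"explorer.exe","image":"C:\\Windows\\System32\\mshta.exe","cmdline":"mshta https://example.invalid/verify.hta"}
{"type":"process","parent":"explorer.exe","image":"C:\\Program Files\\Vendor\\app.exe","cmdline":"app.exe"}
{"type":"registry","key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","value":"Updater","data":"C:\\Users\\u\\AppData\\Roaming\\x\\host.exe"}
{"type":"registry","key":"HKCU\\Software\\Vendor\\Settings","value":"Theme","data":"dark"}
{"type":"file","path":"C:\\Users\\u\\Downloads\\invoice.pdf","magic":"504b0304"}
{"type":"file","path":"C:\\Users\\u\\Downloads\\report.pdf","magic":"25504446"}
{"type":"imageload","image":"C:\\Users\\u\\AppData\\Roaming\\x\\host.exe","loaded":"C:\\Users\\u\\AppData\\Roaming\\x\\helper.dll","signed":false}
{"type":"imageload","image":"C:\\Program Files\\Vendor\\app.exe","loaded":"C:\\Windows\\System32\\kernel32.dll","signed":true}
{"type":"tls","dst":"203.0.113.10:443","subject":"CN=localhost","issuer":"CN=localhost","version":"TLSv1.3"}
{"type":"tls","dst":"203.0.113.11:443","subject":"CN=www.example.com","issuer":"CN=Example CA","version":"TLSv1.3"}
"""

# Script interpreters that a Run-dialog one-liner typically ends up in.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
ZIP_MAGIC = "504b0304"  # "PK\x03\x04": ZIP local file header, regardless of extension
# Path fragments treated as user-writable for the side-loading heuristic (assumption).
USER_PATH_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\")


def parse_events(text):
    """Decode one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_event(ev):
    """Return the detection tags that fire for a single event (empty list if none)."""
    tags = []
    kind = ev.get("type")
    if kind == "process":
        image = ntpath.basename(ev.get("image", "")).lower()
        if ev.get("parent", "").lower() == "explorer.exe" and image in SCRIPT_HOSTS:
            tags.append("script-host-from-explorer")
    elif kind == "registry":
        key = ev.get("key", "").lower()
        if key.endswith("\\currentversion\\run") or key.endswith("\\currentversion\\runonce"):
            tags.append("autorun-registry-write")
    elif kind == "file":
        path = ev.get("path", "").lower()
        if path.endswith(".pdf") and ev.get("magic", "").lower().startswith(ZIP_MAGIC):
            tags.append("zip-disguised-as-pdf")
    elif kind == "imageload":
        loaded = ev.get("loaded", "").lower()
        if (loaded.endswith(".dll") and not ev.get("signed", True)
                and any(marker in loaded for marker in USER_PATH_MARKERS)):
            tags.append("unsigned-dll-from-user-path")
    elif kind == "tls":
        subject = ev.get("subject")
        if subject and subject == ev.get("issuer"):
            tags.append("self-signed-tls")
    return tags


def scan(text):
    """Run every check over every event; returns a list of (tag, event) pairs."""
    return [(tag, ev) for ev in parse_events(text) for tag in check_event(ev)]


def summarize(findings):
    """Count findings per tag so a triage view shows which stages were observed."""
    return Counter(tag for tag, _ in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for tag, ev in hits:
        print(f"[{tag}] {json.dumps(ev)}")
    print(dict(summarize(hits)))
```

Each tag on its own is noisy (a user double-clicking a local .hta file also yields mshta.exe under explorer.exe, and internal services do use self-signed certificates), so the value is in correlation: several tags firing on the same host within a short window is the chain the diary describes, and that is the condition worth alerting on.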


Technical Details

Article Source: https://isc.sans.edu/diary/rss/32796 (fetched 2026-03-14T01:28:57.300Z, 612 words)

Threat ID: 69b4b9d92f860ef94307e3a6

Added to database: 3/14/2026, 1:28:57 AM

Last enriched: 3/14/2026, 1:29:17 AM

Last updated: 3/14/2026, 2:53:24 AM
