SmartApeSG Campaign Exploits ClickFix Fake Verification Pages to Deliver NetSupport RAT

dark6 2 June 2026

A well-known social engineering campaign called SmartApeSG is back in the spotlight, this time deploying ClickFix scripts to quietly install remote access malware on Windows computers. The campaign lures victims through fake browser verification pages that trick them into running a malicious script, without ever revealing the full extent of the damage being done.

The ClickFix Technique: Social Engineering at Scale

The infection chain starts when a user visits a compromised or malicious website displaying a fake “verification” page. This page instructs the visitor to copy and run a PowerShell or similar script to prove they are human — the so-called ClickFix technique. Once the script runs, it silently reaches out to attacker-controlled servers and downloads the first stage of the infection. The victim sees nothing unusual on their screen while the attacker gains quiet, persistent access to the machine.

According to the Internet Storm Center (ISC), the campaign was formally identified after researcher Brad Duncan observed a suspicious infection on May 27, 2026. An unidentified RAT had been generating encoded traffic to a command and control server since at least April 2026, confirming the campaign had been running quietly for several weeks before being publicly documented.

Two-Stage Infection: Unidentified RAT to NetSupport Manager

What sets this SmartApeSG wave apart is its deliberate two-stage attack design. The first stage involves an unidentified RAT that sends encoded traffic to its C2 server over TCP port 443, making it blend in with regular web traffic. This encoded, non-SSL traffic on port 443 is unusual and helps the malware evade detection tools that expect standard HTTPS on that port.

Once the initial RAT establishes a foothold, it pulls in a second payload: a malicious package containing NetSupport Manager RAT — a legitimate remote access tool that attackers have repurposed to take unauthorized control of infected machines. The delivery mechanism uses:

  • A CAB file fetched and extracted from the C2 server
  • A batch script (token.bat) that handles installation
  • A VBScript file (processor.vbs) that triggers the batch script

Together, these components install the NetSupport RAT and configure it to automatically run whenever the system restarts, ensuring long-term persistence even through reboots.

Self-Cleaning for Anti-Forensic Evasion

After the NetSupport RAT is installed and persistent, the scripts used to set it up are deleted automatically, removing traces of the initial compromise. This cleanup step makes forensic investigation significantly harder and reveals the careful level of planning behind the campaign. The entire infection chain is designed to stay quiet, survive reboots, and resist analysis.

Campaign Infrastructure and Indicators

Key indicators of compromise for this campaign include the following (defanged for safety):

  • Initial RAT C2: 89.110.110[.]119 over TCP port 443 (encoded traffic)
  • NetSupport RAT C2: 185.163.47[.]217 over TCP port 443
  • Distribution domain: silverharvestnetwork[.]com
  • ClickFix domain: hiddenplanetlab[.]top

Since domains and file hashes rotate daily, defenders are advised to follow the @monitorsg feed on Mastodon for the latest indicators of compromise.

Detection and Defense Recommendations

Security teams should take the following steps to detect and prevent SmartApeSG infections:

  • Monitor for unusual PowerShell execution triggered by browser events — a clear sign of the ClickFix technique being abused.
  • Watch for encoded, non-standard traffic over TCP port 443 that does not follow normal SSL/TLS handshake patterns.
  • Block access to suspicious or newly registered domains through DNS filtering and web proxy policies.
  • Train users to never copy and paste scripts from websites claiming to offer verification or CAPTCHA bypass steps.
  • Deploy endpoint detection and response (EDR) capable of identifying NetSupport Manager RAT usage in unauthorized contexts.
  • Audit startup items and scheduled tasks for newly added persistence entries after any suspected compromise.
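The second and third recommendations can be turned into a simple triage rule: a client connection to TCP/443 should open with a TLS ClientHello record, and anything else on that port, or any connection to the C2 addresses listed above, deserves a look. The following is an added example written for this post, not code from ISC or the original article; the Flow records are constructed sample data, and it assumes a sensor that can hand you the first client-to-server payload bytes of each connection.

```python
"""Flag TCP/443 flows that do not start with a TLS ClientHello, plus known C2 hits."""
from dataclasses import dataclass


def refang(ip: str) -> str:
    """Turn a defanged address (as published) back into a comparable IP string."""
    return ip.replace("[.]", ".")


# C2 addresses quoted in the post, kept defanged in the source and refanged for matching.
KNOWN_C2 = {refang(ip) for ip in ("89.110.110[.]119", "185.163.47[.]217")}


@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    first_bytes: bytes  # first client-to-server payload bytes of the connection


def looks_like_tls_client_hello(data: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 0x03xx, length, then handshake type 0x01."""
    if len(data) < 6:
        return False
    return (data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01)


def classify(flow: Flow) -> str:
    """Return a verdict: known-c2, non-tls-443, ok, or ignore (not a port we inspect)."""
    if flow.dst_ip in KNOWN_C2:
        return "known-c2"
    if flow.dst_port != 443:
        return "ignore"
    if not looks_like_tls_client_hello(flow.first_bytes):
        return "non-tls-443"
    return "ok"


def triage(flows):
    """Keep only the flows worth an analyst's attention, as (dst_ip, verdict) pairs."""
    return [(f.dst_ip, v) for f in flows if (v := classify(f)) not in ("ok", "ignore")]


# Constructed sample flows: a normal ClientHello, a hit on the post's first-stage C2,
# cleartext HTTP on 443, and ordinary port-80 traffic that the rule does not inspect.
SAMPLE_FLOWS = [
    Flow("93.184.216.34", 443, bytes.fromhex("16030100f5010000f10303")),
    Flow("89.110.110.119", 443, b"\x7a\x1f\x9c\x02\x44\xe1"),
    Flow("10.0.0.5", 443, b"GET / HTTP/1.1\r\nHost: x\r\n"),
    Flow("10.0.0.7", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_FLOWS):
        print(f"{ip}\t{verdict}")
```

The ClientHello check is deliberately loose (it only inspects the record and handshake headers), so use it to prioritise flows for review rather than as a standalone alert.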

The SmartApeSG ClickFix campaign illustrates how social engineering combined with legitimate tooling continues to be a highly effective attack vector. Organizations should prioritize user awareness training alongside technical controls to reduce their exposure to these persistent threats.
