SmartApeSG Campaign Unleashes Devastating Multi-RAT Assault: How One ClickFix Leads to Remcos, NetSupport, StealC, and SectopRAT Infections + Video

Listen to this Post

Featured Image

Introduction

The SmartApeSG campaign represents a sophisticated evolution in malware distribution, leveraging the increasingly prevalent ClickFix social engineering technique to deliver not just one, but a cascade of Remote Access Trojans (RATs) and information stealers. This multi-stage attack, recently analyzed by the SANS Internet Storm Center, demonstrates how threat actors are combining legitimate remote administration tools with custom malware to establish persistent access, steal credentials, and maintain control over compromised systems, all while evading traditional security measures .

Learning Objectives

  • Understand the complete infection chain of the SmartApeSG campaign, from initial social engineering to the deployment of four distinct malware families
  • Identify indicators of compromise (IOCs) and network traffic patterns associated with Remcos RAT, NetSupport RAT, StealC, and SectopRAT
  • Implement effective detection and mitigation strategies, including PowerShell logging, network monitoring, and application control policies

You Should Know

  1. The ClickFix Deception: How Users Are Tricked into Executing Malicious Code

The SmartApeSG campaign begins with a compromised legitimate website that injects malicious JavaScript, redirecting users to a convincing fake CAPTCHA page. This page instructs victims to open the Windows Run dialog (Windows Key + R), paste a pre-copied command (Ctrl + V), and press Enter to “verify” they are human . The command is designed to execute PowerShell with encoded instructions that download and run the initial payload.

What this does: The attackers exploit user trust in familiar security controls like CAPTCHA, bypassing browser security warnings by having the user manually execute the payload.

Step-by-step guide to analyze this technique:

  1. Monitor RunMRU registry keys to detect executed commands:
    Windows: Check Run dialog history
    Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" | Select-Object -ExpandProperty MRUList
    

2. Capture suspicious PowerShell execution with command-line logging:

 Windows: Enable PowerShell script block logging
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1

3. Network analysis to detect initial callback domains:

 Linux: Monitor for suspicious domain lookups
tcpdump -i any -n "dst host fresicrto[.]top" -w captcha_traffic.pcap

4. Extract malicious scripts from compromised websites:

 Linux: Use curl to retrieve injected script
curl -s "http://[compromised-site]/" | grep -E "script.src" | grep -v "google"

2. Remcos RAT: The Initial Access Payload

The first malware deployed in the chain is Remcos RAT, which establishes initial foothold through fileless execution. In the SmartApeSG campaign, Remcos is delivered via an HTA file that downloads a ZIP archive containing the RAT . Modern variants of Remcos use PowerShell loaders that operate entirely in memory, bypassing traditional file-based detection .

Technical analysis: Remcos RAT V6.0.0 Pro employs advanced evasion techniques including Process Environment Block (PEB) walking to dynamically resolve API addresses, anti-debugging methods, and process hollowing into legitimate processes like svchost.exe .

Detection and mitigation steps:

  1. Monitor for MSHTA.exe execution with suspicious command lines:
    Windows: Query event logs for MSHTA execution
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object {$_.Properties[bash].Value -like "mshta.exe"}
    

2. Detect Remcos C2 communication using Zeek/Bro:

 Linux: Zeek rule to detect Remcos traffic patterns
zeek -r capture.pcap /usr/local/zeek/share/zeek/site/remcos-detection.zeek

3. Block known C2 infrastructure using IPtables:

 Linux: Block Remcos C2 IP addresses
sudo iptables -A OUTPUT -d 95.142.45.231 -j DROP

4. Memory analysis to detect injected shellcode:

 Windows: Use Volatility to identify injected processes
volatility -f memory.dump --profile=Win10x64 malfind -D output/

3. NetSupport RAT: Abusing Legitimate Tools for Persistence

Following the initial Remcos infection, the SmartApeSG campaign deploys NetSupport RAT, a legitimate remote administration tool repurposed by attackers. The malware is delivered as “client32.exe,” still bearing its original valid certificate, allowing it to bypass certificate-based security controls .

Infection mechanics: The ClickFix command initiates a PowerShell script that downloads an MSI package disguised as a PNG file, which then extracts and executes the NetSupport client. The script displays misleading messages like “Installing SecureModule Engine v1.0.0” to keep victims occupied while malware installs .

Detection and removal procedures:

  1. Identify NetSupport RAT installation by checking common paths:
    Windows: Check for NetSupport files in ProgramData
    Get-ChildItem -Path "C:\ProgramData\UpdateInstaller\" -Recurse -ErrorAction SilentlyContinue
    

2. Remove persistence mechanisms created by NetSupport:

 Windows: Remove autorun registry entries
Remove-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "QAFMEZQFQYU" -ErrorAction SilentlyContinue

3. Detect NetSupport network traffic with Wireshark filters:

 Wireshark filter for NetSupport RAT traffic
tcp.port == 443 && ip.addr == 185.163.47.220

4. Block execution using Windows Defender Application Control:

 Windows: Block NetSupport client32.exe via AppLocker
New-AppLockerPolicy -RuleType Path -Path "C:\ProgramData\UpdateInstaller\client32.exe" -Action Deny

4. StealC Infostealer: Credential Harvesting in Memory

Approximately one hour after NetSupport RAT infection, the SmartApeSG campaign deploys StealC, a sophisticated infostealer that operates largely in memory . StealC uses RC4-encrypted HTTP traffic to exfiltrate browser credentials, cryptocurrency wallets, email logins, and system information to its command-and-control server.

Advanced evasion: The malware uses Donut framework-generated shellcode that is reflectively loaded into memory and injected into svchost.exe, making forensic analysis challenging .

Detection and response steps:

1. Monitor for suspicious svchost.exe behavior using Sysmon:

<!-- Sysmon configuration to detect unusual svchost.exe network connections -->
<EventFiltering>
<ProcessCreate onmatch="exclude">
<Image condition="is">C:\Windows\System32\svchost.exe</Image>
</ProcessCreate>
<NetworkConnect onmatch="include">
<Image condition="is">C:\Windows\System32\svchost.exe</Image>
<DestinationPort condition="is">80</DestinationPort>
</NetworkConnect>
</EventFiltering>

2. Detect RC4 encryption patterns in network traffic:

 Linux: Use ngrep to detect StealC C2 traffic
sudo ngrep -d any -W byline "RC4" host 89.46.38.100

3. Extract StealC configuration from memory:

 Windows: Dump process memory for analysis
Get-Process -Name svchost | ForEach-Object { .\procdump.exe -ma $_.Id C:\dumps\ }

4. Block StealC C2 domains via DNS sinkhole:

 Linux: Add DNS blackhole entry
echo "0.0.0.0 89.46.38.100" >> /etc/hosts

5. SectopRAT (ArechClient2): Final-Stage Backdoor

The final payload in the SmartApeSG campaign is SectopRAT, also known as ArechClient2, a highly obfuscated .NET-based RAT that provides persistent backdoor access. SectopRAT uses the calli obfuscator to hide its core functions, making static analysis extremely difficult .

Capabilities and stealth: SectopRAT can steal browser data (cookies, passwords, autofill), profile victim systems, target VPNs, game launchers, and messaging platforms, and scan for cryptocurrency wallets. Some variants disguise themselves as Chrome extensions named “Google Docs” to inject malicious scripts into web pages .

Comprehensive removal and hardening:

1. Detect SectopRAT processes and associated files:

 Windows: Check for suspicious Chrome extensions
Get-ChildItem "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions\" | ForEach-Object {
Get-Content "$_\manifest.json" | Select-String "google docs" -Context 5
}
  1. Monitor for SectopRAT C2 communication on ports 9000 and 15647:
    Linux: Use netstat to identify suspicious listening ports
    sudo ss -tulpn | grep -E ':(9000|15647)'
    

3. Remove SectopRAT persistence and files:

 Windows: Remove SectopRAT files and registry keys
Remove-Item -Path "$env:APPDATA\Local\llg" -Recurse -Force -ErrorAction SilentlyContinue
Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" | Where-Object {$_.Name -like "drag2pdf"} | Remove-ItemProperty -Name "Value"
  1. Implement YARA rules to detect SectopRAT in memory:
    rule SectopRAT_ArechClient2 {
    meta:
    description = "Detects SectopRAT/ArechClient2 payload"
    strings:
    $s1 = "calli obfuscation pattern" wide ascii
    $s2 = "ArechClient2" wide ascii
    $s3 = "49c5e6d7577e447ba2f4d6747f56c473" ascii
    condition:
    any of them
    }
    

What Undercode Say

  • Multi-stage payload delivery has become the new standard for sophisticated attacks, with SmartApeSG demonstrating how threat actors sequentially deploy different malware families for specific purposes—initial access (Remcos), persistent remote control (NetSupport), data theft (StealC), and backdoor access (SectopRAT). This modular approach increases detection difficulty and ensures redundant access .
  • Abuse of legitimate tools with valid certificates (NetSupport RAT) represents a critical security gap. Organizations must move beyond signature-based detection to behavioral monitoring and application whitelisting. NetSupport’s continued use in attacks despite its legitimate origins highlights why Zero Trust principles, including application control, are essential .
  • Fileless execution and memory-only payloads (StealC, Remcos) bypass traditional endpoint protection by operating entirely in memory or using reflective loading. Security teams must prioritize endpoint detection and response (EDR) solutions with memory analysis capabilities and ensure PowerShell logging is enabled to capture these evasive techniques .
  • ClickFix social engineering has emerged as a highly effective attack vector, exploiting user trust in verification processes. The technique’s success rate is alarming because it requires manual user action that bypasses automated security controls. Organizations must focus on user education about this specific attack pattern and implement technical controls limiting Run dialog execution and clipboard-to-command-paste operations .
  • Infrastructure diversity in the SmartApeSG campaign, with separate C2 servers for each malware family, complicates network-based detection. Security teams should implement threat intelligence feeds to block known malicious domains and IPs while monitoring for beaconing patterns across multiple endpoints .

Prediction

The SmartApeSG campaign represents a blueprint for future malware distribution that will likely be adopted and adapted by other threat actors. We predict an increase in ClickFix-style attacks across email, messaging platforms, and even mobile devices, as the technique’s effectiveness becomes more widely recognized. Additionally, the use of multiple, sequentially deployed malware families will become standard practice, making infection chain analysis and complete remediation increasingly complex. Organizations that fail to implement comprehensive logging, user behavior analytics, and application control policies will remain vulnerable to these multi-stage attacks. The evolution toward memory-only payloads and legitimate tool abuse will continue, pushing defenders toward more sophisticated behavioral detection and Zero Trust architectures.

▶️ Related Video (74% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Johannesullrich Sans – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky