Executive Summary
In late May 2026, the SmartApeSG campaign employed a ClickFix-style fake CAPTCHA page to deliver an unidentified Remote Access Trojan (RAT) to Windows systems. This initial RAT established a connection to a command and control server at 89.110.110[.]119 over TCP port 443, facilitating the subsequent download and installation of the NetSupport Manager RAT. The infection chain involved multiple stages, including the execution of malicious scripts and the deployment of various files to ensure persistence on the compromised host.
This incident underscores the evolving tactics of threat actors who leverage social engineering techniques, such as fake verification pages, to deceive users into executing malicious code. The use of legitimate tools like NetSupport Manager for malicious purposes highlights the challenges in detecting and mitigating such threats, emphasizing the need for continuous monitoring and advanced threat detection mechanisms.
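The one hard network indicator in this summary is the first-stage RAT's command and control server at 89.110.110[.]119 on TCP/443. The following is an added example, not code from the report or from any of its cited sources: a small Python matcher that refangs the indicator, parses outbound connection records from a constructed key=value firewall export (the field names ts, host, dir, proto, src, dst, dport and action are assumptions about the log format, not a real product schema), and returns one alert per host that attempted the connection, whether the firewall allowed or denied it, since a denied attempt still identifies an infected host.

```python
"""Match outbound firewall records against the C2 indicator from the SmartApeSG summary.

Added example for illustration; the log format and field names below are
constructed assumptions, not the schema of any specific firewall product.
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicator as published in the summary, kept defanged so it is safe to paste
# into tickets and chat; refang() converts it only at match time.
C2_INDICATORS = {("89.110.110[.]119", 443)}

# Matches key=value pairs, allowing quoted values with spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Alert:
    host: str
    dst_ip: str
    dst_port: int
    timestamp: str
    action: str


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 89.110.110[.]119 back into its routable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def parse_line(line: str) -> dict:
    """Parse one key=value log record into a dict; unparseable lines yield an empty dict."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def find_c2_connections(log_lines, indicators=C2_INDICATORS):
    """Return an Alert for every outbound TCP record whose destination matches an indicator."""
    wanted = {(ipaddress.ip_address(refang(ip)), port) for ip, port in indicators}
    alerts = []
    for line in log_lines:
        f = parse_line(line)
        # Only outbound TCP is relevant: the summary describes a TCP/443 C2 channel.
        if f.get("dir") != "out" or f.get("proto", "").lower() != "tcp":
            continue
        try:
            dst = ipaddress.ip_address(f["dst"])
            dport = int(f["dport"])
        except (KeyError, ValueError):
            continue  # malformed or incomplete record; skip rather than crash
        if (dst, dport) in wanted:
            alerts.append(Alert(
                host=f.get("host", "unknown"),
                dst_ip=str(dst),
                dst_port=dport,
                timestamp=f.get("ts", "unknown"),
                action=f.get("action", "unknown"),
            ))
    return alerts


def hosts_to_isolate(alerts):
    """Distinct hosts that reached for the C2, sorted for a containment ticket."""
    return sorted({a.host for a in alerts})


# Constructed sample records. 203.0.113.10 is an RFC 5737 documentation address
# standing in for ordinary benign traffic.
SAMPLE_LOG = [
    'ts=2026-05-28T14:02:11Z host=WS-0142 dir=out proto=tcp src=10.20.1.42 sport=51234 dst=89.110.110.119 dport=443 action=allow',
    'ts=2026-05-28T14:02:12Z host=WS-0142 dir=out proto=tcp src=10.20.1.42 sport=51235 dst=203.0.113.10 dport=443 action=allow',
    'ts=2026-05-28T14:05:40Z host=WS-0077 dir=out proto=udp src=10.20.1.77 sport=5353 dst=89.110.110.119 dport=443 action=allow',
    'ts=2026-05-28T14:07:03Z host=WS-0077 dir=out proto=tcp src=10.20.1.77 sport=51900 dst=89.110.110.119 dport=443 action=deny',
    'this line is not a valid record',
]

if __name__ == "__main__":
    found = find_c2_connections(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("isolate:", hosts_to_isolate(found))
```

On the constructed sample this yields two alerts (WS-0142 allowed, WS-0077 denied) and skips the UDP record and the malformed line; a single IP-and-port match is a starting point for triage, not proof of infection, so pair it with host-level evidence of the ClickFix script execution and the NetSupport Manager installation described above.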
Why This Matters Now
The SmartApeSG campaign's use of sophisticated social engineering tactics and multi-stage infection chains demonstrates the increasing complexity of cyber threats. Organizations must remain vigilant and implement robust security measures to defend against such evolving attack vectors.
Attack Path Analysis
The attack began with users being tricked into executing a malicious script via a fake CAPTCHA page, leading to the download and execution of an initial Remote Access Trojan (RAT). The RAT then escalated privileges to maintain persistence on the infected system. Subsequently, the attacker moved laterally within the network by deploying additional malware such as NetSupport RAT. The compromised systems established command and control channels to external servers, allowing remote control by the attacker. Sensitive data was exfiltrated from the infected hosts to the attacker's infrastructure. Finally, the attacker achieved their objectives, potentially causing data theft and system compromise.
Kill Chain Progression
Initial Compromise
Description
Users were deceived into executing a malicious script via a fake CAPTCHA page, leading to the download and execution of an initial Remote Access Trojan (RAT).
MITRE ATT&CK® Techniques
Spearphishing Attachment
Malicious File
Registry Run Keys / Startup Folder
Web Protocols
Ingress Tool Transfer
Windows Command Shell
Obfuscated Files or Information
Match Legitimate Name or Location
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities by installing applicable security patches
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
RAT attacks enable lateral movement bypassing zero trust segmentation, threatening encrypted transactions and triggering NIST compliance violations in banking infrastructure.
Health Care / Life Sciences
NetSupport RAT C2 traffic compromises patient data encryption requirements, violating HIPAA 164.312(e)(1) and enabling exfiltration of protected health information.
Information Technology (IT)
Unidentified RAT targeting multi-cloud environments exploits east-west traffic vulnerabilities, compromising Kubernetes security and client infrastructure management capabilities.
Government Administration
ClickFix campaign RAT infections bypass egress filtering controls, threatening sensitive government data through command and control channels requiring enhanced threat detection.
Sources
- Unidentified RAT pushes NetSupport RAT (Mon, Jun 1st): https://isc.sans.edu/diary/rss/33034
- SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2): https://isc.sans.edu/diary/SmartApeSG%2Bcampaign%2Bpushes%2BRemcos%2BRAT%2BNetSupport%2BRAT%2BStealC%2Band%2BSectop%2BRAT%2BArechClient2/32826
- Think before you Click(Fix): Analyzing the ClickFix social engineering technique: https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/
- SmartApeSG uses fake CAPTCHAs to deploy NetSupport RAT and StealC v2: https://www.broadcom.com/support/security-center/protection-bulletin/smartapesg-uses-fake-captchas-to-deploy-netsupport-rat-and-stealc-v2
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The initial compromise may have been detected and contained at the workload level, reducing the likelihood of the RAT establishing a foothold.
Control: Zero Trust Segmentation
Mitigation: Privilege escalation attempts could have been constrained, limiting the attacker's ability to gain higher-level access.
Control: East-West Traffic Security
Mitigation: Lateral movement may have been restricted, reducing the attacker's ability to propagate malware across systems.
Control: Multicloud Visibility & Control
Mitigation: Command and control communications could have been identified and disrupted, limiting the attacker's remote control capabilities.
Control: Egress Security & Policy Enforcement
Mitigation: Data exfiltration attempts may have been detected and blocked, reducing the risk of data loss.
The overall impact could have been minimized, limiting the extent of data theft and system compromise.
Impact at a Glance
Affected Business Functions
- n/a
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of sensitive data due to remote access capabilities of NetSupport RAT.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within the network.
- Deploy Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to malicious activities promptly.
- Enforce East-West Traffic Security to monitor and control internal network communications, limiting the spread of malware.
- Apply Inline IPS (Suricata) to detect and prevent known exploit patterns and malicious payloads.