Campaign uses ClickFix page to push NetSupport RAT

Dec. 21, 2025, 6:49 p.m.

Description

The SmartApeSG campaign, also known as ZPHP or HANEYMANEY, has evolved from using fake browser update pages to employing ClickFix-style fake CAPTCHA pages. This campaign distributes malicious NetSupport RAT packages as its initial infection vector. The attack chain begins with an injected script on compromised websites, which, under certain conditions, displays a fake CAPTCHA page. When users interact with this page, malicious content is injected into the Windows clipboard, prompting users to paste and execute it. This leads to the download and installation of NetSupport RAT, which maintains persistence through a Start Menu shortcut. The campaign frequently changes domains, packages, and C2 servers to evade detection.

External References

https://otx.alienvault.com/pulse/69370db0cd2bc81cbbe13d51
https://isc.sans.edu/diary/32474
Tags
persistence
clickfix
netsupport rat
fake captcha
clipboard injection
2025-12-08
haneymaney
zphp

Date

  • Created: Dec. 8, 2025, 5:41 p.m.
  • Published: Dec. 8, 2025, 5:41 p.m.
  • Modified: Dec. 21, 2025, 6:49 p.m.

Indicators

  • 1e9a1be5611927c22a8c934f0fdd716811e0c93256b4ee784fadd9daaf2459a1
  • 194.180.191.121
  • www.iconconsultants.com
Download all indicators here!

Attack Patterns

  • NetSupport RAT
  • SmartApeSG

Additional Informations

  • newstarmold.com
  • frostshiledr.com