ClickFix Still Works - The NetSupport RAT Campaign - uMercs Threat Intelligence

The Social Engineering That Still Converts

SmartApeSG's ClickFix campaign is still running. Still active. Still converting victims into RAT-infected endpoints. The campaign dropped again this week with a fresh variant delivering NetSupport Manager - a legitimate remote access tool weaponized as a backdoor.

This isn't new operational tradecraft. ClickFix has been around for years. But persistence beats novelty. Last Wednesday (May 27), researchers caught another wave of compromises linked directly to SmartApeSG's infrastructure.

The attack pattern is straightforward and relies entirely on human error: fake browser verification pages + social engineering scripts + staged malware delivery. No zero-days. No exploits. Just trust manipulation at scale.

How the Attack Sequence Works

The initial infection starts with a ClickFix lure - typically fake "verify your browser" or "update required" pages. Victims click. A malicious JavaScript runs and drops an initial RAT, which establishes C2 communication back to attacker infrastructure.

From there, the attacker drops a secondary payload: NetSupport Manager packaged inside a cabinet (.cab) file. A batch script extracts it, installs it, makes it persistent, then deletes itself. By the time the victim reboots, they have a fully operational remote access tool with no trace of the installer.

The C2 infrastructure rotates frequently. Indicators of compromise - domains, IPs, file hashes - change on a daily basis. This is intentional: it degrades the signal-to-noise ratio for detection and keeps defenders constantly chasing moving targets.

Why NetSupport Manager Is the Perfect Secondary Payload

NetSupport Manager is legitimate software sold for remote support. It's signed. It's trusted. It has all the functionality an attacker needs: screen capture, keystroke logging, file transfer, and persistent C2.

The beauty for attackers is simplicity. They don't need to develop custom malware or maintain complex C2 infrastructure. They rent commodity access tools and rely on the fact that most organizations don't monitor for abuse of legitimate remote access software.

From a defender's perspective, this is the hard problem: distinguishing between legitimate remote support and attacker-controlled RAT activity. The tool itself isn't malicious. The intent is.

The Indicators You Should Know

From this week's infection (May 27, 2026), tracked indicators include:

  • Initial RAT C2: 89.110.110.119 on TCP port 443
  • NetSupport RAT C2: 185.163.47.217 on port 443
  • Malicious domains: hiddenplanetlab[.]top, silverharvestnetwork[.]com
  • File hash (initial RAT package): 1514b1268e9dc6d2f37137aa38c756cb4bf8186ac9235d6863b78e7f8bbbe976

These will change. New domains will spin up tomorrow. New infrastructure next week. Indicator-hunting alone won't stop this campaign. Pattern recognition will.

What to Do This Week

First: Run email filtering rules against hiddenplanetlab[.]top and silverharvestnetwork[.]com. Block them at the gateway. Alert on any outbound connections to the C2 IPs listed above.

Second: Review your remote access tool deployments. NetSupport Manager, TeamViewer, AnyDesk, Splashtop - audit who has licenses and who's actually using them. Cross-reference against your endpoint security logs. Unauthorized instances are a red flag.

Third: Run user awareness training specifically around fake browser alerts and verification pages. ClickFix works because users trust browser warnings. A single user preventing this attack is worth more than a dozen detection rules that fire after the fact.

None of this requires new tools or significant investment. It requires someone actually looking at the data you already have.
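The first step above, as an added example that is not part of the original post: a small Python matcher that refangs the published indicators and runs them over constructed proxy log lines. The key=value log format, the field names (src, dst, dport, host) and the sample lines are assumptions; the indicators themselves are the ones listed above.

```python
import ipaddress
import re

# Indicators exactly as published above, in defanged form.
RAW_IOCS = [
    "89.110.110.119",              # initial RAT C2, TCP 443
    "185.163.47.217",              # NetSupport RAT C2, TCP 443
    "hiddenplanetlab[.]top",
    "silverharvestnetwork[.]com",
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp://, [.], [:]) back into a matchable value."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxps?://", "", s)
    return s.replace("[.]", ".").replace("[:]", ":")

IOC_IPS, IOC_DOMAINS = set(), set()
for raw in RAW_IOCS:
    value = refang(raw)
    try:
        IOC_IPS.add(str(ipaddress.ip_address(value)))
    except ValueError:             # not an IP address, so treat it as a domain
        IOC_DOMAINS.add(value)

# Assumed log format: one event per line as key=value pairs (src, dst, dport, host).
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def scan_log(lines):
    """Return (line_no, rule, value) for every line whose dst IP or host hits an indicator."""
    alerts = []
    for n, line in enumerate(lines, 1):
        f = dict(FIELD_RE.findall(line))
        dst, host = f.get("dst", ""), f.get("host", "").lower().rstrip(".")
        if dst in IOC_IPS:
            alerts.append((n, "ioc-ip", dst))
        # A listed domain and any subdomain of it both count as a hit.
        if host and any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            alerts.append((n, "ioc-domain", host))
    return alerts

# Constructed sample lines, not real traffic; non-IOC addresses use documentation ranges.
SAMPLE_LOG = [
    "ts=2026-05-27T10:01:02Z src=10.0.0.12 dst=203.0.113.10 dport=443 host=www.example.com action=allow",
    "ts=2026-05-27T10:01:09Z src=10.0.0.12 dst=89.110.110.119 dport=443 host=- action=allow",
    "ts=2026-05-27T10:02:40Z src=10.0.0.12 dst=203.0.113.5 dport=443 host=cdn.hiddenplanetlab.top action=allow",
    "ts=2026-05-27T10:03:15Z src=10.0.0.12 dst=185.163.47.217 dport=443 host=- action=allow",
]
for n, rule, value in scan_log(SAMPLE_LOG):
    print(f"line {n}: {rule} {value}")
```

Because the indicators rotate daily, treat RAW_IOCS as a feed you refresh rather than a fixed list, and keep the refang step so copy-pasted defanged values still match.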

Why This Matters for Your Org

SmartApeSG has been operating for years. They've compromised thousands of endpoints. They're not stopping, because ClickFix works - not because it's advanced, but because it converts. Social engineering at scale beats sophisticated malware most of the time.

Your team is probably already defending against the technical attacks. The organizational risk this week is human. One click. One verification page. One compromised endpoint.

Watch for it. Train for it. Monitor for it.

GET IN TOUCH

uMercs runs offensive security engagements - pen testing, red team operations, and threat simulation. We test your defenses against real-world attack patterns like ClickFix before someone else does. Contact us at umercs.com or info@umercs.com.

Sources

SANS Internet Storm Center: "Unidentified RAT pushes NetSupport RAT" - Brad Duncan, June 1, 2026
@monitorsg (Mastodon): SmartApeSG daily indicator updates and threat tracking