#SmartApeSG
SmartApeSG script injected into page from compromised website.

SmartApeSG fake CAPTCHA page with ClickFix instructions.

Malware delivered through SmartApeSG persistent on an infected Windows host.

2026-04-06 (Monday): #ClickFix activity from the #SmartApeSG campaign. Not sure what malware was sent through the fake CAPTCHA page this time, but it's not the usual.

Indicators, a #pcap of the traffic, malware samples and other info available at malware-traffic-analysis.net/2026/04/06/i...


Compromised website > #SmartApeSG > #ClickFix:

Date Observed: 2026-01-22

IOCs:
hxxps://flautister[.]com/handler/dashboard-response[.]js
hxxp://98[.]142[.]251[.]63/con
hxxps://oilporter[.]com/con


Compromised website > #SmartApeSG > #ClickFix:

Date Observed: 2026-01-21

IOCs:
hxxps://touchkasablanka[.]com/logout/auth-server[.]js
hxxp://79[.]141[.]160[.]151/token
hxxps://lightspreme[.]com/token


Compromised website > #SmartApeSG > #ClickFix:

Date Observed: 2026-01-20

IOCs:
hxxps://triplecust[.]com/l
hxxps://touchkasablanka[.]com/api/public-server[.]js
hxxp://79[.]141[.]162[.]189/web
hxxps://minaretish[.]com/web


Compromised website > #SmartApeSG > #ClickFix:

Date Observed: 2026-01-16

IOCs:
hxxps://inklosers[.]top/secure/auth-service[.]js
hxxp://193[.]111[.]208[.]239/humble
hxxps://lirityfan[.]com/humble


Compromised website > #SmartApeSG > #ClickFix:

Date Observed: 2026-01-16

IOCs:
hxxps://triplecust[.]com/l
hxxps://qirtewd[.]com/secure/auth-service[.]js
hxxp://193[.]111[.]208[.]239/humble
hxxps://lirityfan[.]com/humble


Compromised website > #SmartApeSG > #ClickFix:

Date Observed: 2026-01-14

IOCs:
cpajoliette[.]com/d[.]js
qirtewd[.]com/logout/secure-util[.]js
89[.]46[.]38[.]118/lanny
paikailai[.]com/lanny
89[.]46[.]38[.]118/auth
Middleware[.]zip
32a5d357c7a44f567613ec2a47df7bdc5a78b89d8ebb364b568d0e30083a6e61


Compromised website > #SmartApeSG > #ClickFix:

Date Observed: 2026-01-13

IOCs:
hxxps://nixoperty[.]com/settings/logout-core[.]js
hxxp://193[.]111[.]208[.]239/sync
hxxps://lirityfan[.]com/sync


Compromised website > #SmartApeSG > #ClickFix:

Date Observed: 2026-01-13

IOCs:
hxxps://portwinejoke[.]icu/l
hxxps://qirtewd[.]com/settings/logout-core[.]js
hxxp://193[.]111[.]208[.]239/sync
hxxps://lirityfan[.]com/sync


Compromised website > #SmartApeSG > #ClickFix:

Date Observed: 2026-01-12

IOCs:
hxxps://portwinejoke[.]icu/l
hxxps://inforash[.]com/auth/logout-service[.]js
hxxp://98[.]142[.]251[.]115/cache
hxxps://tibetosi[.]com/cache

Screenshot from an infected Windows host showing Remcos RAT and how it is persistent.

2026-01-22 (Thursday): #RemcosRAT infection persistent on an infected Windows host. This was caused by #ClickFix instructions from #SmartApeSG through a fake CAPTCHA page. Details of this #Remcos #RAT infection are available at www.malware-traffic-analysis.net/2026/01/06/i...


Compromised website > #SmartApeSG > #ClickFix:

Date Observed: 2026-01-09

IOCs:
hxxps://portwinejoke[.]icu/l
hxxps://pippyheydguide[.]com/endpoint/callback-fetch[.]js
hxxp://89[.]46[.]38[.]5/micro
hxxps://buldiakogroup[.]com/micro


Compromised website > #SmartApeSG > #ClickFix:

Date Observed: 2026-01-08

IOCs:
hxxps://yuzagrisi[.]com/j[.]js
hxxps://foresposition[.]com/profile/redirect-hook[.]js
hxxp://89[.]46[.]38[.]5/rest
hxxps://buldiakogroup[.]com/rest


Compromised website > #SmartApeSG > #ClickFix:

Date Observed: 2026-01-07

IOCs:
mercedesheritage[.]com/j[.]js
pippyheydguide[.]com/dashboard/redirect-state[.]js
79[.]141[.]172[.]170/profile
qilsao[.]us/profile
79[.]141[.]172[.]170/moon
bcf13c1e79ebffba07dcc635c05a5d2f826fe75b4e69f7541b6ce6af4a5e31c0


Compromised website > #SmartApeSG > #ClickFix:

Date Observed: 2026-01-07

IOCs:
yuzagrisi[.]com/j[.]js
pippyheydguide[.]com/dashboard/redirect-state[.]js
79[.]141[.]172[.]170/profile
qilsao[.]us/profile
79[.]141[.]172[.]170/moon
bcf13c1e79ebffba07dcc635c05a5d2f826fe75b4e69f7541b6ce6af4a5e31c0


Compromised website > #SmartApeSG > #ClickFix:

Date Observed: 2026-01-06

IOCs:
hxxps://posibblaks[.]icu/redirect/profile-script[.]js
hxxp://193[.]111[.]208[.]238/auth
hxxps://deregulatedenergy[.]com/fdg2[.]zip
039b88209b3fb51bc0b4915ab2a1490de34448c6f5bfb66ac0fa3a5fa16927e8


Compromised website > #SmartApeSG > #ClickFix:

Date Observed: 2026-01-06

IOCs:
dinozozo[.]com/menu[.]js
pippyheydguide[.]com/redirect/profile-script[.]js
193[.]111[.]208[.]238/auth
deregulatedenergy[.]com/fdg2[.]zip
039b88209b3fb51bc0b4915ab2a1490de34448c6f5bfb66ac0fa3a5fa16927e8


Compromised website > #SmartApeSG > #ClickFix:

Date Observed: 2025-12-26

IOCs:
dinozozo[.]com/menu[.]js
loppyskapert[.]com/session/settings-module[.]js
79[.]141[.]160[.]28/machine
deregulatedenergy[.]com/fdg2[.]zip
039b88209b3fb51bc0b4915ab2a1490de34448c6f5bfb66ac0fa3a5fa16927e8


Compromised website > #SmartApeSG > #ClickFix:

Date Observed: 2025-12-24

IOCs:
hxxps://limenescarlett[.]top/router/callback-fetch[.]js
hxxp://193[.]42[.]38[.]178/auth
hxxps://deregulatedenergy[.]com/fdg2[.]zip
039b88209b3fb51bc0b4915ab2a1490de34448c6f5bfb66ac0fa3a5fa16927e8


Compromised website > #SmartApeSG > #ClickFix:

Date Observed: 2025-12-24

IOCs:
selcukpeker[.]com/d[.]js
mipisesho[.]top/router/callback-fetch[.]js
193[.]42[.]38[.]178/auth
deregulatedenergy[.]com/fdg2[.]zip
039b88209b3fb51bc0b4915ab2a1490de34448c6f5bfb66ac0fa3a5fa16927e8


Compromised website > #SmartApeSG > #ClickFix:

Date Observed: 2025-12-23

IOCs:
hxxps://toxicsnake-wifes[.]com/promise/scope[.]js
hxxp://79[.]141[.]172[.]212/int
hxxps://deregulatedenergy[.]com/fdg2[.]zip
039b88209b3fb51bc0b4915ab2a1490de34448c6f5bfb66ac0fa3a5fa16927e8


Compromised website > #SmartApeSG > #ClickFix:

Date Observed: 2025-12-23

IOCs:
hxxps://selcukpeker[.]com/d[.]js
hxxps://ourasolid[.]com/promise/scope[.]js
hxxp://79[.]141[.]172[.]212/int
hxxps://deregulatedenergy[.]com/fdg2[.]zip
039b88209b3fb51bc0b4915ab2a1490de34448c6f5bfb66ac0fa3a5fa16927e8


Compromised website > #SmartApeSG > #ClickFix:

Date Observed: 2025-12-22

IOCs:
hxxps://misiolove[.]com/websockets/local-storage[.]js
hxxps://positivelike[.]com/porsche
hxxps://deregulatedenergy[.]com/fdg2[.]zip
039b88209b3fb51bc0b4915ab2a1490de34448c6f5bfb66ac0fa3a5fa16927e8


Compromised website > #SmartApeSG > #ClickFix:

Date Observed: 2025-12-22

IOCs:
cansupeker[.]com/d[.]js
ourasolid[.]com/websockets/local-storage[.]js
positivelike[.]com/porsche
deregulatedenergy[.]com/fdg2[.]zip
039b88209b3fb51bc0b4915ab2a1490de34448c6f5bfb66ac0fa3a5fa16927e8


Compromised website > #SmartApeSG > #ClickFix:

Date Observed: 2025-12-19

IOCs:
hxxps://nishbashposv[.]com/typescript/code-splitting[.]js
hxxps://inclimit[.]com/proper
hxxps://deregulatedenergy[.]com/fdg2[.]zip
039b88209b3fb51bc0b4915ab2a1490de34448c6f5bfb66ac0fa3a5fa16927e8


Compromised website > #SmartApeSG > #ClickFix:

Date Observed: 2025-12-19

IOCs:
cansupeker[.]com/d[.]js
jacketinno[.]top/typescript/code-splitting[.]js
inclimit[.]com/proper
deregulatedenergy[.]com/fdg2[.]zip
039b88209b3fb51bc0b4915ab2a1490de34448c6f5bfb66ac0fa3a5fa16927e8

Example of a legitimate but compromised site showing the SmartApeSG fake CAPTCHA page.

HTTPS URLs from the infection run.

Traffic from an infection filtered in Wireshark.

Remcos RAT infection persistent on an infected Windows host.

2026-01-06 (Tuesday): #SmartApeSG CAPTCHA page uses #ClickFix technique to push #RemcosRAT, with #Remcos #RAT C2 server at 192.144.56[.]80. A #pcap of the traffic, the Remcos RAT #malware, and a list of indicators are available at www.malware-traffic-analysis.net/2026/01/06/i...

Screenshot of the post with the pcaps, files, and other info from the Kongtuke ClickFix activity using the finger command on 2025-12-11.

I finished compiling the information for #Kongtuke #ClickFix activity using the finger command on 2025-12-11, and it's now live at www.malware-traffic-analysis.net/2025/12/11/i...

I'd already posted the #SmartApeSG ClickFix activity using finger that same day, so now both are available.


Compromised website > #SmartApeSG > #ClickFix:

Date Observed: 2025-12-17

IOCs:
hxxps://juicekumyre[.]com/relay/graphql-client[.]js
hxxps://ninkilji[.]com/Bachelor[.]pdf
hxxps://deregulatedenergy[.]com/fdg2[.]zip
039b88209b3fb51bc0b4915ab2a1490de34448c6f5bfb66ac0fa3a5fa16927e8


Compromised website > #SmartApeSG > #ClickFix:

Date Observed: 2025-12-17

IOCs:
cansupeker[.]com/d[.]js
jacketinno[.]top/relay/graphql-client[.]js
ninkilji[.]com/Bachelor[.]pdf
deregulatedenergy[.]com/fdg2[.]zip
039b88209b3fb51bc0b4915ab2a1490de34448c6f5bfb66ac0fa3a5fa16927e8
