Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to threat actors
6 malware families

SmartApeSG

Also known assmartapesg

SmartApeSG is a malware delivery threat actor/campaign also tracked as ZPHP and HANEYMANEY. The content links it to repeated ClickFix-style social engineering operations in which malicious scripts are injected into legitimate but compromised websites, victims are redirected to fake CAPTCHA or human-verification pages, and users are instructed to paste clipboard-injected commands into the Windows Run dialog. Reported delivery mechanisms include PowerShell and HTA downloaders, password-protected ZIP archives, and DLL side-loading. Malware families directly associated in the content include Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (also noted as ArechClient2), and one report also describes an unidentified initial RAT preceding NetSupport RAT. The content also describes a May 14, 2026 supply chain compromise in which SmartApeSG injected malicious JavaScript into the Okendo Reviews widget used by more than 18,000 brands; the staged loader used localStorage execution control, User-Agent filtering favoring desktop victims, XOR-based decoding of hidden next-stage URLs, and dynamic script loading before presenting ClickFix-style prompts. Observed follow-on behavior in the reporting includes remote access tool and information-stealer deployment, persistence via Windows Registry changes and scheduled tasks, and abuse of legitimate software for side-loading or remote access.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Consumer Discretionary Distribution & Retail

Where they target

Geographies tied to known operations.

  • 🇺🇸 United States
MITRE ATT&CK

Tradecraft

33 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

9 of 15 tactics46 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
3 techniques
T1189×7
Drive-by Compromise
T1195×3
Supply Chain Compromise
T1566
Phishing
T1566.003
Spearphishing via Service
TA0002
Execution
3 techniques
T1053
Scheduled Task/Job
T1053.005×2
Scheduled Task
T1059×2
Command and Scripting Interpreter
T1059.001×7
PowerShell
T1059.003×3
Windows Command Shell
T1059.005×2
Visual Basic
T1059.007×3
JavaScript
T1204×11
User Execution
T1204.002×5
Malicious File
T1204.004
Malicious Copy and Paste
TA0003
Persistence
4 techniques
T1053
Scheduled Task/Job
T1053.005×2
Scheduled Task
T1112
Modify Registry
T1505
Server Software Component
T1505.003
Web Shell
T1547
Boot or Logon Autostart Execution
T1547.001×2
Registry Run Keys / Startup Folder
TA0004
Privilege Escalation
3 techniques
T1053
Scheduled Task/Job
T1053.005×2
Scheduled Task
T1055
Process Injection
T1547
Boot or Logon Autostart Execution
T1547.001×2
Registry Run Keys / Startup Folder
TA0005
Stealth
6 techniques
T1027×3
Obfuscated Files or Information
T1027.003
Steganography
T1036×2
Masquerading
T1055
Process Injection
T1070
Indicator Removal
T1070.004
File Deletion
T1218
System Binary Proxy Execution
T1218.005×6
Mshta
T1497
Virtualization/Sandbox Evasion
T1497.001×2
System Checks
TA0112
Defense Impairment
1 technique
T1112
Modify Registry
TA0007
Discovery
1 technique
T1497
Virtualization/Sandbox Evasion
T1497.001×2
System Checks
TA0009
Collection
2 techniques
T1115×2
Clipboard Data
T1560
Archive Collected Data
TA0011
Command and Control
4 techniques
T1071×7
Application Layer Protocol
T1071.001
Web Protocols
T1095
Non-Application Layer Protocol
T1105×5
Ingress Tool Transfer
T1219×2
Remote Access Tools
ARSENAL

Associated malware families

6 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
NetSupport RATThe group has been linked to past campaigns that delivered dangerous tools including NetSupport RAT, Remcos RAT, StealC, and Sectop RAT.7Jun 19, 2026
StealCThe group has been linked to past campaigns that delivered dangerous tools including NetSupport RAT, Remcos RAT, StealC, and Sectop RAT.7Jun 19, 2026
RemcosThe group has been linked to past campaigns that delivered dangerous tools including NetSupport RAT, Remcos RAT, StealC, and Sectop RAT.6Jun 19, 2026
Sectop RATThe group has been linked to past campaigns that delivered dangerous tools including NetSupport RAT, Remcos RAT, StealC, and Sectop RAT.4Jun 19, 2026
SectopRATOperators connect via C2, run system reconnaissance, and can drop SectopRAT as a secondary payload.3Mar 8, 2026

1 additional family tracked in Mallory.

IOCS

Observables

55 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

55 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

12 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

12 SOURCESView more in app
cyber security newsNews
Jun 19, 2026
Hackers Abuse Third-Party Okendo Reviews Script to Spread SmartApeSG Malware Campaign

Conducted a supply chain attack by injecting malicious JavaScript into the Okendo Reviews widget to deliver malware to visitors of e-commerce websites. The campaign used staged JavaScript loading and social engineering to install remote access tools and information stealers on victim systems.

Read more
malware newsNews
Jun 18, 2026
SmartApeSG Launches Okendo Reviews Supply Chain Attack - Malware News - Malware Analysis, News and Indicators

Conducted a supply chain attack via the Okendo Reviews widget by injecting staged malicious JavaScript into a widely used third-party e-commerce component. The loader used obfuscation, environment checks, staged retrieval, and ClickFix-style social engineering to deliver follow-on malware including RATs and information stealers.

Read more
zscaler threat labzNews
Jun 18, 2026
SmartApeSG Supply Chain Attack Targets Okendo | ThreatLabz

Uses injected JavaScript as a staged loader to control execution, reconstruct hidden infrastructure, retrieve follow-on payloads, and support ClickFix-style infection chains that present fake CAPTCHA/verification prompts, instruct users to run copied commands via the Windows Run menu, retrieve PowerShell or HTA downloaders, and deploy remote access tools or information stealers.

Read more
sans iscNews
Jun 1, 2026
Unidentified RAT pushes NetSupport RAT - SANS ISC

ClickFix campaign delivering an unidentified initial RAT followed by a malicious NetSupport Manager RAT package, with changing daily indicators and C2 infrastructure.

Read more
+8 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping33

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal6

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables55

Domains, IPs, and hashes tied to this actor, refreshed continuously.