DEV Community

Mark0

2026-01-22: SmartApeSG uses ClickFix technique to push Remcos RAT

This report details a SmartApeSG campaign observed on January 22, 2026, which utilizes the "ClickFix" social engineering technique to distribute malware. The attack sequence begins when a user visits a compromised website that displays a fake CAPTCHA page. This page tricks victims into executing a malicious script from their clipboard, which subsequently downloads a zip archive containing the Remcos RAT payload.

Upon execution, the malware establishes persistence on the victim's Windows host by using a legitimate executable, shotcut.exe, to side-load malicious components. Post-infection analysis shows that the Remcos RAT communicates with a Command and Control (C2) server over port 443, enabling remote access and control of the infected system.
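A detection sketch for the side-loading and C2 behaviour described above, added here as an example and not taken from the original report. It assumes Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records, assumes legitimate Shotcut installs live under Program Files, and uses constructed sample events.

```python
from ntpath import normcase, dirname, basename

# Assumption: directories where a legitimately installed Shotcut lives.
TRUSTED_DIRS = (r"c:\program files\shotcut", r"c:\program files (x86)\shotcut")
HOST_EXE = "shotcut.exe"  # side-loading host named in the report

def is_untrusted_host(image):
    """True when shotcut.exe runs from outside the trusted install dirs."""
    path = normcase(image)  # lowercases and normalises separators
    return basename(path) == HOST_EXE and dirname(path) not in TRUSTED_DIRS

def find_sideload_suspects(events):
    """Correlate Sysmon-style process-create (1) and network (3) events.

    Returns one finding per shotcut.exe process started from an untrusted
    directory, with any port-443 destinations that process connected to.
    """
    suspects = {}
    for ev in events:
        if ev["EventID"] == 1 and is_untrusted_host(ev["Image"]):
            suspects[ev["ProcessGuid"]] = {"image": ev["Image"], "c2_candidates": []}
    # Second pass so that event ordering in the log does not matter.
    for ev in events:
        hit = suspects.get(ev.get("ProcessGuid"))
        if hit and ev["EventID"] == 3 and ev["DestinationPort"] == 443:
            hit["c2_candidates"].append(ev["DestinationIp"])
    return list(suspects.values())

# Constructed sample events (paths, GUIDs and IPs are not from the report).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "A1", "Image": r"C:\Program Files\Shotcut\shotcut.exe"},
    {"EventID": 3, "ProcessGuid": "A1", "Image": r"C:\Program Files\Shotcut\shotcut.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "B2", "Image": r"C:\Users\alice\AppData\Local\Temp\x\Shotcut.exe"},
    {"EventID": 3, "ProcessGuid": "B2", "Image": r"C:\Users\alice\AppData\Local\Temp\x\Shotcut.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "ProcessGuid": "B2", "Image": r"C:\Users\alice\AppData\Local\Temp\x\Shotcut.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 80},
]

if __name__ == "__main__":
    for finding in find_sideload_suspects(SAMPLE_EVENTS):
        print(finding)
```

Port 443 traffic alone is too common to alert on; the signal here is the combination of a known side-loading host running from a user-writable path and its outbound connections.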

