This report details SmartApeSG activity observed on April 23, 2026, and highlights a new password scheme for the associated zip files. The infection chain starts with web traffic to fake CAPTCHA pages hosted on the domains ibharcan.com and nexaflowlab.top. Those pages carry an injected SmartApeSG script, which in turn deploys a "ClickFix" script; the ClickFix lure walks the victim through running a command themselves, and that step generates the further malicious traffic described below.
The chain culminates in the download of a password-protected zip archive from solidpathcore.com/bpp. This large archive, identified by SHA256 017d87bd080eb4714414ffb0b87b6f142ca5bd2dfc7cf05d163be952ba18202d, bundles a legitimate software package with a malicious DLL that the legitimate executable side-loads. Once running, the malware persists on the compromised Windows host through both a Windows Registry update and a scheduled task, and it communicates over encoded TCP with 89.110.110.119:443. Note that the report describes this traffic as encoded rather than as TLS, so the use of port 443 alone should not be taken to mean the channel is TLS when writing detections.
The report also provides Indicators of Compromise (IOCs), including the URLs and IP addresses associated with the malicious traffic and downloads. Visual evidence (screenshots of the injected script, the fake CAPTCHA pages, the ClickFix instructions, Wireshark traffic analysis, and the Registry and scheduled-task persistence) illustrates the attack vector and the post-exploitation activity.
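As an added example (not part of the original report), the script below turns the IOCs listed above into an offline matcher: it labels proxy and connection log lines that touch the fake CAPTCHA domains, the payload download URL, or the C2 socket, and checks a file hash against the archive's SHA256. The log format and the log lines are constructed for the example; the client and proxied destination addresses are private or TEST-NET ranges, and only the indicators themselves come from the report. A real deployment would replace `SAMPLE_LOG` and the one-line parser with the organisation's own proxy or NetFlow export.

```python
"""Offline IOC matcher for the SmartApeSG / ClickFix indicators in this report.
Added example: the log lines are constructed, not captured traffic."""
import hashlib
from urllib.parse import urlparse

# Indicators from the report. Labels distinguish the lure domains from the payload host.
IOC_DOMAINS = {
    "ibharcan.com": "fake_captcha",
    "nexaflowlab.top": "fake_captcha",
    "solidpathcore.com": "payload_host",
}
IOC_URLS = {"solidpathcore.com/bpp"}  # host + path, scheme-agnostic
IOC_C2 = {("89.110.110.119", 443)}    # encoded TCP, not necessarily TLS
IOC_SHA256 = {"017d87bd080eb4714414ffb0b87b6f142ca5bd2dfc7cf05d163be952ba18202d"}

# Constructed sample in an assumed "ts client dst:port method url" layout.
# 10.0.0.15 is the hypothetical victim; 203.0.113.0/24 is TEST-NET-3 (proxy egress).
SAMPLE_LOG = """\
2026-04-23T14:02:11Z 10.0.0.15 203.0.113.10:443 GET https://www.example.org/index.html
2026-04-23T14:02:20Z 10.0.0.15 203.0.113.21:443 GET https://www.ibharcan.com/verify
2026-04-23T14:02:25Z 10.0.0.15 203.0.113.22:443 GET https://nexaflowlab.top/cdn/app.js
2026-04-23T14:03:07Z 10.0.0.15 203.0.113.30:443 GET https://solidpathcore.com/bpp
2026-04-23T14:05:40Z 10.0.0.15 89.110.110.119:443 TCP -
2026-04-23T14:05:41Z 10.0.0.15 89.110.110.119:8443 TCP -
"""


def domain_label(host):
    """Return the IOC label for host if it equals, or is a subdomain of, an IOC domain."""
    host = host.lower().rstrip(".")
    for dom, label in IOC_DOMAINS.items():
        if host == dom or host.endswith("." + dom):
            return label
    return None


def classify_url(url):
    """Exact payload URL first, then any IOC domain (including subdomains)."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host + p.path in IOC_URLS:
        return "payload_download"
    return domain_label(host)


def classify_connection(ip, port):
    """Exact C2 socket is a strong hit; same IP on another port is worth a look."""
    if (ip, port) in IOC_C2:
        return "c2_socket"
    if any(ip == c2_ip for c2_ip, _ in IOC_C2):
        return "c2_ip_other_port"
    return None


def scan_log(text):
    """Return (ts, client, dst, url, label) for every line that matches an IOC."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dst, _method, url = line.split(maxsplit=4)
        ip, port = dst.rsplit(":", 1)
        label = classify_url(url) if url != "-" else None
        if label is None:
            label = classify_connection(ip, int(port))
        if label:
            hits.append((ts, client, dst, url, label))
    return hits


def hash_matches(data):
    """True if the SHA256 of data is the reported archive hash."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

The subdomain check matters because the report lists bare domains while the lure pages may be served from a hostname under them; matching on label boundaries (`host.endswith("." + dom)`) avoids false positives such as `notibharcan.com`. The hash check is only useful for files already on disk, since the archive is password-protected and cannot be inspected inline.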