Using a social engineering method called ClickFix, SmartApeSG has been seen pushing several types of malware. The campaign, which was still going on as of March 24, 2026, sent four different types of malware to a single infected host in one session.
SmartApeSG is designed to give attackers deep and varied access to a victim machine from a single infection event. This is clear from the overall payload mix, which includes a keylogger-capable RAT, a remote support tool turned against users, a credential stealer, and a second RAT. One of the more technically interesting things about this campaign is how it hides malicious code inside packages that also contain legitimate software.
DLL side-loading is the method used by the Remcos, StealC, and Sectop RAT archive files. It uses a known and trusted executable file to load a malicious DLL file without anyone knowing.
It is strongly recommended that businesses block the domains urotypos[.]com and fresicrto[.]top at the DNS and firewall levels. Employees should be taught never to paste or run clipboard content that a website tells them to. Security teams should also keep an eye out for HTA files that run when they shouldn't and DLL files that load in strange ways in user-accessible folders like AppData and ProgramData.
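The monitoring advice above can be turned into a small triage pass over endpoint telemetry. This is an added example, not code from the article or from any vendor: it assumes events arrive as dicts that use Sysmon field names (Event ID 1 ProcessCreate, 7 ImageLoad, 22 DnsQuery), and every path and file name in the sample is constructed.

```python
import re

# Domains named in the article, stored defanged and refanged only for matching.
BLOCKED = {d.replace("[.]", ".") for d in ("urotypos[.]com", "fresicrto[.]top")}
# User-writable locations the article calls out.
USER_DIRS = re.compile(r"\\(appdata|programdata)\\", re.IGNORECASE)

def _dir(path):
    """Lower-cased parent directory of a Windows path."""
    return path.lower().rpartition("\\")[0]

def triage(event):
    """Return a list of findings for one Sysmon-style event dict."""
    eid, hits = event.get("EventID"), []
    image = event.get("Image", "")
    if eid == 1 and image.lower().endswith("\\mshta.exe"):
        # ProcessCreate: report every mshta.exe launch with its parent for review.
        hits.append("hta-exec: parent=" + event.get("ParentImage", "?"))
    elif eid == 7:
        dll = event.get("ImageLoaded", "")
        # ImageLoad: unsigned DLL loaded from the same user-writable folder as its host.
        if (USER_DIRS.search(dll) and _dir(dll) == _dir(image)
                and event.get("Signed") == "false"):
            hits.append("sideload-candidate: " + dll)
    elif eid == 22:
        q = event.get("QueryName", "").lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in BLOCKED):
            hits.append("blocked-domain: " + q.replace(".", "[.]"))
    return hits

# Constructed sample events (paths and file names are placeholders, not IoCs).
SAMPLE = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 7, "Image": r"C:\Users\a\AppData\Local\Pkg\host.exe",
     "ImageLoaded": r"C:\Users\a\AppData\Local\Pkg\helper.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": 22, "QueryName": "cdn.urotypos.com"},
]

def run(events=SAMPLE):
    """Triage each event and return the findings in input order."""
    return [triage(e) for e in events]

if __name__ == "__main__":
    for findings in run():
        print(findings)
```

The side-load rule only raises candidates: legitimate per-user installers also place unsigned DLLs beside their executables, so hits need an allowlist or a reviewer.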