SmartApeSG ClickFix Campaign Delivers NetSupport RAT via Unidentified Initial Dropper
Researchers detail an infection chain starting with an unidentified RAT that delivered a NetSupport Manager RAT payload through the SmartApeSG ClickFix campaign.

On May 27, 2026, security analysts observed an infection chain in which an unidentified initial Remote Access Trojan (RAT) delivered a malicious NetSupport Manager RAT payload, all tied to the ongoing SmartApeSG ClickFix campaign. The initial RAT has been active since at least April 2026, consistently generating non-SSL/non-TLS traffic to a command-and-control (C2) server at 89.110.110[.]119 over TCP port 443. The campaign uses fake verification pages that prompt users to click through a sequence of steps to 'fix' their browser; in doing so, they unwittingly execute a malicious script.
The infection starts when a victim visits a SmartApeSG URL such as hiddenplanetlab[.]top. The ClickFix script then downloads and runs a VBS script (processor.vbs), which executes a batch file (token.bat). That batch file, in turn, extracts a Microsoft Cabinet archive (setup.cab) from the same URL and installs the NetSupport Manager RAT onto the Windows host. The RAT is placed in C:\ProgramData\UpdateInstaller\. After installation, token.bat deletes the original VBS, BAT, and CAB files to cover its tracks.
The NetSupport RAT communicates with its own C2 server, located at 185.163.47[.]217:443. This payload grants attackers interactive remote control over the compromised system, including screen viewing, file transfers, and command execution. The initial C2 server at 89.110.110[.]119 serves as a staging ground, pushing the follow-up NetSupport payload across the same encrypted TCP stream.
Analysts identified multiple domains and IPs associated with the campaign. SmartApeSG URLs observed on the day of infection include hiddenplanetlab[.]top and silverharvestnetwork[.]com. Additional infrastructure IPs include 178.156.165[.]82 and 178.156.173[.]194, both used for initial script downloads. The file hashes for the VBS, BAT, and CAB files have been documented, but researchers warn that indicators change on a daily basis, making threat hunting reliant on updated feeds.
The NetSupport Manager RAT package found in the CAB archive totaled 17.2 MB, sized to evade simple email gateway scanning while carrying full remote-control capabilities. The initial zip archive containing the first-stage RAT was 26.5 MB. These relatively large payloads suggest the attackers are not optimizing for delivery over low-bandwidth channels, but rather relying on the social-engineering success of the ClickFix page to do the heavy lifting.
The SmartApeSG campaign has been tracked by the community, with the @monitorsg Mastodon feed providing daily updates on changing domains and IP addresses. This incident underscores the persistence of ClickFix lures, which continue to be a favored initial-access vector for delivering commodity RATs like NetSupport. Organizations should remind users not to execute 'fix' instructions from web pages and to report suspicious pop-ups to IT.
The case also highlights the use of multi-stage malware delivery where the initial dropper remains unidentified. While NetSupport is a well-known legitimate remote-admin tool frequently abused in malicious campaigns, the unknown identity of the first-stage RAT adds a layer of complexity. Until that first-stage payload is named and analyzed, defenders must rely on behavioral indicators such as the specific non-SSL traffic pattern over port 443 and the SmartApeSG domain naming convention.
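
The non-SSL/non-TLS traffic on TCP port 443 named above as a behavioral indicator can be hunted without depending on the daily-changing IPs. The following is an added example, not code from the researchers: it checks the first client payload of each flow for an SSL/TLS hello. The flow-record fields (`dst`, `dport`, `first_payload`) and the sample flows are constructed assumptions.

```python
import struct

def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if payload opens with a TLS record carrying a ClientHello,
    or with an SSLv2-compatible CLIENT-HELLO."""
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03:
        minor = payload[2]
        rec_len = struct.unpack(">H", payload[3:5])[0]
        # Record versions 3.0-3.4; a plaintext record is at most 2^14 bytes.
        return minor <= 0x04 and 0 < rec_len <= 2**14 and payload[5] == 0x01
    if len(payload) >= 3 and payload[0] & 0x80 and payload[2] == 0x01:
        return True  # SSLv2 two-byte header, message type CLIENT-HELLO
    return False

def flag_non_tls_443(flows):
    """Return flows to TCP/443 that carried client data which is not an SSL/TLS hello."""
    hits = []
    for flow in flows:
        if flow["dport"] != 443 or not flow["first_payload"]:
            continue  # other ports, or no client data captured yet
        if not looks_like_tls_client_hello(flow["first_payload"]):
            hits.append(flow)
    return hits

# Constructed sample flows (documentation-range IPs, not campaign indicators).
SAMPLE_FLOWS = [
    # Ordinary TLS 1.x ClientHello inside a handshake record
    {"dst": "192.0.2.10", "dport": 443,
     "first_payload": bytes.fromhex("16030100c8010000c40303") + b"\x00" * 32},
    # Opaque binary protocol on 443: the pattern the article describes
    {"dst": "198.51.100.7", "dport": 443,
     "first_payload": b"\x4a\x11\x9c\x00\x02binary-beacon"},
    # Plain HTTP on port 80: out of scope for this check
    {"dst": "203.0.113.5", "dport": 80, "first_payload": b"GET / HTTP/1.1\r\n"},
    # Connection opened but no client payload seen
    {"dst": "192.0.2.44", "dport": 443, "first_payload": b""},
]

if __name__ == "__main__":
    for hit in flag_non_tls_443(SAMPLE_FLOWS):
        print("non-TLS traffic on 443 ->", hit["dst"])
```

Any non-TLS protocol on port 443 will match, so hits are a triage starting point to correlate with host artifacts such as files appearing under C:\ProgramData\UpdateInstaller\.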