
2026-01-06: SmartApeSG CAPTCHA page uses ClickFix technique for Remcos RAT

Source: Malware Traffic Analysis, 06/01/2026, 17:48

Summary

AI-Generated

Key Points:

  • SmartApeSG delivers the Remcos RAT through a fake CAPTCHA page that uses the ClickFix technique; the chain begins with script injected into a compromised legitimate website.
  • Windows systems are affected. Remcos establishes persistence through a scheduled task and registry Run key changes, and its command-and-control traffic goes over HTTPS to 192.144.56.80.
  • Immediate actions: hunt proxy and DNS logs for the URLs and C2 address listed below, deploy endpoint detections for the ClickFix pattern (a command the user is tricked into pasting and running) and for DLL side-loading, and review hosts for unauthorized scheduled tasks and Run key entries.

Technical Details: The Remcos RAT is delivered in a ZIP archive containing an executable that side-loads a malicious DLL. It communicates over HTTPS with a known C2 address (192.144.56.80) and maintains persistence through both a scheduled task and registry modifications.

MITRE ATT&CK Techniques:

  • T1204.004 - User Execution: Malicious Copy and Paste (Execution) - the ClickFix step; the summary's original "T1203 - User Execution" mislabels T1203, which is Exploitation for Client Execution and does not apply here
  • T1574.002 - Hijack Execution Flow: DLL Side-Loading (Defense Evasion, Persistence)
  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys (Persistence)
  • T1053.005 - Scheduled Task/Job: Scheduled Task (Persistence)

IOCs Mentioned (URLs defanged, hxxps = https):

  • hxxps://dinozozo.com/menu.js
  • hxxps://pippyheydguide.com/redirect/profile-script.js
  • hxxps://lpiaretes.com/auth
  • SHA256: bcf13c1e79ebffba07dcc635c05a5d2f826fe75b4e69f7541b6ce6af4a5e31c0
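The following script is an added example for the hunting step above and is not part of the Malware Traffic Analysis post. It refangs the published URLs, extracts their hostnames, and matches them, together with the C2 address, against proxy log lines. The log format and the sample lines are constructed for illustration; the indicator values are the ones listed above.

```python
"""Hunt proxy logs for the SmartApeSG / Remcos indicators listed in this summary.

Added example, not code from the Malware Traffic Analysis post. The proxy
log format (timestamp, client, method, target, status) and the sample lines
below are constructed; adapt LINE_RE to your proxy's actual format.
"""
import re
from urllib.parse import urlsplit

# Indicators copied from the IOC list above, defanged as published.
DEFANGED_URLS = [
    "hxxps://dinozozo.com/menu.js",
    "hxxps://pippyheydguide.com/redirect/profile-script.js",
    "hxxps://lpiaretes.com/auth",
]
C2_IPS = {"192.144.56.80"}


def refang(url: str) -> str:
    """Undo common defanging so the indicator can be compared with live data."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", ".")
               .replace("[:]", ":"))


def indicator_hosts(defanged_urls):
    """Hostnames of the published URLs (matching on host, not full path,
    since the attacker can change paths cheaply)."""
    return {urlsplit(refang(u)).hostname for u in defanged_urls}


# Constructed sample log: one client touches the whole chain, another is clean.
SAMPLE_PROXY_LOG = """\
2026-01-06T17:40:01Z 10.0.0.23 GET https://www.example.com/ 200
2026-01-06T17:40:05Z 10.0.0.23 GET https://dinozozo.com/menu.js 200
2026-01-06T17:40:06Z 10.0.0.23 GET https://pippyheydguide.com/redirect/profile-script.js 200
2026-01-06T17:40:09Z 10.0.0.23 POST https://lpiaretes.com/auth 200
2026-01-06T17:41:30Z 10.0.0.23 CONNECT 192.144.56.80:443 200
2026-01-06T17:42:00Z 10.0.0.45 GET https://update.microsoft.com/ 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<target>\S+) (?P<status>\d+)$"
)


def target_host(target: str) -> str:
    """Hostname or IP of a request target: a full URL, or host:port for CONNECT."""
    if "://" in target:
        return urlsplit(target).hostname
    return target.rsplit(":", 1)[0]


def hunt_proxy_log(log_text: str):
    """Return (client, host, label) tuples for every line touching an indicator."""
    hosts = indicator_hosts(DEFANGED_URLS)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host = target_host(m["target"])
        if host in hosts:
            hits.append((m["client"], host, "ioc-domain"))
        elif host in C2_IPS:
            hits.append((m["client"], host, "c2-ip"))
    return hits


def affected_clients(log_text: str):
    """Clients that should be pulled for endpoint triage (tasks, Run keys)."""
    return sorted({client for client, _, _ in hunt_proxy_log(log_text)})


if __name__ == "__main__":
    for hit in hunt_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
    print("triage:", affected_clients(SAMPLE_PROXY_LOG))
```

A client that hits the script hosts and then opens a TLS connection to the C2 address, as 10.0.0.23 does in the sample, is the pattern to escalate: pull that host's scheduled tasks and Run keys and compare any dropped files against the SHA256 above.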
