
AnonymousMedia.org

  • At The WBC: Mark DeRosa Screwed Up & Then MLB Streisanded The Story



    techdirt.com – advocacy




    03/13/2026
  • SmartApeSG campaign uses ClickFix page to push Remcos RAT



    Introduction

    This diary describes a Remcos RAT infection that I generated in my lab on Thursday, 2026-03-11. This infection was from the SmartApeSG campaign that used a ClickFix-style fake CAPTCHA page.

    My previous in-depth diary about SmartApeSG (ZPHP, HANEYMANEY) was in November 2025, when I saw NetSupport Manager RAT. Since then, I’ve fairly consistently seen what appears to be Remcos RAT from this campaign.

    Finding SmartApeSG Activity

    As previously noted, I find SmartApeSG indicators from the Monitor SG account on Mastodon, and I use URLscan to pivot on those indicators to find compromised websites with injected SmartApeSG script.

    Details

    Below is an image of HTML in a page from a legitimate but compromised website that shows the injected SmartApeSG script.



    Shown above: Page from a legitimate but compromised site that highlights the injected SmartApeSG script.

    The injected SmartApeSG script generates a fake CAPTCHA-style “verify you are human” page, which displays ClickFix-style instructions after the user checks a box on the page. A screenshot from this infection is shown below, and it notes the ClickFix-style script injected into the user’s clipboard. Users are instructed to open a Run window, paste the script into it, and hit the Enter key.



    Shown above: Fake CAPTCHA page generated by a legitimate but compromised site, showing the ClickFix-style command.

    I used Fiddler to reveal URLs from the HTTPS traffic, and I recorded the traffic and viewed it in Wireshark. Traffic from the infection chain is shown in the image below.



    Shown above: Traffic from the infection in Fiddler and Wireshark.

    After running the ClickFix-style instructions, the malware was sent as a ZIP archive and saved to disk with a .pdf file extension. This appears to be Remcos RAT in a malicious package that uses DLL side-loading to run the malware. This infection was made persistent with an update to the Windows Registry.



    Shown above: Malware from the infection persistent on an infected Windows host.

    Indicators of Compromise

    SmartApeSG script injected into a page from a legitimate but compromised site:

    • hxxps[:]//cpajoliette[.]com/d.js

    Traffic to domain hosting the fake CAPTCHA page:

    • hxxps[:]//retrypoti[.]top/endpoint/signin-cache.js
    • hxxps[:]//retrypoti[.]top/endpoint/login-asset.php?Iah0QU0N
    • hxxps[:]//retrypoti[.]top/endpoint/handler-css.js?00109a4cb788daa811

    Traffic generated by running the ClickFix-style script:

    • hxxp[:]//forcebiturg[.]com/boot 
    • hxxps[:]//forcebiturg[.]com/boot 
    • hxxp[:]//forcebiturg[.]com/proc 
    • hxxps[:]//forcebiturg[.]com/proc 

    Post-infection traffic for Remcos RAT:

    • 193.178.170[.]155:443 – TLSv1.3 traffic using self-signed certificate

    Example of ZIP archive for Remcos RAT:

    • SHA256 hash: b170ffc8612618c822eb03030a8a62d4be8d6a77a11e4e41bb075393ca504ab7
    • File size: 92,273,195 bytes
    • File type: Zip archive data, at least v2.0 to extract, compression method=deflate
    • Example of saved file location: C:\Users\[username]\AppData\Local\Temp\594653818\594653818.pdf

    Of note, the files, URLs and domains for SmartApeSG activity change on a near-daily basis, and the indicators described in this article are likely no longer current. However, the overall patterns of activity for SmartApeSG have remained fairly consistent over the past several months.
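Because the hashes and domains rotate but the delivery pattern stays the same, a content-versus-extension check catches the ZIP-saved-as-.pdf staging described above regardless of the day's indicators. The following is an added example, not code from the diary or its author; the function names and the sample files are constructed for illustration, and only the `594653818` directory and file name are taken from the example path listed above.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

# Well-known leading bytes ("magic") of the formats relevant here.
MAGIC = {b"%PDF-": "pdf", b"PK\x03\x04": "zip", b"PK\x05\x06": "zip", b"MZ": "pe"}
# Extensions that promise a document; extend with the types your users open.
DOC_EXTS = {".pdf": "pdf"}


def sniff(path: Path) -> str:
    """Return the type implied by the file's first bytes, or 'unknown'."""
    with path.open("rb") as fh:
        head = fh.read(8)
    return next((kind for magic, kind in MAGIC.items() if head.startswith(magic)), "unknown")


def find_disguised(root: Path) -> list[dict]:
    """Flag files whose extension claims a document but whose content is not one."""
    hits = []
    for path in sorted(root.rglob("*")):
        expected = DOC_EXTS.get(path.suffix.lower())
        if expected is None or not path.is_file():
            continue
        actual = sniff(path)
        if actual != expected:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            hits.append({"path": path, "claims": expected, "actual": actual, "sha256": digest})
    return hits


def build_sample(root: Path) -> None:
    """Constructed, benign sample tree: a real PDF header, a ZIP named .pdf, an honest ZIP."""
    (root / "report.pdf").write_bytes(b"%PDF-1.7\n% constructed sample\n")
    staged = root / "594653818"  # mirrors the Temp sub-directory layout in the diary
    staged.mkdir()
    with zipfile.ZipFile(staged / "594653818.pdf", "w") as zf:
        zf.writestr("readme.txt", "constructed sample, benign")
    with zipfile.ZipFile(root / "backup.zip", "w") as zf:
        zf.writestr("a.txt", "benign")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        for hit in find_disguised(Path(tmp)):
            print(f"{hit['path'].name}: claims {hit['claims']}, is {hit['actual']}, sha256={hit['sha256']}")
```

Pointed at a user's `AppData\Local\Temp` directory, the same function reports the SHA256 of each mismatch so it can be compared against published hashes.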

    —

    Bradley Duncan

    brad [at] malware-traffic-analysis.net




    03/13/2026
  • Joy at Death & Destruction – Consortium News



    After the genocide in Gaza, and now on a far larger field in Iran, those in power in Israel and the U.S. have a lust to kill and revel in impunity. There’s an urgent need for regime change – in the West.

    Attack around Enghelab Square in Tehran on March 3. (Tasnim News Agency, Wikimedia Commons/ CC BY 4.0)

    By Craig Murray
    CraigMurray.org.uk

    The United States and Israel are both reveling in inflicting the maximum possible death and suffering on Iran.

    After the genocide in Gaza, on a far larger field in Iran, those in power in Israel and the U.S. have a lust to kill and they revel in impunity.

    The Epstein Files reveal the same dynamic. We live in a society where those who obtain power wish to exercise it in the cruellest possible ways against the most defenceless.

    It appears to be a feature of late Western capitalist society, where sociopathic tendencies are essential to obtaining power in a society which rejects altruism and cooperation as concepts and promotes competition, self-love and ruthlessness.

    Iran is showing commendable fighting spirit, but American military power should not be underestimated. They have the ability to destroy Iran from the air, to obliterate the institutions of the state and all of the key civilian infrastructure. Electricity, water, healthcare, education, administration, policing all can be knocked out just as they were systematically in Gaza and — on a scale insufficiently recalled — in Iraq.

    Trump is already asking Congress for $50 billion to fund the operation and replenish stocks. The scale of destruction Israeli Prime Minister Benjamin Netanyahu envisages will cost at least half a trillion dollars from the U.S. Treasury. But there is nothing that can stop them.

    If modern war history shows us anything it’s once you start sending troops the number keeps going up especially when the war is a debacle. And leaders would rather pass off the problem to the next administration rather than be the one to admit defeat https://t.co/h2fR7mvxns

    — Mike Prysner (@MikePrysner) March 13, 2026

    I witnessed close up over five months the 80 to 100,000 homes destroyed in Lebanon by Israel in the last three years. We have all seen what they did to Gaza. The notion they cannot do this to Iran is simply wrong. It requires a colossal effort of will, a mania for killing, a vast amount of money and the depletion of the U.S. arsenal. But they can do it.

    Only political action by the peoples of the West against their leaders can stop it.

    Iran and its allies have been the only physical opposition to the creation of Greater Israel. If the physical destruction of Iran is achieved, Greater Israel will be established at pace.

    One of the world’s greatest civilisations will lie in ashes, covering millions of corpses, but none of that will prevent the extraction of oil.

    Pete Hegseth, U.S. secretary for war, simply comes over as a Nazi thug. He plainly is enjoying this as much as Netanyahu, Israeli National Security Minister Itamar Ben Gvir or Israeli Finance Minister Bezalel Smotrich. He has gloatingly promised “Death and destruction from the sky, all day long.” He repeatedly signals ever-escalating bombing.

    The Iranian Red Crescent has listed the bombing destruction as of March 7. By then it included:

    • 5,535 civilian residential units
    • 1,041 commercial units
    • 65 schools
    • 14 hospitals and medical centres
    • 13 Red Crescent Society bases

    By contrast, there has been no credible claim that Iran has inflicted widespread civilian damage. It has very tightly targeted specific facilities — collateral damage seems almost entirely confined to debris from intercepted drones and missiles.

    But we know the U.S.-Israel axis targets hospitals and medical facilities. It is proven beyond doubt in Gaza, and I witnessed it in Beirut.

    In gloating about U.S. military superiority, Trump advised Iranian civilians: “Don’t leave your home. It’s very dangerous outside. Bombs will be dropping everywhere.”

    Yet they are deliberately bombing residential buildings, exactly as in both Lebanon and Gaza. Trump is attempting to terrorise Iran into “unconditional surrender.”

    Trump at the Republican Members Issues Conference at Trump National Doral golf club in Miami on March 9. (White House / Molly Riley)

    At the 1815 Battle of Waterloo — an epic, large-scale and unmissable event — approximately 15,000 people died on the field of battle (more died later of wounds in an age before antibiotics). You are supposed to believe that the Iranian government in January killed twice as many demonstrators as died at Waterloo. This using only small arms and despite the complete lack of visual evidence of killing on anything like that scale.

    At the same time you are supposed to believe that tens of thousands of tonnes of the highest explosives have been dropped into the centre of cities all across Iran but that these are “precision attacks” killing very few civilians.

    It is obvious nonsense.

    AI targeting only adds a new layer of dystopia to an entirely vicious and unnecessary war. The indifference of the Western media to the slaughter of 160 Iranian schoolgirls leads to really difficult questions about the type of society the West has become. Racism is just the beginning of the problems.

    The effort to coerce the Kurds into yet again fighting for the U.S., only to be abandoned when no longer deemed helpful, is reckless in the extreme. It is bound to lead to further war and fragmentation in Iraq. The repercussions in Turkey are potentially extreme — and possibly may jolt Turkey’s President Recep Tayyip Erdogan from his complacent furthering of the U.S.-Israeli agenda.

    Civil war is close in Lebanon. The traitorous Zionist regime of Lebanese President General Joseph Aoun has no forces capable of taking on Hezbollah; but the other Zionist puppet al-Jolani [Syrian President Ahmed al-Sharaa] has concentrated forces on the border with the Bekaa Valley ready to attack Hezbollah from the East while Hezbollah fight Israeli invading forces in the South. French President Emmanuel Macron has indicated he may send troops and armour to assist Aoun.

    This entire conflict sounds like a dreadful regional disaster in which millions could die – and it is. But to the U.S. and Israeli Zionists, the prospect of a devastated region is precisely what they wish to achieve to facilitate Israeli expansion and American seizure of resources.

    There is an urgent need for regime change – in the West. The only way for this carnage to stop is for the people of the West to remove their Zionist-controlled ruling classes.

    Craig Murray is an author, broadcaster and human rights activist. He was British ambassador to Uzbekistan from August 2002 to October 2004 and rector of the University of Dundee from 2007 to 2010. His coverage is entirely dependent on reader support. Subscriptions to keep this blog going are gratefully received.


    This article is from CraigMurray.org.uk.

    Views expressed in this article may or may not reflect those of Consortium News.






    03/13/2026