2026-05-20 (Wednesday): #SmartApeSG #ClickFix activity

SMARTAPESG TRAFFIC TRIGGERED FROM LEGITIMATE BUT COMPROMISED SITE:

- hxxps[:]//vividanchorlab[.]top/auth/rate-script.js
- hxxps[:]//vividanchorlab[.]top/auth/dashboard-schema.php
- hxxps[:]//vividanchorlab[.]top/auth/routerr-client.js

TRAFFIC FROM RUNNING SMARTAPESG CLICKFIX TEXT:

- hxxp[:]//178.156.222[.]131/
- hxxp[:]//5.78.144[.]156/
- hxxps[:]//astralharborworks[.]com/ground

SHA256 HASH FOR DOWNLOADED ZIP ARCHIVE:

- 6e3663c509debeda6c9f9faa260963973aa3e11f4fce21f9e8ff3ae45f785c20

POST-INFECTION C2 TRAFFIC:

- tcp://89.110.110[.]119:443

cc: @monitorsg

@malware_traffic @monitorsg Interesting, same pattern again. Big zip download then exfil to 89.110.110.119:443, but not using TLS. Is this latest finding of yours available on a public sandbox somewhere? The vividanchorlab[.]top seems to be down, so I can't reproduce the infection chain ;(

@netresec @monitorsg I'll post something here today with the updated info. The legitimate but compromised nhanhoa[.]org can kick off this infection chain, which I tried in my lab today and saw thunderplanethub[.]top as the #SmartApeSG domain.