Brad<p>2025-07-15 (Tuesday): Tracking <a href="https://infosec.exchange/tags/SmartApeSG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SmartApeSG</span></a> </p><p>The SmartApeSG script injected into page from compromised website leads to <a href="https://infosec.exchange/tags/ClickFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ClickFix</span></a> style fake verification page. ClickFix-ing you way through this leads to a <a href="https://infosec.exchange/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetSupportRAT</span></a> infection.</p><p>Compromised site (same as yesterday): </p><p>- medthermography[.]com</p><p>URLs for ClickFix style fake verification page:</p><p>- warpdrive[.]top/jjj/include.js<br>- warpdrive[.]top/jjj/index.php?W11WzmLj<br>- warpdrive[.]top/jjj/buffer.js?409a8bdbd9</p><p>Running the script for NetSupport RAT:</p><p>- sos-atlanta[.]com/lal.ps1<br>- sos-atlanta[.]com/lotu.zip?l=4773</p><p><a href="https://infosec.exchange/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetSupport</span></a> RAT server (same as yesterday):</p><p>- 185.163.45[.]87:443</p>