2026-04-23 (THURSDAY): SMARTAPESG ACTIVITY


TRAFFIC LEADING TO SMARTAPESG CAPTCHA PAGE:

- hxxps[:]//ibharcan[.]com/meta.google.com
- hxxps[:]//nexaflowlab[.]top/role/metrics-html.js
- hxxps[:]//nexaflowlab[.]top/role/claims-view.php?7V8bm1Xz
- hxxps[:]//nexaflowlab[.]top/role/legacy-request.js?454d152afc93fb47fd

TRAFFIC GENERATED BY CLICKFIX SCRIPT FROM FAKE CAPTCHA PAGE:

- hxxp[:]//104.36.229[.]108/
- hxxp[:]//104.225.129[.]155/
- hxxps[:]//solidpathcore[.]com/bpp

DOWNLOADED ZIP ARCHIVE:

- SHA256 hash: 017d87bd080eb4714414ffb0b87b6f142ca5bd2dfc7cf05d163be952ba18202d
- File size: 96,790,667 bytes
- File type: Zip archive data, at least v2.0 to extract
- Retrieved from: hxxps[:]//solidpathcore[.]com/bpp
- Content extracted to: C:\Users\[username]\AppData\Local\E3SDNLPITGYVGW0K-E65490DD-939D-4CC9-9AE8-BADD134270DD\
- File description: Legitimate software package containing malicious DLL for side-loading

POST-INFECTION TRAFFIC:

- 89.110.110[.]119:443 - encoded or otherwise encrypted TCP traffic (not HTTPS/TLS)

 

IMAGES


Shown above: SmartApeSG script injected into page from legitimate but compromised website.

 


Shown above: SmartApeSG Fake CAPTCHA (human verification) page.

 


Shown above: Fake CAPTCHA (human verification) page showing ClickFix instructions.

 


Shown above: ClickFix instructions pasted into a Run window.

 


Shown above: Traffic from the infection filtered in Wireshark.

 


Shown above: Malware made persistent on the infected Windows host through a Windows Registry update.

 


Shown above: A scheduled task also keeps this malware persistent.

 
