SmartApeSG Campaign Distributes Multiple Remote Access Trojans (Remcos, NetSupport, StealC, Sectop)
What Happened — The threat‑actor group SmartApeSG was observed delivering four distinct Remote Access Trojans—Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (also known as ArechClient2)—through a coordinated malicious‑software campaign. The campaign leveraged a mix of phishing emails, malicious downloads, and exploit‑kit‑style payloads to gain footholds on victim machines.
Why It Matters for TPRM —
- Remote Access Trojans provide attackers with full control of compromised endpoints, exposing any data processed by third‑party vendors.
- The use of multiple RAT families increases detection complexity and may bypass single‑vendor security controls.
- Vendors that host or transmit files for clients (e.g., SaaS platforms, MSPs) could inadvertently become a distribution vector.
Who Is Affected —
- All industries that rely on third‑party software delivery, especially MSPs, cloud‑hosted SaaS providers, and organizations with remote workforces.
Recommended Actions —
- Review contracts and security questionnaires for any third party that handles file transfers or remote‑access tooling.
- Verify that vendors enforce strict email filtering, attachment sandboxing, and endpoint detection & response (EDR) controls.
- Conduct threat‑modeling exercises to assess the risk of RAT infection via supply‑chain or partner channels.
Technical Notes — The campaign employed phishing lures with malicious Office documents and disguised executable downloads. No specific CVE was cited; the RATs exploit standard Windows execution paths and rely on user interaction. Data exfiltrated can include credentials, proprietary documents, and system information. Source: SANS Internet Storm Center
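The two lure types named above (disguised executable downloads and macro‑bearing Office documents) can both be flagged before a user ever opens them by comparing a file's declared extension with its actual content. The following is an added illustration, not code from the SANS Internet Storm Center or from any vendor product; every sample file name and byte string in it is constructed for the example, and the extension lists are assumptions a defender would tune to their own environment.

```python
import io
import zipfile

# Extensions that should never carry Windows executable content (assumed list).
NON_EXECUTABLE_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Extensions Windows will execute directly on double-click (assumed list).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}


def looks_like_pe(data: bytes) -> bool:
    """Windows PE files begin with the 'MZ' DOS-stub signature."""
    return data[:2] == b"MZ"


def has_double_extension(name: str) -> bool:
    """Flag names such as invoice.pdf.exe: a document-looking middle extension
    followed by an executable one, a common way to disguise a download."""
    parts = name.lower().rsplit(".", 2)
    return (
        len(parts) == 3
        and parts[1] in NON_EXECUTABLE_EXTENSIONS
        and parts[2] in EXECUTABLE_EXTENSIONS
    )


def office_has_macro(data: bytes) -> bool:
    """OOXML documents are ZIP containers; an embedded VBA project is stored as
    a vbaProject.bin entry (e.g. word/vbaProject.bin). Non-ZIP input is ignored."""
    if data[:4] != b"PK\x03\x04":
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(name: str, data: bytes) -> list:
    """Return a list of finding labels for one attachment (empty = nothing found)."""
    findings = []
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if has_double_extension(name):
        findings.append("double-extension")
    if looks_like_pe(data) and ext not in EXECUTABLE_EXTENSIONS:
        findings.append("pe-header-under-non-executable-extension")
    if office_has_macro(data):
        findings.append("office-macro")
    return findings


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped ZIP in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments: a disguised PE, a PE with a document extension,
# a macro-bearing document, a clean document and a plain PDF.
PE_BLOB = b"MZ" + b"\x00" * 62
SAMPLES = {
    "invoice.pdf.exe": PE_BLOB,
    "report.pdf": PE_BLOB,
    "Q3_forecast.docx": build_sample_docx(with_macro=True),
    "minutes.docx": build_sample_docx(with_macro=False),
    "brochure.pdf": b"%PDF-1.7\n%constructed sample\n",
}


def triage_all(samples: dict) -> dict:
    """Run the checks over every sample and return {name: findings}."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all(SAMPLES).items():
        print(f"{name}: {findings or 'clean'}")
```

The checks are deliberately cheap so they can sit in a mail‑gateway or file‑transfer hook; they do not replace sandboxing, but they catch the mismatch between what a file claims to be and what it contains, which is the whole trick behind a disguised download.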