The SmartApeSG campaign, also known as ZPHP or HANEYMANEY, has evolved from using fake browser update pages to employing ClickFix-style fake CAPTCHA pages. This campaign distributes malicious NetSupport RAT packages as its initial infection vector. The attack chain begins with an injected script on compromised websites, which, under certain conditions, displays a fake CAPTCHA page. When users interact with this page, malicious content is injected into the Windows clipboard, prompting users to paste and execute it. This leads to the download and installation of NetSupport RAT, which maintains persistence through a Start Menu shortcut. The campaign frequently changes domains, packages, and C2 servers to evade detection.