ThreatLabz found SmartApeSG injecting malicious JavaScript into the Okendo Reviews widget, a supply-chain-style compromise that could affect many high-traffic e-commerce sites. The loader used obfuscation, environment checks, staged retrieval, and ClickFix-style prompts to support follow-on delivery of tools such as NetSupport, Remcos, StealC, and Sectop RAT. #SmartApeSG #OkendoReviews #NetSupport #Remcos #StealC #SectopRAT
Key Points
- On May 14, 2026, Zscaler ThreatLabz identified unusual SmartApeSG activity tied to malware delivery.
- The attack involved malicious JavaScript injected into the legitimate Okendo Reviews widget.
- Okendo Reviews is used by more than 18,000 brands, creating broad downstream exposure across many websites.
- The malicious script used localStorage, User-Agent filtering, obfuscation, and staged retrieval to hide behavior and control execution.
- Later stages of the infection chain used ClickFix-style social engineering to trick users into running commands.
- SmartApeSG campaigns are associated with payloads such as NetSupport RAT, Remcos RAT, StealC, and Sectop RAT.
- Okendo confirmed the incident and restored the widget script to a clean state after notification from ThreatLabz.
MITRE Techniques
- [T1027] Obfuscated Files or Information - The loader hid the next-stage infrastructure by encoding fragments and using XOR decoding to complicate analysis ('the infrastructure is not stored in cleartext' and 'applies an XOR-based decoding routine').
- [T1056.001] Input Capture: Keylogging - Not mentioned.
- [T1071] Application Layer Protocol - The script retrieved follow-on content by dynamically inserting a script element to load remote content ('dynamically inserts a new
- [T1105] Ingress Tool Transfer - The loader fetched additional stages from remote infrastructure after checks were met ('staged retrieval to pull additional content').
- [T1204.001] User Execution: Malicious Link - The campaign used ClickFix-style prompts to get users to run commands ('Present instructions for the user to run copied commands via the Windows Run menu').
- [T1497.001] Virtualization/Sandbox Evasion: System Checks - The code performed environment checks and User-Agent filtering to bias execution toward desktop browsers ('excluded mobile devices' and 'checks biased execution toward desktop environments').
- [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File - The script split the destination into encoded fragments to hide the URL ('destination is split into encoded fragments').
Indicators of Compromise
- [Domains/URLs] Malicious or related infrastructure - hxxp://cdn-static[.]okendo[.]io/reviews-widget-plus/js/okendo-reviews[.]js, hxxps://api[.]wigetticks[.]com/logout/private-response[.]php?8D1V4th3, and 1 more URL.
- [Domains/URLs] SmartApeSG delivery endpoints - hxxps://api[.]wizzleticks[.]com/claims/scope-schema[.]php?4ManBBdA, and the related widget script path above.
- [Vendor/Service] Compromised third-party component - Okendo Reviews widget, used on many e-commerce sites and restored to a clean state after reporting.
- [Threat Name] Detection label - JS.Injection.SmartApeSG.