SANS Stormcast Monday, March 16th, 2026: SmartApeSG and Remcos RAT; React Based Phishing; Google Chrome Patches; AdGuard Vuln
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
🗓️ 16 March 2026
⏱️ 6 minutes
Transcript
| 0:00.0 | Hello and welcome to the Monday, March 16th, 2026 edition of the SANS Internet Storm Center's Stormcast. |
| 0:12.9 | My name is Johannes Ullrich, recording today from Jacksonville, Florida. |
| 0:18.2 | And this episode is brought to you by the sans.edu graduate certificate program in |
| 0:22.6 | Purple Team Operations. And today we got a couple of interesting diaries to talk about. The first one is |
| 0:30.2 | by Brad about a ClickFix campaign that is then pushing Remcos RAT. Now this is all associated with SmartApeSG, a threat actor that Brad has talked about before. |
| 0:44.1 | In the past, they have deployed other RATs like, for example, NetSupport Manager. |
| 0:50.4 | Overall, the attack is, well, what we have seen so many times, where a victim is presented with a fake CAPTCHA that tricks them into copy-pasting a command into their Windows system that will then download the malware. |
| 1:06.3 | As usual, Brad is also sharing all the evidence, including packet captures and the like. |
| 1:12.0 | So this is a great diary kind of to follow along Brad's analysis and learn also a little bit more about how to analyze these kind of compromises. |
| 1:21.9 | And the second diary from this weekend comes from Jan. |
| 1:25.0 | And Jan is looking at an interesting phishing trick being played here. |
| 1:29.3 | It all starts fairly straightforward. The victim receives a PDF. |
| 1:34.3 | The PDF itself is harmless other than it contains a link to a Cloudflare worker. |
| 1:40.3 | And that Cloudflare worker is used in order to display the phishing page with a lot of |
| 1:47.1 | JavaScript. Now, the one trick here that the attacker is playing, the attacker is collecting, |
| 1:52.6 | of course, credentials. And in the example that Jan shows, they're impersonating Dropbox, |
| 1:58.5 | but they have to get the credentials somehow to the attacker. |
| 2:03.1 | In the past, we have seen stuff used like Telegram, for example, is very popular. |
| 2:08.1 | A bunch of different APIs. What they're using in this particular case is EmailJS. |
| 2:13.9 | EmailJS allows you to send email with JavaScript. Of course, JavaScript itself doesn't allow you to, like, speak SMTP or such. So instead, they're connecting to the EmailJS web service, which allows you to send HTTP requests to the web service that will then result in the email being sent to the attacker. |
| 2:37.2 | So an interesting twist on this. Of course, I think it makes it a little bit easier then to actually |
| 2:42.7 | find the attacker, given that you can check what EmailJS account or so they're using. |
... |