From Evasion to Evidence: Exploiting the Funneling Behavior of Injects
ID: 5d351bee-7aab-5838-bc3b-8fdfabb50ccb
STIX ID: report--5d351bee-7aab-5838-bc3b-8fdfabb50ccb
Feed Name: Censys Blog
Date Published: 2025-11-03
Date Updated: 2026-04-27
Author: Jean Pierre Ruiz Ocampo; Andrew Northern; Principal Security Researcher
This report analyzes the SmartApe multi-stage web-injection campaign, which leverages transient injected pages and stage_2 redirect/TDS chokepoints to deliver a fake CAPTCHA, hijack the clipboard, and trick users into running mshta. The mshta invocation fetches an encrypted HTA that decrypts to a PowerShell downloader; the final observed payload includes NetSupport RAT. The report provides IOCs (domains, URLs, a C2 IP) and decryption/debugging steps, and shows how Censys can be used to find and monitor persistent infrastructure pivot points for detection and tracking.
