
SANS Stormcast Monday, March 16th, 2026: SmartApeSG and Remcos RAT; React Based Phishing; Google Chrome Patches; AdGuard Vuln
Hello and welcome to the Monday, March 16, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida, and this episode is brought to you by the SANS.edu Graduate Certificate Program in Purple Team Operations. And today we got a couple of interesting diaries to talk about.

The first one is by Brad about a ClickFix campaign that is then pushing Remcos RAT. Now this is all associated with SmartApeSG, a threat actor that Brad has talked about before. In the past they have deployed other RATs like, for example, NetSupport Manager. Overall, the attack is, well, what we have seen so many times, where a victim is presented with a fake CAPTCHA that tricks them into copy-pasting a command into their Windows system that will then download the malware. As usual, Brad is also sharing all the evidence, including packet captures and the like. So this is a great diary to kind of follow along Brad's analysis and also learn a little bit more about how to analyze these kinds of compromises.

And the second diary from this weekend comes from Jan. And Jan is looking at an interesting phishing trick being played here. It all starts fairly straightforward. The victim receives a PDF. The PDF itself is harmless other than that it contains a link to a Cloudflare Worker. And that Cloudflare Worker is used in order to display the phishing page with a lot of JavaScript. Now the one trick here that the attacker is playing: the attacker is collecting, of course, credentials. And in the example that Jan shows, they're impersonating Dropbox. But they have to get the credentials somehow to the attacker. In the past we have seen stuff used like Telegram, for example, which is very popular, a bunch of different APIs. What they're using in this particular case is EmailJS. EmailJS allows you to send email with JavaScript. Of course, JavaScript itself doesn't allow you to, like, speak SMTP or such, so instead they're connecting to the EmailJS web service that allows you to then send HTTP requests to the web service that will then result in the email being sent to the attacker. So an interesting twist on this. Of course, I think it makes it a little bit easier then to actually find the attacker, given that you can check what EmailJS account or so they're using. And that may be a little bit of a vulnerability here in this particular scheme, but then again, as long as it lasts a day or two, that's probably all attackers need in order to call this particular phish campaign successful.

Well, and then we got a little bit of patch drama with Google Chrome. On Thursday, Google released a new version of Chrome stating that they patched two critical vulnerabilities in Google Chrome that were already exploited in the wild. On Friday they corrected the notice, stating that this update actually only fixes one of these vulnerabilities and the second is going to be updated in the next version of Google Chrome. So there is still an outstanding, already exploited vulnerability that will hopefully be patched soon. Just make sure that you keep Google Chrome patched. As I always say, at least once a day restart Google Chrome, and once a week double-check that you're running the latest version.

And Microsoft published a blog post with details regarding a campaign they're currently observing that tricks users into downloading malicious VPN clients. It all starts with good old search engine optimization, so that's still a thing. Sadly, if the user searches for a VPN client, they're then being directed to a fake website that imitates the particular manufacturer, and then the download will actually capture the credentials as the user types them in. There are a number of different VPN clients being impersonated here by this particular malware. Like, you know, Pulse Secure is one, but also Fortinet and a couple of sort of others, Cisco I think. Also, this is not really a vulnerability in any of these VPN systems, but just malicious software that the user is tricked into installing. It's digitally signed using a Chinese certificate, unclear where that came from, but likely stolen from the rightful owner. And with all of the search engine optimization tricks and in many cases also paid malicious advertisements, of course one defense is to run some kind of ad blocker.

Well, if you're running AdGuard Home, there's an update for you. It does fix an authentication issue that would allow an attacker to gain full access to AdGuard Home without valid credentials. Not 100% sure how severe or exploitable this vulnerability is, given that it does require a transition from HTTP/2 cleartext to basically encrypted, or HTTP/2 over TLS, and browsers typically don't support HTTP/2 cleartext, so maybe difficult to exploit. But please keep your systems updated, and this time it's AdGuard's time.

Well, and this is it for today. So thanks again for listening, thanks for liking, thanks for subscribing to this podcast, and talk to you again tomorrow. Bye.
Host: Johannes B. Ullrich
Main Theme:
A concise roundup of current cybersecurity threats and updates, including insights into a SmartApeSG Remcos RAT campaign, a novel React-based phishing attack, critical Google Chrome patch news, malicious VPN installer campaigns, and a security fix for AdGuard Home.
| Time  | Segment                                                    |
|-------|------------------------------------------------------------|
| 00:32 | SmartApeSG ClickFix/Remcos RAT campaign                    |
| 01:17 | Technical details & analysis resources                     |
| 01:42 | Jan's React-based phishing / Cloudflare Worker / EmailJS   |
| 02:35 | Exfiltration discussion; attacker traceability             |
| 03:08 | Commentary on attack duration/success                      |
| 03:30 | Google Chrome patching confusion                           |
| 03:56 | Best practices for Chrome updates                          |
| 04:07 | Malicious VPN campaigns via SEO and ads                    |
| 04:46 | Details on AdGuard Home authentication vulnerability       |
This episode offers listeners a fast-paced, detail-rich overview of today's key cyber threats. It outlines current malware campaigns using familiar social engineering and new exfiltration methods, explains the evolving risk around Chrome zero-day vulnerabilities, warns of malicious VPN downloads stemming from SEO manipulation, and closes with a practical update regarding AdGuard Home's authentication flaw and the importance of regular system patching. As always, the advice leans pragmatic and actionable, with Johannes Ullrich emphasizing continual vigilance and routine update habits as essential defenses.
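As an added example (not code from the ISC diaries or the podcast), the detection logic below runs over a constructed proxy log and flags the pattern Jan's diary describes: a phishing page hosted on a Cloudflare Worker posting harvested credentials to a client-side mail relay such as EmailJS. The relay host `api.emailjs.com`, the `/api/v1.0/email/send` endpoint and the request field names (`service_id`, `template_id`, `user_id`, `template_params`) are assumed from EmailJS's public client API; the log records, the `workers.dev` hostname and the allowlist of first-party origins are constructed. The finding carries the relay account identifiers from the request, which is the traceability point Johannes raises: the EmailJS account used tells you where to send the abuse report.

```python
"""Flag browser-side email-relay calls that look like credential exfiltration.

Added example, not from the ISC diary or the podcast. Sample records are
constructed. The EmailJS host/endpoint and the body field names are assumed
from the public EmailJS client API.
"""
import json
from urllib.parse import urlparse

# Hosts of third-party "send mail from JavaScript" services (assumed).
RELAY_HOSTS = {"api.emailjs.com"}
# First-party origins allowed to use such a relay, e.g. a contact form (constructed).
ALLOWED_ORIGINS = {"https://www.example.com"}
# Parameter names that should never travel through a client-side mail relay.
SENSITIVE_KEYS = {"password", "passwd", "pass", "pwd", "otp", "mfa_code"}


def _sample_records():
    """Constructed proxy records, one dict per request; not real traffic."""
    return [
        {"ts": "2026-03-16T09:01:02Z", "method": "GET",
         "url": "https://example-worker.workers.dev/dropbox-view",
         "origin": "-", "body": ""},
        # Phishing page on a Worker posting the victim's password to the relay.
        {"ts": "2026-03-16T09:01:05Z", "method": "POST",
         "url": "https://api.emailjs.com/api/v1.0/email/send",
         "origin": "https://example-worker.workers.dev",
         "body": json.dumps({"service_id": "service_placeholder",
                             "template_id": "template_placeholder",
                             "user_id": "user_placeholder",
                             "template_params": {"email": "victim@example.com",
                                                 "password": "hunter2"}})},
        # Legitimate contact form on an approved origin: benign.
        {"ts": "2026-03-16T09:02:10Z", "method": "POST",
         "url": "https://api.emailjs.com/api/v1.0/email/send",
         "origin": "https://www.example.com",
         "body": json.dumps({"service_id": "service_contact",
                             "template_id": "template_contact",
                             "user_id": "user_contact",
                             "template_params": {"message": "hello"}})},
        # Approved origin, but a one-time code is leaving via the relay: still flagged.
        {"ts": "2026-03-16T09:02:30Z", "method": "POST",
         "url": "https://api.emailjs.com/api/v1.0/email/send",
         "origin": "https://www.example.com",
         "body": json.dumps({"service_id": "service_contact",
                             "template_id": "template_reset",
                             "user_id": "user_contact",
                             "template_params": {"otp": "123456"}})},
    ]


# One JSON object per line, the shape many proxies and CASBs can export.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in _sample_records())


def _sensitive_fields(params):
    """Return the template parameter names that look like secrets."""
    return sorted(k for k in params if k.lower() in SENSITIVE_KEYS)


def detect_relay_exfiltration(log_text, allowed_origins=ALLOWED_ORIGINS):
    """Scan JSON-lines proxy records and return findings for suspicious relay POSTs."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        host = (urlparse(rec.get("url", "")).hostname or "").lower()
        if host not in RELAY_HOSTS or rec.get("method") != "POST":
            continue
        try:
            body = json.loads(rec.get("body") or "{}")
        except json.JSONDecodeError:
            body = {}  # malformed body: still evaluate the origin rule below
        params = body.get("template_params") or {}
        sensitive = _sensitive_fields(params) if isinstance(params, dict) else []
        origin = rec.get("origin", "-")
        reasons = []
        if origin not in allowed_origins:
            reasons.append("relay call from unapproved origin")
        if sensitive:
            reasons.append("sensitive fields in template_params: " + ", ".join(sensitive))
        if not reasons:
            continue
        findings.append({
            "ts": rec.get("ts"),
            "origin": origin,
            "relay_host": host,
            "service_id": body.get("service_id"),  # relay-side identifiers for the abuse report
            "user_id": body.get("user_id"),
            "sensitive_fields": sensitive,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in detect_relay_exfiltration(SAMPLE_LOG):
        print(f["ts"], f["origin"], "->", f["relay_host"],
              "account:", f["user_id"], "service:", f["service_id"],
              "|", "; ".join(f["reasons"]))
```

In practice the input would be real proxy or CASB export rather than `SAMPLE_LOG`, and `ALLOWED_ORIGINS` would list the sites known to use a client-side mail relay. The second rule is deliberate: an approved origin that starts sending password or OTP fields through the relay is flagged too, so a compromised first-party page does not hide behind the allowlist.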