Okendo Reviews Widget Supply Chain Attack: How SmartApeSG Used ClickFix to Infect 18,000+ E-Commerce Sites

Technical Mechanics of the Malicious JavaScript

The injected code acted as a staged loader with multiple evasion and targeting layers . Instead of immediately dropping malware, it first performed environmental checks to avoid detection and ensure the victim was a suitable target:

• localStorage tracking — On first visit, the script set a timestamp marker in the browser's localStorage. This prevented repeated execution for the same user, reducing noise and lowering the chance of triggering security alerts during routine testing .
• User-Agent filtering (mobile exclusion) — The script checked the visitor's User-Agent string to ignore mobile browsers and target only desktop environments. Later infection stages relied on Windows-specific interactions, so mobile victims were bypassed entirely .
• XOR obfuscation — The loader dynamically reconstructed its next-stage command-and-control (C2) URL by decoding XOR-obfuscated string fragments at runtime, bypassing basic signature-based detection .
• Dynamic script injection — After rebuilding the hidden C2 URL, the code injected a new <script> element into the page to fetch follow-on payloads .
• Fake CAPTCHA / ClickFix social engineering — Victims who passed all checks were presented with a fake "verify you are human" page styled after ClickFix. The prompt instructed users to open the Windows Run dialog and paste a command that had been silently copied to their clipboard .

The ClickFix Social Engineering Lure

ClickFix is a social engineering technique where a malicious script copies a command to the user's clipboard, then displays instructions asking them to paste and run it — usually by pressing Win + R, pasting, and hitting Enter. The command is disguised as a verification step. In this attack, the ClickFix lure was embedded into a fake CAPTCHA page generated by the compromised widget . If a user followed the instructions, the pasted command triggered a PowerShell script or an HTML Application (HTA) file, which then downloaded and installed malware .

Payload Delivery: RATs and Info-Stealers

Once the ClickFix lure was executed, the infection chain delivered one or more of the following payloads :

• NetSupport RAT — A remote access trojan that gives attackers persistent remote control over the infected machine.
• Remcos RAT — A remote access trojan with keylogging, surveillance, and credential theft capabilities.
• StealC — An information stealer targeting passwords and financial credentials.
• Sectop RAT — A remote access trojan used for espionage.
• DeerStealer — An info-stealer observed in earlier SmartApeSG ClickFix variants .

Scale of the Breach

• Over 18,000 e-commerce brands used the compromised Okendo widget, exposing a massive downstream attack surface .
• Affected sites ranged from mid-sized online shops to large U.S. retail brands, with traffic estimates reaching 150,000 to several million monthly visitors per site. One impacted U.S. retail brand alone draws approximately 7 million visitors per month .
• On May 14, 2026 alone, Zscaler's cloud platform recorded nearly 15,000 blocks tied to SmartApeSG activity — the highest daily volume ever seen for this threat actor .

SmartApeSG's Prior Malware History

SmartApeSG is not a new actor. The group has a documented history of running ClickFix-style campaigns since mid-2024, delivering NetSupport RAT, Remcos RAT, StealC, and Sectop RAT across multiple prior operations . Earlier campaigns used compromised websites with fake CAPTCHA pages to trick users into pasting and executing malicious commands through the Windows Run dialog . The group has also been observed deploying DeerStealer info-stealer in earlier ClickFix variants . The Okendo attack represents an escalation: instead of infecting individual websites, SmartApeSG compromised a widely used third-party widget to reach thousands of sites at once—a classic supply chain amplifier .

Remediation Steps Taken

• Zscaler ThreatLabz reported the incident directly to Okendo on May 14, 2026 .
• Okendo confirmed awareness of the incident and restored the affected widget script to a clean state, effectively removing the malicious code from circulation .
• Zscaler deployed detection signatures under the threat name JS.Injection.SmartApeSG to track and block the injection activity .
• Indicators of Compromise (IoCs) published by researchers include the compromised widget URL (

  hxxp://cdn-static[.]okendo[.]io/reviews-widget-plus/js/okendo-reviews[.]js

  ) and SmartApeSG C2 infrastructure domains such as api[.]wigetticks[.]com and api[.]wizzleticks[.]com .