
2026-04-23: SmartApeSG activity

DEV Community·Mark0·about 1 month ago

This report details recent SmartApeSG activity observed on April 23, 2026, highlighting a new password scheme for associated zip files. The activity involves a sophisticated infection chain starting with web traffic leading to fake CAPTCHA pages, specifically on the ibharcan.com and nexaflowlab.top domains. These pages inject a SmartApeSG script and subsequently deploy a "ClickFix" script, which then generates further malicious traffic. The infection culminates in the download of a password-protected zip archive from solidpathcore.com/bpp. This large archive, identified by its SHA256 hash 017d87bd080eb4714414ffb0b87b6f142ca5bd2dfc7cf05d163be952ba18202d, contains a legitimate software package bundled with a malicious DLL intended for side-loading. Post-infection, the malware establishes persistence on the compromised Windows host through both a Windows Registry update and a scheduled task, engaging in encoded TCP communication with 89.110.110.119:443.…
