SmartApeSG Hijacks Okendo Reviews Widget in Supply Chain Attack
Attackers injected malicious JavaScript into Okendo Reviews, a product review widget used by more than 18,000 brands. The compromised script loaded on store pages. After a few checks, it could show visitors a fake CAPTCHA or verification window. The trick belongs to the ClickFix family: it asked users to open the Windows Run dialog and run a pasted command. Zscaler researchers reported the attack.
One Widget, Thousands of Stores
Researchers tied the attack to the group SmartApeSG, also known as ZPHP and HANEYMANEY. Store owners add the Okendo Reviews widget to homepages, product pages, and review forms. So compromising one third-party service let the attackers reach visitors across many sites at once. Zscaler spotted the suspicious activity on May 14.
A Quiet, Staged Loader
The malicious script did not run everything at once. On first execution, the JavaScript wrote a timestamp to localStorage. On a repeat visit, it found that timestamp and stopped running. The code also checked the User-Agent. As a result, it skipped phones and tablets and focused on desktop users.
How the Next Stage Loaded
After these checks, the loader rebuilt the next server address from XOR-encrypted fragments. It generated a random eight-character token. Then it added a new script tag to the page. The following stage could display a fake CAPTCHA and prompt the user to open the Run dialog. The pasted command pulled down a PowerShell or HTA file. Through that file, a remote access tool or stealer could land on the machine. The full breakdown appears in the Zscaler ThreatLabz report.
The Payloads SmartApeSG Favors
In past campaigns, SmartApeSG installed several remote access tools. Those included NetSupport RAT, Remcos RAT, and Sectop RAT. The group also deployed the StealC stealer to grab passwords, files, and browser data. However, Zscaler does not claim that every one of these tools appeared in the Okendo Reviews attack.
How Far It Reached
Among the affected sites, researchers saw stores with 150,000 to several million visits per month. One large U.S. retailer running the Okendo Reviews widget draws about seven million visits monthly. Still, traffic figures do not show how many users actually saw the malicious code or infected a device. On May 14 alone, Zscaler’s systems blocked nearly 15,000 actions tied to SmartApeSG. Okendo confirmed it was aware of the incident and restored a clean version of the script.
Indicators of Compromise
Zscaler listed the indicators for defenders, shown here defanged. The compromised widget appeared at cdn-static[.]okendo[.]io/reviews-widget-plus/js/okendo-reviews[.]js. The next-stage servers were api[.]wigetticks[.]com and api[.]wizzleticks[.]com, which delivered the follow-on payload. Teams running third-party widgets should block this infrastructure, audit their integrations, and watch for unexpected script behavior on their pages.